UNC4736

Threat Actor Profile Updated 3 months ago
UNC4736 is a threat actor that Mandiant assesses has a North Korean nexus. It has been implicated in a series of intrusions, most notably the 3CX software supply chain attack, in which trojanized 3CX software was distributed to the company's customers.

The group gained initial access to the 3CX environment after a 3CX employee downloaded a financial trading package, X_TRADER, from Trading Technologies' website and installed it on a personal computer. Unbeknownst to the user, UNC4736 had previously breached Trading Technologies' systems and inserted a backdoor into the X_TRADER installer. The backdoor gave the group access to the employee's 3CX administrator credentials, which it used to enter the corporate network over a VPN connection and move laterally. UNC4736 went on to compromise both 3CX's Windows and macOS build environments. The practical lesson is that the pivot into 3CX was a trojanized third-party installer on an unmanaged personal device, not a flaw in 3CX's own perimeter.

Mandiant, part of Google Cloud, led the incident response and attributed the 3CX campaign to UNC4736. Because the Trading Technologies compromise was the first link in the chain, Mandiant attributes both supply chain attacks to the same actor, and assesses that UNC4736 is not a new group but is likely related to the long-running, financially motivated North Korean activity tracked as AppleJeus. CrowdStrike tracks the same activity as Labyrinth Chollima, a name it applies to part of the cluster more commonly known as Lazarus Group. The North Korean assessment was further supported by ESET's discovery that a command-and-control (C2) domain used in the 3CX supply chain attack overlapped with infrastructure from Operation Dream Job, a Lazarus Group campaign.

The original compromise of Trading Technologies occurred at least a year before the 3CX intrusion, with a malicious X_TRADER software package available for download on the financial trading firm's website in early 2022.
Possible Aliases / Cluster Overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at. Each entry gives the profile name, its vote count, and the opening of its description as shown on the page.

AppleJeus (2 votes): AppleJeus is a notorious malware attributed to the North Korean APT Lazarus Group, designed primarily to steal cryptocurrency. This malicious software has been a key instrument in North Korea's financial theft operations, with threat groups pilfering $2.3 billion USD worth of crypto assets between M
Labyrinth Chollima (2 votes): Labyrinth Chollima, a threat actor linked to North Korea, has been involved in numerous malicious activities since 2009. Tracked by CrowdStrike and other cybersecurity organizations, Labyrinth Chollima is part of the Lazarus Group, known for stealthy attacks targeting various industries such as acad
Lazarus Group (2 votes): The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-
VeiledSignal (1 vote): VeiledSignal is a threat actor known for its sophisticated cyberattacks, which typically involve the use of trojanized software to infiltrate systems and networks. In one significant incident, VeiledSignal compromised an employee's personal computer by embedding malware, detected as Win32/NukeSped.M
Miscellaneous Associations
Other elements of context that could aid in assessing relevance: Mandiant, Korean, 3CX, backdoor, APT, malware, macOS, VPN, ESET, Operation Dr..., cybercrime, Windows.
Associated Malware: no associations to display.
Associated Threat Actors: no associations to display.
Associated Vulnerabilities: no associations to display.
Source Document References
Information about the UNC4736 threat actor was read from the documents below (display limited to 20 results). Each entry gives the source, when it was indexed, and the document title.

BankInfoSecurity (8 months ago): North Korean Hacking Alert Sounded by UK and South Korea
BankInfoSecurity (9 months ago): Researchers: North Korean Hackers Gain Speed, Flexibility
CERT-EU (a year ago): N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX
CERT-EU (a year ago): An earlier supply chain attack led to the 3CX supply chain attack, Mandiant says (The Register, via National Cyber Security Consulting)
CERT-EU (a year ago): The 3CX attack gets wilder, marks first 'cascading software supply chain compromise'
CERT-EU (a year ago): Cyber Security Week In Review: July 21, 2023
DARKReading (a year ago): 3CX Supply Chain Attack Tied to Financial Trading App Breach
InfoSecurity-magazine (a year ago): North Korean Hacker Suspected in 3CX Software Supply Chain Attack
BankInfoSecurity (a year ago): North Korean APT Group Now Deploying Linux Malware Variant
BankInfoSecurity (a year ago): North Korean Hackers Chained Supply Chain Hacks to Reach 3CX
CERT-EU (a year ago): 3CX supply chain hack also impacted critical infrastructure orgs in the US and Europe
CERT-EU (a year ago): Infected app on employee's PC led to 3CX compromise: Report (IT World Canada News)
CERT-EU (a year ago): Cascading Supply Chain Attack: 3CX Hacked After Employee Downloaded Trojanized App