Mac-ing Sense of the 3CX Supply Chain Attack: Analysis of the macOS Payloads
Supply chain attacks are some of the most damaging cybersecurity incidents, capable of infecting a massive number of unsuspecting users and companies through widely used and trusted software. And although the majority of such attacks impact Windows-based computers, the recent nation-state attack against the popular PBX software provider 3CX was also capable of infecting macOS systems.
Believed to be the first "chained" supply chain attack (where initial access to 3CX was gained via a separate supply chain attack), this talk will focus on its macOS payloads. To start, we will analyze the implant installed by the attackers to maintain persistent access to 3CX's macOS build server. Then, we will dive into the malicious library that was surreptitiously slipstreamed into a malicious update and installed globally by 3CX's unsuspecting macOS enterprise users. Lastly, we'll detail the core capabilities of the self-deleting 2nd-stage payload, as well as tackle several questions it raised.
The talk …
IoC
451c23709ecd5a8461ad060f6346930c
5555494424668e99d3173e03a74c86801f09f4a9
55554944839216049d683075bc3f5a8628778bb8
https://airbseeker.com/rediret.php
https://airbseeker.com/rediret.php...https://globalkeystroke.com/pockbackx.php...https://
https://akamaitechcloudservices.com/v2/fileapi
https://globalkeystroke.com/pockbackx.php
https://sbmsa.wiki/blog/_insert
https://taomm.org
https://www.woodmate.it/administrator/help/en-GB/bins/tags/taghelper.php
rule MTI_Hunting_POOLRAT {
    meta:
        author = "Mandiant"
        ...
        md5 = "451c23709ecd5a8461ad060f6346930c"
rule XProtect_MACOS_c723519 {
    meta:
        description = "MACOS.c723519"
    strings:
        $s1 = { 5F 6D 5F 43 6F 6E 66 69 67 }
        $s2 = { 5F 5F 5A 39 53 65 74 43 6F 6E 66 69 67 76 }
        $s3 = { 5F 5F 5A 31 30 4C 6F 61 64 43 6F 6E 66 69 67 76 }
        ...
    condition:
        Macho and filesize < 100KB and all of them
}
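The XProtect rule above is easier to reason about once its hex strings are decoded: they are the Mach-O symbol names _m_Config, __Z9SetConfigv and __Z10LoadConfigv (the latter two are Itanium-mangled C++ functions SetConfig() and LoadConfig()). The following Python is an added example, not code from the talk, Apple or Mandiant; it decodes the rule's patterns, re-implements the rule's condition on raw file bytes, and checks a file's MD5/SHA-1 against the hashes listed in the IoC section. The Mach-O magic check in is_macho is an assumption about what the rule's elided Macho helper does (its definition is not on this page), and build_sample constructs a synthetic buffer so the matcher can be exercised offline.

```python
import hashlib
import re

# Hashes published in the IoC section above (MD5 and SHA-1).
IOC_MD5 = {"451c23709ecd5a8461ad060f6346930c"}
IOC_SHA1 = {
    "5555494424668e99d3173e03a74c86801f09f4a9",
    "55554944839216049d683075bc3f5a8628778bb8",
}

# Hex strings copied from the XProtect_MACOS_c723519 rule.
XPROTECT_HEX = {
    "$s1": "5F 6D 5F 43 6F 6E 66 69 67",
    "$s2": "5F 5F 5A 39 53 65 74 43 6F 6E 66 69 67 76",
    "$s3": "5F 5F 5A 31 30 4C 6F 61 64 43 6F 6E 66 69 67 76",
}

# Assumption: the rule's "Macho" helper checks the file magic. These are the
# 32-bit, 64-bit and fat/universal Mach-O magics in both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}

MAX_SIZE = 100 * 1024  # "filesize < 100KB" in the rule; YARA's KB is 1024 bytes


def decode_patterns(patterns):
    """Turn the rule's hex byte strings back into the ASCII symbol names."""
    return {name: bytes.fromhex(h).decode("ascii") for name, h in patterns.items()}


def demangle_simple(sym):
    """Minimal Itanium-ABI demangler for the one shape used here:
    optional leading underscore, _Z<len><name>v  ->  name()."""
    m = re.fullmatch(r"_?_Z(\d+)([A-Za-z0-9_]+)v", sym)
    if not m or len(m.group(2)) != int(m.group(1)):
        return None
    return f"{m.group(2)}()"


def is_macho(data):
    return len(data) >= 4 and data[:4] in MACHO_MAGICS


def xprotect_match(data):
    """Re-implementation of the rule condition:
    Macho and filesize < 100KB and all of them."""
    if not is_macho(data) or len(data) >= MAX_SIZE:
        return False
    return all(bytes.fromhex(h) in data for h in XPROTECT_HEX.values())


def hash_match(data):
    """Compare a file's digests against the published IoC hashes."""
    return {
        "md5": hashlib.md5(data).hexdigest() in IOC_MD5,
        "sha1": hashlib.sha1(data).hexdigest() in IOC_SHA1,
    }


def scan(data):
    return {"xprotect_rule": xprotect_match(data), **hash_match(data)}


def build_sample():
    """Constructed sample (not a real payload): a 64-bit little-endian Mach-O
    magic, a zeroed header, filler, and the three symbol names from the rule."""
    header = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
    symbols = b"\x00_m_Config\x00__Z9SetConfigv\x00__Z10LoadConfigv\x00"
    return header + b"\x00" * 200 + symbols


if __name__ == "__main__":
    for name, text in decode_patterns(XPROTECT_HEX).items():
        print(name, text, demangle_simple(text))
    print(scan(build_sample()))
```

To triage a real file, read it as bytes and pass it to scan(); a True value for xprotect_rule means the file reproduces the rule's three symbol names in a small Mach-O, and the hash fields flag an exact match with the listed IoCs. Note that this is only a hunting aid: the string check does not account for the rule's elided patterns, and a hash miss says nothing about recompiled variants.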