lazarusholic


Mac-ing sense of the 3CX supply chain attack: analysis of the macOS payloads

2023-10-05, Objective-See
https://www.virusbulletin.com/conference/vb2023/abstracts/mac-ing-sense-3cx-supply-chain-attack-analysis-macos-payloads/
Mac-ing-sense-of-the-3CX-supply-chain-attack-analysis-of-the-macOS_9ZmzAbw.pdf, 1.5 MB
#3CXDesktopApp

VB2023, 4 - 6 October 2023 / London, United Kingdom

MAC-ING SENSE OF THE 3CX SUPPLY CHAIN ATTACK: ANALYSIS OF THE MACOS PAYLOADS
Patrick Wardle
Objective-See, USA

www.virusbulletin.com



ABSTRACT
Supply chain attacks are some of the most damaging cybersecurity incidents, capable of infecting a massive number of
unsuspecting users and companies through widely used and trusted software. And although the majority of such attacks
impact Windows-based computers, the recent nation-state attack against the popular PBX software provider 3CX was also
capable of infecting macOS systems.
Believed to be the first ‘chained’ supply chain attack (where initial access to 3CX was gained via a separate supply chain
attack), this paper will focus on its macOS payloads. To start, we will analyse the implant installed by the attackers to
maintain persistent access to 3CX’s macOS build server. Then, we will dive into the malicious library that was
surreptitiously slipstreamed into a malicious update …

IoC

451c23709ecd5a8461ad060f6346930c
5555494424668e99d3173e03a74c86801f09f4a9
55554944839216049d683075bc3f5a8628778bb8
6C121F2B2EFA6592C2C22B29218157EC9E63F385E7A1D7425857D603DDEF8C59
a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67
d9d19abffc2c7dac11a16745f4aea44f
http://sbmsa.wiki
https://airbseeker.com/rediret.php
https://akamaitechcloudservices.com/v2/fileapi
https://globalkeystroke.com/pockbackx.php
https://sbmsa.wiki/blog/_insert
https://servicemax.3cx.com/provisioning/<redacted>/<redacted>/<redacted>.xml
https://twitter.com/CrowdStrike/status/1641167508215349249
https://twitter.com/juanandres_gs/status/1642151623605510144
rule MTI_Hunting_POOLRAT {
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "Detects strings found in POOLRAT. "
        md5 = "451c23709ecd5a8461ad060f6346930c"
        date = "10/28/2020"
        version = "1"
    strings:
        $str1 = "name=\"uid\"%s%s%u%s" wide ascii
        $str2 = "name=\"session\"%s%s%u%s" wide ascii
        $str3 = "name=\"action\"%s%s%s%s" wide ascii
        $str4 = "name=\"token\"%s%s%u%s" wide ascii
        $boundary = "--N9dLfqxHNUUw8qaUPqggVTpX-" wide ascii nocase
    condition:
        any of ($str*) or $boundary
}
rule XProtect_MACOS_c723519
{
    meta:
        description = "MACOS.c723519"
    strings:
        $s1 = { 5F 6D 5F 43 6F 6E 66 69 67 }
        $s2 = { 5F 5F 5A 39 53 65 74 43 6F 6E 66 69 67 76 }
        $s3 = { 5F 5F 5A 31 30 4C 6F 61 64 43 6F 6E 66 69 67 76 }
        $s4 = { 5F 5F 5A 31 30 53 61 76 65 43 6F 6E 66 69 67 76 }
        $s5 = { 5F 5F 5A 31 33 4D 65 73 73 61 67 65 54 68 72 65 61 64 76 }
    condition:
        Macho and filesize < 100KB and all of them
}