3CX In The Wild
Contents
Table of Content
Executive Summary
Technical Detail
Background
How to exploit
How to audit
Conclusion
| 3CX IN THE WILD: Software Supply Chain Attack In Cyber Kill Chain
Executive Summary
On March 29, 2023, CrowdStrike and SentinelOne both reported on a supply
chain attack involving 3CXDesktopApp, a multi-platform desktop application
that enables users to communicate via chat, messaging, video, and voice. The
attack was initiated by a threat actor believed to be affiliated with the
Lazarus Group, who was able to insert arbitrary code into the official build of
the software.
As a result of the attack, users who downloaded and ran the 3CXDesktopApp
installer from the developer's website were unwittingly exposing their
systems to the malicious code. The attack targeted both Windows and MacOS
users, and involved the execution of the file 3CXDesktopApp.exe, which loads
a malicious library file named ffmpeg.dll.
When a victim machine downloads the software update, it installs a valid
signed 3CX MSI installer version 18.12.416, which extracts multiple files and
executes the 3CXDesktopApp.exe application. The 3CXDesktopApp.exe …
Executive Summary
Technical Detail
Background
How to exploit
How to audit
Conclusion
| 3CX IN THE WILD: Software Supply Chain Attack In Cyber Kill Chain
Executive Summary
On March 29, 2023, CrowdStrike and SentinelOne both reported on a supply
chain attack involving 3CXDesktopApp, a multi-platform desktop application
that enables users to communicate via chat, messaging, video, and voice. The
attack was initiated by a threat actor believed to be affiliated with the
Lazarus Group, who was able to insert arbitrary code into the official build of
the software.
As a result of the attack, users who downloaded and ran the 3CXDesktopApp
installer from the developer's website were unwittingly exposing their
systems to the malicious code. The attack targeted both Windows and MacOS
users, and involved the execution of the file 3CXDesktopApp.exe, which loads
a malicious library file named ffmpeg.dll.
When a victim machine downloads the software update, it installs a valid
signed 3CX MSI installer version 18.12.416, which extracts multiple files and
executes the 3CXDesktopApp.exe application. The 3CXDesktopApp.exe …
IoC
0eeb1c0133eb4d571178b2d9d14ce3e9
20d554a80d759c50d6537dd7097fed84dd258b3e
704db9184700481a56e5100fb56496ce
769383fc65d1386dd141c960c9970114547da0c2
82187ad3f0c6c225e2fba0c867280cc9
9e9a5f8d86356796162cee881c843cde9eaedfb3
bf939c9c261d27ee7bb92325cc588624fca75429
cad1120d91b812acafef7175f949dd1b09c6c21a
cb01ff4809638410a531400a66376fa3
http://akamaicontainer.com
http://akamaitechcloudservices.com
http://azuredeploystore.com
http://azureonlinecloud.com
http://azureonlinestorage.com
http://dunamistrd.com
http://github.com/IconStorages/images
http://glcloudservice.com
http://journalide.org
http://msedgepackageinfo.com
http://msstorageazure.com
http://msstorageboxes.com
http://officeaddons.com
http://officestoragebox.com
http://pbxcloudeservices.com
http://pbxphonenetwork.com
http://pbxsources.com
https://akamaitechcloudservices.com/v2/storage
https://azuredeploystore.com/cloud/services
https://azureonlinestorage.com/azure/storage
https://glcloudservice.com/v1/console
https://msedgepackageinfo.com/microsoft-edge
https://msedgeupdate.net/Windows
https://msstorageazure.com/window
https://msstorageboxes.com/office
https://objective-see.org/blog/blog_0x73.html
https://officeaddons.com/technologies
https://officestoragebox.com/api/session
https://pbxcloudeservices.com/phonesystem
https://pbxphonenetwork.com/voip
https://pbxsources.com/exchange
https://sbmsa.wiki/blog/_insert
https://sourceslabs.com/downloads
https://visualstudiofactory.com/workload
20d554a80d759c50d6537dd7097fed84dd258b3e
704db9184700481a56e5100fb56496ce
769383fc65d1386dd141c960c9970114547da0c2
82187ad3f0c6c225e2fba0c867280cc9
9e9a5f8d86356796162cee881c843cde9eaedfb3
bf939c9c261d27ee7bb92325cc588624fca75429
cad1120d91b812acafef7175f949dd1b09c6c21a
cb01ff4809638410a531400a66376fa3
http://akamaicontainer.com
http://akamaitechcloudservices.com
http://azuredeploystore.com
http://azureonlinecloud.com
http://azureonlinestorage.com
http://dunamistrd.com
http://github.com/IconStorages/images
http://glcloudservice.com
http://journalide.org
http://msedgepackageinfo.com
http://msstorageazure.com
http://msstorageboxes.com
http://officeaddons.com
http://officestoragebox.com
http://pbxcloudeservices.com
http://pbxphonenetwork.com
http://pbxsources.com
https://akamaitechcloudservices.com/v2/storage
https://azuredeploystore.com/cloud/services
https://azureonlinestorage.com/azure/storage
https://glcloudservice.com/v1/console
https://msedgepackageinfo.com/microsoft-edge
https://msedgeupdate.net/Windows
https://msstorageazure.com/window
https://msstorageboxes.com/office
https://objective-see.org/blog/blog_0x73.html
https://officeaddons.com/technologies
https://officestoragebox.com/api/session
https://pbxcloudeservices.com/phonesystem
https://pbxphonenetwork.com/voip
https://pbxsources.com/exchange
https://sbmsa.wiki/blog/_insert
https://sourceslabs.com/downloads
https://visualstudiofactory.com/workload