3CX Supply Chain Attack
Taking a closer look at the delivery of this malware
Overview
From the Volexity post:
CrowdStrike identified signed 3CX installation files as being malicious and reported that customers were seeing malicious activity emanating from the “3CXDesktopApp”.
3CX is client software for VoIP phones; it was delivered to targets with a backdoor. The backdoored application was delivered in an MSI, 3CXDesktopApp-18.12.416.msi, which is signed by a valid certificate belonging to 3CX Ltd.
References
- 3CX Supply Chain Compromise Leads to ICONIC Incident- CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers
- SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack
Samples
- 3CXDesktopApp-18.12.416.msi (SHA-256: 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983)
- icon15.ico (SHA-256: f47c883f59a4802514c57680de3f41f690871e26f250c6e890651ba71027e4d3)
Analysis
Let's take a look at the .msi and see what is in there; we can just use 7-Zip to extract it. Inside the .msi we have a backdoored file, ffmpeg.dll.
Stage 1
ffmpeg.dll
Artifacts
- ffmpeg.dll (SHA-256: 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896)
- d3dcompiler_47.dll (SHA-256: 11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03)
Functionality
- Uses CreateEventW with the string AVMonitorRefreshEvent like a mutex to ensure it is only running once
- Gets its process path (file location) to locate d3dcompiler_47.dll, which …
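As an added triage helper (my own code, not part of this write-up or any 3CX tooling): it hashes every file under a directory against the SHA-256 indicators listed above and flags directories where ffmpeg.dll sits next to d3dcompiler_47.dll, the co-location the functionality notes describe. The demo tree, its file contents and the "constructed sample" indicator are assumptions built inline so it runs offline without any real artifact.

```python
import hashlib
import os
import tempfile

# SHA-256 indicators copied from this page's Samples and Artifacts sections.
KNOWN_BAD = {
    "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983": "3CXDesktopApp-18.12.416.msi (trojanized installer)",
    "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896": "ffmpeg.dll (stage 1)",
    "11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03": "d3dcompiler_47.dll (stage 1 artifact)",
    "f47c883f59a4802514c57680de3f41f690871e26f250c6e890651ba71027e4d3": "icon15.ico",
}

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large MSI is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_directory(root, indicators=KNOWN_BAD):
    """Walk root; return (path, sha256, label) for every file matching an indicator."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in indicators:
                hits.append((path, digest, indicators[digest]))
    return hits

def sideload_candidates(root):
    """Directories holding both ffmpeg.dll and d3dcompiler_47.dll, the pairing this
    write-up describes (the loader finds the second DLL next to itself). Clean installs
    also contain both DLLs, so treat a match as a pivot for hash checks, not a verdict."""
    wanted = {"ffmpeg.dll", "d3dcompiler_47.dll"}
    return [d for d, _, files in os.walk(root) if wanted <= {f.lower() for f in files}]

def demo():
    """Build a constructed directory tree (no real malware inside) and scan it."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "3CXDesktopApp")
    os.makedirs(app)
    sample = b"constructed sample bytes, not a real artifact"  # assumption: stand-in content
    for name, data in (("ffmpeg.dll", sample), ("d3dcompiler_47.dll", b"benign")):
        with open(os.path.join(app, name), "wb") as f:
            f.write(data)
    # Seed the table with the constructed file's digest so the demo produces a hit.
    indicators = {**KNOWN_BAD, hashlib.sha256(sample).hexdigest(): "constructed sample"}
    return scan_directory(root, indicators), sideload_candidates(root)
```

Point scan_directory at an install directory or a collection of downloaded installers; a hit against KNOWN_BAD is the high-confidence signal, while sideload_candidates only narrows where to look.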
IoC
11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03
59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983
7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
b56279136d816a11cf4db9fc1b249da04b3fa3aef4ba709b20cdfbe572394812
f47c883f59a4802514c57680de3f41f690871e26f250c6e890651ba71027e4d3
https://pbxsources.com/exchange
https://raw.githubusercontent.com/IconStorages/images/main/icon%d.ico