3CX users under DLL-sideloading attack: What you need to know

2023-03-29, Sophos
https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/
#SupplyChain #3CXDesktopApp #SmoothOperator

Contents

Sophos X-Ops is tracking a developing situation concerning an apparent supply-chain attack against the 3CX Desktop application, possibly undertaken by a nation-state-related group. This page provides an overview of the situation, a threat analysis, information for hunters, and information on detection and protection.
We will update this page as events and understanding develop, including our threat and detection guidance.
[First version published 7pm PDT 29-March-2023]
Overview
The affected software is 3CX – a legitimate software-based PBX phone system available on Windows, Linux, Android, and iOS. The application has been abused by the threat actor to add an installer that communicates with various command-and-control (C2) servers.
The software is a digitally signed version of the softphone desktop client for Windows and is packaged with a malicious payload. The most common post-exploitation activity observed to date is the spawning of an interactive command shell.
At present, the only platform confirmed by our customer data to be affected is Windows.
Threat …

IoC

http://akamaicontainer.com
http://akamaitechcloudservices.com
http://azuredeploystore.com
http://azureonlinecloud.com
http://azureonlinestorage.com
http://dunamistrd.com
http://glcloudservice.com
http://journalide.org
http://msedgepackageinfo.com
http://msstorageazure.com
http://msstorageboxes.com
http://officeaddons.com
http://officestoragebox.com
http://pbxcloudeservices.com
http://pbxphonenetwork.com
http://pbxsources.com
http://qwepoi123098.com
http://raw.githubusercontent.com
http://sbmsa.wiki
http://sourceslabs.com
http://visualstudiofactory.com
http://zacharryblogs.com