Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign
Contents
Last updated at Fri, 31 Mar 2023 00:19:40 GMT
Emergent threats evolve quickly. We will update this blog with new information as it comes to light and we are able to verify it. Erick Galinkin, Ted Samuels, Zach Dayton, Eoin Miller, Caitlin Condon, Stephen Fewer, Spencer McIntyre, and Christiaan Beek all contributed to this blog.
On Wednesday, March 29, 2023, multiple security firms issued warnings about malicious activity coming from a legitimate, signed binary from communications technology company 3CX. The binary, 3CXDesktopApp, is popular video-conferencing software available for download on all major platforms. Several analyses have attributed the threat campaign to state-sponsored threat actors, and security firms have observed malicious activity in both Windows and Mac environments.
Rapid7’s threat research teams analyzed the 3CXDesktopApp Windows binary and confirmed that the 3CX MSI installer drops the following files:
3CXDesktopApp.exe, a benign file that loads the backdoored
ffmpeg.dll, which reads an RC4-encrypted blob after the hexadecimal demarcation …
Emergent threats evolve quickly. We will update this blog with new information as it comes to light and we are able to verify it. Erick Galinkin, Ted Samuels, Zach Dayton, Eoin Miller, Caitlin Condon, Stephen Fewer, Spencer McIntyre, and Christiaan Beek all contributed to this blog.
On Wednesday, March 29, 2023, multiple security firms issued warnings about malicious activity coming from a legitimate, signed binary from communications technology company 3CX. The binary, 3CXDesktopApp, is popular video-conferencing software available for download on all major platforms. Several analyses have attributed the threat campaign to state-sponsored threat actors, and security firms have observed malicious activity in both Windows and Mac environments.
Rapid7’s threat research teams analyzed the 3CXDesktopApp Windows binary and confirmed that the 3CX MSI installer drops the following files:
3CXDesktopApp.exe, a benign file that loads the backdoored
ffmpeg.dll, which reads an RC4-encrypted blob after the hexadecimal demarcation …
IoC
11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03
7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61
aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb
dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc
fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405
http://Soyoungjun.com
http://akamaicontainer.com
http://akamaitechcloudservices.com
http://azuredeploystore.com
http://azureonlinecloud.com
http://azureonlinestorage.com
http://convieneonline.com
http://dunamistrd.com
http://glcloudservice.com
http://journalide.org
http://msedgepackageinfo.com
http://msstorageazure.com
http://msstorageboxes.com
http://officeaddons.com
http://officestoragebox.com
http://pbxcloudeservices.com
http://pbxphonenetwork.com
http://pbxsources.com
http://qwepoi123098.com
http://sbmsa.wiki
http://sourceslabs.com
http://visualstudiofactory.com
http://zacharryblogs.com
7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61
aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb
dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc
fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405
http://Soyoungjun.com
http://akamaicontainer.com
http://akamaitechcloudservices.com
http://azuredeploystore.com
http://azureonlinecloud.com
http://azureonlinestorage.com
http://convieneonline.com
http://dunamistrd.com
http://glcloudservice.com
http://journalide.org
http://msedgepackageinfo.com
http://msstorageazure.com
http://msstorageboxes.com
http://officeaddons.com
http://officestoragebox.com
http://pbxcloudeservices.com
http://pbxphonenetwork.com
http://pbxsources.com
http://qwepoi123098.com
http://sbmsa.wiki
http://sourceslabs.com
http://visualstudiofactory.com
http://zacharryblogs.com