Ironing out (the macOS details) of a Smooth Operator
As “Sharing is Caring” I’ve uploaded the malicious dynamic library libffmpeg.dylib to our public macOS malware collection. The password is: infect3d
Earlier today, several vendors uncovered a massive supply chain attack, spreading malware dubbed SmoothOperator:
Earlier today @CrowdStrike reported a supply chain attack targeting the 3CX Voice Over Internet Protocol (VOIP) Windows desktop client.— vx-underground (@vxunderground) March 30, 2023
- 600,000 companies use it
- 12,000,000 users
- @Sophos has identified a MacOS variant infected
- Currently attributed to Lazarus Group
For details on the supply chain attack, affecting 3CX, you can read the following:
“CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers”
“SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack”
“3CX users under DLL-sideloading attack: What you need to know”
While these analyses were a great start, they were all missing one very important piece: details on the macOS infection and the specific malicious component(s).
Specifically, though the reports noted 3CX’s macOS application may have …
IoC
3DC840D32CE86CEBF657B17CEF62814646BA8E98
769383fc65d1386dd141c960c9970114547da0c2