
Ironing out (the macOS details) of a Smooth Operator

2023-03-29, Objective-see
#SupplyChain #3CXDesktopApp #SmoothOperator #macOS


As “Sharing is Caring” I’ve uploaded the malicious dynamic library libffmpeg.dylib to our public macOS malware collection. The password is: infect3d
Earlier today, several vendors uncovered a massive supply chain attack, spreading malware dubbed SmoothOperator:
> Earlier today @CrowdStrike reported a supply chain attack targeting the 3CX Voice Over Internet Protocol (VOIP) Windows desktop client.
> - 600,000 companies use it
> - 12,000,000 users
> - @Sophos has identified a MacOS variant infected
> - Currently attributed to Lazarus Group
>
> — vx-underground (@vxunderground) March 30, 2023
For details on the supply chain attack, affecting 3CX, you can read the following:
“CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers”
“SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack”
“3CX users under DLL-sideloading attack: What you need to know”
While these analyses were a great start, they were all missing one very important piece: details on the macOS infection and the specific malicious component(s).
Specifically, though the reports noted 3CX’s macOS application may have …