lazarusholic


Red flags flew over software supply chain-compromised 3CX update

2023-03-30, ReversingLabs
https://www.reversinglabs.com/blog/red-flags-fly-over-supply-chain-compromised-3cx-update
#SupplyChain #3CXDesktopApp #SmoothOperator

Contents

ReversingLabs is analyzing a supply chain compromise of the firm 3CX Ltd., a maker of enterprise voice over IP (VoIP) solutions. Beginning on March 22nd, 2023, compromised versions of the 3CXDesktopApp, a desktop client version of the company’s VoIP software, were found to contain malicious code.
While more time and effort will be needed to fully reconstruct and study this incident, our analysis of the malicious files used in the attack points strongly to a compromise of 3CX’s software build pipeline, resulting in modifications that inserted malicious code into the 3CXDesktopApp software package.
There are many possible explanations for how such a thing could happen. However, our analysts focused on investigating the two most likely scenarios: a compromise of the 3CX development pipeline that resulted in malicious code being added during the build, or the possibility of a malicious dependency being served by a package repository. The former is represented by the …

IoC
