SmoothOperator Campaign Trojanizes 3CXDesktopApp
THREAT ADVISORY: ATTACK REPORT
Date of Publication: March 31, 2023
Admiralty Code: A1
TA Number: TA2023167
Summary
Attack began: March 22, 2023
Actor: LABYRINTH CHOLLIMA (aka HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY, Lazarus Group)
Malware: ICONIC Stealer or SUDDENICON
Attack Region: Worldwide
Targeted Industries: Automotive, Food & Beverage, Hospitality, Managed Information Technology Service Provider (MSP), Manufacturing
Attack: The 3CX desktop app was trojanized via a multi-stage supply chain attack in the SmoothOperator campaign.
Attack Regions
CVEs
CVE | NAME | AFFECTED PRODUCT | CISA KEV | PATCH
CVE-2023-29059 | Arbitrary code execution in 3CXDesktopApp | 3CX DesktopApp for Windows, versions 18.12.407 and 18.12.416; 3CX DesktopApp for macOS, version 18.11.1213 | |
THREAT ADVISORY • ATTACK REPORT (Red)
Attack Details
#1 The SmoothOperator campaign conducted a supply chain attack targeting downstream customers via rigged installers of a popular conferencing software. The first stage uses a trojanized 3CXDesktopApp, followed by ICO files pulled from GitHub, ultimately leading to an infostealer dubbed ICONIC Stealer, aka SUDDENICON. 3CXDesktopApp is compromised and actively exploited with embedded malicious code (CVE-2023-29059).
#2 The malevolent DLL, which has been sideloaded, includes instructions and a payload encrypted within another DLL using a blob. The shellcode is also present in this blob, …
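The chain described above (trojanized client, ICO files pulled from GitHub, then command-and-control traffic) gives a network-side detection hook. The following is an added example, not code from the advisory or from 3CX: it flags connections by the 3CX client process that fit that pattern, run over constructed Sysmon-style events. The process image path, the vendor allowlist, the ICO path and the placeholder C2 domain are assumptions; the real C2 domains should be loaded from the advisory's IoC list.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events in a flattened Sysmon-style network-connection form.
# Hostnames, timestamps, the ICO path and the C2 placeholder are invented for this example.
SAMPLE_EVENTS = [
    "2023-03-23T10:01:05Z host=ws01 image=C:\\Program Files\\3CXDesktopApp\\app\\3CXDesktopApp.exe "
    "dest=www.3cx.com uri=/blog/",
    "2023-03-23T10:01:09Z host=ws01 image=C:\\Program Files\\3CXDesktopApp\\app\\3CXDesktopApp.exe "
    "dest=raw.githubusercontent.com uri=/IconStorages/images/main/icon3.ico",
    "2023-03-23T10:02:41Z host=ws01 image=C:\\Program Files\\3CXDesktopApp\\app\\3CXDesktopApp.exe "
    "dest=c2-placeholder.invalid uri=/v2/storage",
    "2023-03-23T10:03:00Z host=ws02 image=C:\\Windows\\explorer.exe dest=github.com uri=/favicon.ico",
]

# Load the advisory's real C2 domains from its IoC list at deployment time;
# only a constructed placeholder is embedded here.
C2_DOMAINS = {"c2-placeholder.invalid"}
VENDOR_HOSTS = {"3cx.com", "www.3cx.com"}  # assumed legitimate destinations for the client
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+?) dest=(?P<dest>\S+) uri=(?P<uri>\S+)$")

def parse_event(line: str) -> Optional[Dict[str, str]]:
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None

def classify(ev: Dict[str, str]) -> List[str]:
    """Return detection reasons for one event; an empty list means nothing flagged."""
    reasons: List[str] = []
    if not ev["image"].lower().endswith("3cxdesktopapp.exe"):
        return reasons  # only the 3CX client process is in scope for this rule
    dest = ev["dest"].lower()
    if dest in C2_DOMAINS:
        reasons.append("known SmoothOperator C2 domain")
    if dest in GITHUB_HOSTS and ev["uri"].lower().endswith(".ico"):
        reasons.append("ICO fetch from GitHub by 3CX client (second-stage staging)")
    elif dest not in VENDOR_HOSTS and dest not in C2_DOMAINS:
        reasons.append("3CX client contacting non-vendor host")
    return reasons

def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (host, dest, reasons) for every parseable event that raised a reason."""
    hits = []
    for ev in filter(None, map(parse_event, lines)):
        reasons = classify(ev)
        if reasons:
            hits.append((ev["host"], ev["dest"], reasons))
    return hits
```

The "non-vendor host" rule is deliberately broad and should be tuned against a baseline of the client's normal destinations before it is used for alerting.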
IoC