SmoothOperator Campaign Trojanizes 3CXDesktopApp

2023-04-03, HivePro
https://www.hivepro.com/wp-content/uploads/2023/04/SmoothOperator-Campaign-Trojanizes-3CXDesktopApp_TA2023167.pdf
SmoothOperator-Campaign-Trojanizes-3CXDesktopApp_TA2023167.pdf, 1.6 MB
#SupplyChain #3CXDesktopApp #SmoothOperator

Contents

THREAT ADVISORY • ATTACK REPORT
Date of Publication: March 31, 2023
Admiralty Code: A1
TA Number: TA2023167

Summary
Attack began: March 22, 2023
Actor: LABYRINTH CHOLLIMA (aka HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY, Lazarus Group)
Malware: ICONIC Stealer or SUDDENICON
Attack Region: Worldwide
Targeted Industries: Automotive, Food & Beverage, Hospitality, Managed Information Technology Service Provider (MSP), Manufacturing
Attack: The 3CX desktop app was trojanized through a multi-stage supply chain attack in the SmoothOperator campaign.

[Figure: Attack Regions]

CVEs
CVE: CVE-2023-29059
Name: Arbitrary code execution in 3CXDesktopApp
Affected product: 3CX DesktopApp for Windows versions 18.12.407, 18.12.416 and 3CX DesktopApp for macOS version 18.11.1213
CISA KEV:
Patch:


Attack Details

#1
The SmoothOperator campaign conducted a supply chain attack targeting downstream customers via rigged installers of a popular conferencing application. The first stage uses a trojanized 3CXDesktopApp, followed by ICO files pulled from GitHub, ultimately leading to an infostealer dubbed ICONIC Stealer aka SUDDENICONDLL. 3CXDesktopApp is compromised and actively exploited with embedded malicious code (CVE-2023-29059).

#2
The sideloaded malicious DLL contains instructions and a payload that are encrypted inside another DLL as a blob. The shellcode is also present in this blob, …

IoC
