SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack
By Juan Andres Guerrero-Saade, Asaf Gilboa, David Acs, James Haughom & SentinelLabs
Executive Summary
- As of Mar 22, 2023 SentinelOne began to see a spike in behavioral detections of the 3CXDesktopApp, a popular voice and video conferencing software product categorized as a Private Automatic Branch Exchange (PABX) platform.
- Behavioral detections prevented these trojanized installers from running and led to immediate default quarantine.
- The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from Github and ultimately leads to a 3rd stage infostealer DLL still being analyzed as of the time of writing.
- At this time, we cannot confirm that the Mac installer is similarly trojanized. Our ongoing investigation includes additional applications like the Chrome extension that could also be used to stage attacks.
- The compromise includes a code signing certificate used to sign the trojanized binaries.
- Our investigation into the threat …
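The staging step described above (ICO files with base64 data appended after the icon images) can be checked for by parsing the ICO directory and looking for bytes past the last image. The script below is an added example for defenders, not SentinelLabs code; the ICO sample and payload it builds are constructed stubs, not artifacts from the campaign.

```python
import base64
import re
import struct
from typing import Optional

ICO_HEADER = struct.Struct("<HHH")           # reserved, resource type, image count
ICO_DIR_ENTRY = struct.Struct("<BBBBHHII")   # w, h, colors, reserved, planes, bpp, size, offset
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")

def ico_payload_end(data: bytes) -> int:
    """Offset where a well-formed ICO's image data ends; ValueError if not a plausible ICO."""
    if len(data) < ICO_HEADER.size:
        raise ValueError("too short for an ICO header")
    reserved, kind, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an ICO header")
    end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size
    if end > len(data):
        raise ValueError("truncated ICO directory")
    for i in range(count):
        entry_at = ICO_HEADER.size + i * ICO_DIR_ENTRY.size
        *_, size, offset = ICO_DIR_ENTRY.unpack_from(data, entry_at)
        if offset + size > len(data):
            raise ValueError("directory entry points past end of file")
        end = max(end, offset + size)   # images need not be in file order
    return end

def appended_base64(data: bytes, min_len: int = 16) -> Optional[bytes]:
    """Decoded trailer if base64-looking data follows the icon images, else None."""
    trailer = data[ico_payload_end(data):].strip()
    if len(trailer) < min_len or not B64_RE.match(trailer):
        return None
    try:
        return base64.b64decode(trailer)
    except ValueError:      # binascii.Error is a ValueError subclass
        return None

def build_sample_ico(extra: bytes = b"") -> bytes:
    """Constructed one-image ICO (stub image bytes) with an optional trailer."""
    image = b"\x28\x00\x00\x00" + b"\x00" * 36   # BITMAPINFOHEADER-sized stub
    header = ICO_HEADER.pack(0, 1, 1)
    entry = ICO_DIR_ENTRY.pack(1, 1, 0, 0, 1, 32, len(image), ICO_HEADER.size + ICO_DIR_ENTRY.size)
    return header + entry + image + extra

# Constructed samples, not data from the campaign.
SAMPLE_PAYLOAD = b"constructed stage-two stub, not a real sample"
SAMPLE_CLEAN_ICO = build_sample_ico()
SAMPLE_STAGED_ICO = build_sample_ico(base64.b64encode(SAMPLE_PAYLOAD))
```

Run `appended_base64` over icons fetched by an endpoint (or cached in a proxy) and alert when it returns a non-empty trailer; a legitimate icon ends exactly at `ico_payload_end`.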
IoC