Everyday is lazarus.dayβ

SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack

2023-03-29, SentinelOne
#SupplyChain #3CXDesktopApp #SmoothOperator


By Juan Andres Guerrero-Saade, Asaf Gilboa, David Acs, James Haughom & SentinelLabs
Executive Summary
- As of Mar 22, 2023 SentinelOne began to see a spike in behavioral detections of the 3CXDesktopApp, a popular voice and video conferencing software product categorized as a Private Automatic Branch Exchange (PABX) platform.
- Behavioral detections prevented these trojanized installers from running and led to immediate default quarantine.
- The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from Github and ultimately leads to a 3rd stage infostealer DLL still being analyzed as of the time of writing.
- At this time, we cannot confirm that the Mac installer is similarly trojanized. Our ongoing investigation includes additional applications like the Chrome extension that could also be used to stage attacks.
- The compromise includes a code signing certificate used to sign the trojanized binaries.
- Our investigation into the threat …