
Threat Brief: 3CXDesktopApp Supply Chain Attack

2023-03-30, PaloaltoNetworks
https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/
#SupplyChain #3CXDesktopApp #SmoothOperator

Executive Summary
On March 29, 2023, CrowdStrike released a blog discussing a supply chain attack involving a software-based phone application called 3CXDesktopApp. As of March 30, the 3CXDesktopApp installer hosted on the developer’s website will install the application with two malicious libraries included. The malicious libraries will ultimately run shellcode to load a backdoor on the system that allows actors to install additional malware on the victim machine.
At this time, we cannot determine exactly how these malicious libraries were included in the 3CXDesktopApp installer. We speculate that threat actors might have introduced these malicious libraries during the build process of the 3CXDesktopApp application. Because malicious content was added to this legitimate application in order to compromise the users of 3CXDesktopApp, it could suggest that this is intended to be a supply chain attack.
3CX products are widely used across the globe. Our Cortex Xpanse product was able to fingerprint 247,277 distinct IP …

IoC