lazarusholic


Understanding the magnitude of the 3CXDesktopApp phenomenon

2023-03-31, Emanueledelucia
https://www.emanueledelucia.net/understanding-the-magnitude-of-the-3cxdesktopapp-phenomenon/
#SupplyChain #3CXDesktopApp #SmoothOperator

INTRODUCTION
On March 29, 2023, CrowdStrike posted a blog sharing details about a supply chain attack involving software called 3CXDesktopApp. On the same day, SentinelOne also shared details about the same event. 3CXDesktopApp is a multi-platform desktop application (Linux, macOS, and Windows) that lets users interact via chat, messaging, video, and voice.
The 3CXDesktopApp supply-chain attack began when a threat actor (which CrowdStrike linked to the Lazarus Group) managed to embed arbitrary code into the official build of the software, so that individuals and organizations fell victim to a global-scale campaign simply by downloading and running the 3CXDesktopApp installer from the developer's website. Both Windows and macOS users were affected, as both the Windows and Mac versions were compromised.
On a Windows system, the MSI installer (3CXDesktopApp-18.12.416.msi, 3CXDesktopApp-18.12.407.msi) is designed to extract several files and execute 3CXDesktopApp.exe, which in turn loads a …

IoC

27b134af30f4a86f177db2f2555fe01d
74bc2d0b6680faa1a5a76b27e5479cbc
http://akamaitechcloudservices.com
http://msstorageazure.com
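The indicators above are only useful if they are actually checked against local artefacts and telemetry. The following script is an added example (not code from the original post or from 3CX) that turns the two MD5 hashes and two domains into a simple sweep: it hashes candidate installer files on disk and scans proxy/DNS log lines for the C2 domains, matching subdomains as well as the bare apex. The log lines embedded in it are constructed for the demo and are not real telemetry; the filenames and log format are assumptions, and the MD5 hashes identify only the specific samples listed, so a clean hash result does not by itself prove an installer is benign.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# IoC values copied from the list above: two MD5 hashes and two C2 domains.
IOC_MD5 = {
    "27b134af30f4a86f177db2f2555fe01d",
    "74bc2d0b6680faa1a5a76b27e5479cbc",
}
IOC_DOMAINS = {
    "akamaitechcloudservices.com",
    "msstorageazure.com",
}

# Constructed sample log lines (assumed proxy/DNS format), NOT real telemetry.
SAMPLE_LOG = [
    "2023-03-30T10:01:02Z proxy GET https://update.3cx.com/manifest.json 200",
    "2023-03-30T10:01:09Z dns query A cdn.akamaitechcloudservices.com",
    "2023-03-30T10:02:40Z proxy GET http://msstorageazure.com/blob 200",
    "2023-03-30T10:03:00Z dns query A login.microsoftonline.com",
]


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory byte string (used for tests and small inputs)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk=1 << 20) -> str:
    """Stream a file through MD5 so large installers are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_files(paths, bad_hashes=IOC_MD5):
    """Return the paths whose MD5 is in bad_hashes (default: the IoC list above)."""
    return [p for p in paths if md5_of_file(p) in bad_hashes]


def domain_matches(host: str) -> bool:
    """True if host is an IoC domain or any subdomain of one (case-insensitive, trailing dot tolerated)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Pulls anything that looks like a hostname out of a log line; an optional scheme is skipped.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def scan_log(lines):
    """Return (line_number, host) for every log line that references an IoC domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if domain_matches(host):
                hits.append((n, host.lower()))
    return hits


def demo_file_scan():
    """Write a benign stand-in installer to a temp dir (constructed data) and scan it twice:
    once against the real IoC hashes (expected: nothing flagged) and once against its own
    hash (expected: flagged), to show the file-hash path works end to end."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "3CXDesktopApp-test.msi"  # assumed filename, not a real sample
        p.write_bytes(b"not the real installer")
        against_ioc = scan_files([p])
        against_own = scan_files([p], bad_hashes={md5_of_file(p)})
        return len(against_ioc), len(against_own)


if __name__ == "__main__":
    print("log hits:", scan_log(SAMPLE_LOG))
    print("file scan (flagged vs IoC, flagged vs own hash):", demo_file_scan())
```

Run against real data, replace SAMPLE_LOG with lines read from your proxy or resolver logs and pass the paths of any cached 3CXDesktopApp MSI files to scan_files; because subdomains of the C2 domains are matched, a DNS query for a host such as cdn.akamaitechcloudservices.com is still flagged.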