3CX Desktop App targeted in supply chain attack
Researchers at cybersecurity firm Cyble have conducted a comprehensive analysis of the supply chain attack targeting customers of 3CX, a VoIP IPBX software development company.
The attack has been attributed to North Korean Threat Actors and involves a Trojanized version of the 3CX Voice Over Internet Protocol (VOIP) desktop client, which has been digitally signed.
The attack has been detected on both Windows and macOS operating systems, and the domains and web infrastructure utilized in the attacks were registered as early as November 2022.
Over 240,000 publicly exposed instances of the 3CX Phone Management System have been found.
Cyble warns that the potential damage caused by the attack could be significant.
MITRE ATT&CK® Techniques
| Tactic | Technique ID ** | Technique Name ** |
|---|---|---|
| Initial Access | T1195 | Supply Chain Compromise |
| Execution | T1204.002 | User Execution: Malicious File |
| Defense Evasion | T1140T1027T1574.002 T1497.003 | Deobfuscate/Decode Files or InformationObfuscated Files or InformationHijack Execution Flow: DLL Side-Loading Virtualization/Sandbox Evasion: Time-Based Evasion |
| Credential Access ** | T1555T1539 | Credentials from Password Stores Steal Web Session Cookie |
| Command and Control | T1071 | Application Layer Protocol |
Indicators of Compromise
| Indicators | Indicator Type | Description |
|---|---|---|
| f3d4144860ca10ba60f7ef4d176cc736bea77d1e59cf18dce22ad9a2fad52948fd7a9efaaa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 | MD5SHA1SHA256 | 3CX Windows Installer |
| 0eeb1c0133eb4d571178b2d9d14ce3e9bfecb8ce89a312d2ef4afc64a63847ae11c6f69e59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983 | MD5SHA1SHA256 | 3CX Windows Installer |
| 5729fb29e3a7a90d2528e3357bd15a4b19f4036f5cd91c5fc411afc4359e32f90caddaac5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290 | MD5SHA1SHA256 | 3CX macOS Installer File |
| d5101c3b86d973a848ab7ed79cd11e5a3dc840d32ce86cebf657b17cef62814646ba8e98e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec | MD5SHA1SHA256 | 3CX macOS Installer File |
| 82187ad3f0c6c225e2fba0c867280cc920d554a80d759c50d6537dd7097fed84dd258b3e11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03 | MD5SHA1SHA256 | Malicious DLL |
| 74bc2d0b6680faa1a5a76b27e5479cbcbf939c9c261d27ee7bb92325cc588624fca754297986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896 | MD5SHA1SHA256 | Malicious DLL |
| cad1120d91b812acafef7175f949dd1b09c6c21a | SHA1 | Stealer Payload |
| akamaicontainer[.]com akamaitechcloudservices[.]com azuredeploystore[.]comazureonlinecloud[.]com azureonlinestorage[.]com dunamistrd[.]com glcloudservice[.]com journalide[.]org msedgepackageinfo[.]com msstorageazure[.]com msstorageboxes[.]com officeaddons[.]com officestoragebox[.]com pbxcloudeservices[.]com pbxphonenetwork[.]com pbxsources[.]com qwepoi123098[.]com sbmsa[.]wikisourceslabs[.]com visualstudiofactory[.]com zacharryblogs[.]com github[.]com/IconStorages/imagesazureonlinestorage.com convieneonline[.]com Soyoungjun[.]com | URL | Malicious URL |
| 3bb80e9fbeac5383b313084775c80d119c943baad621654cc0a0495262b6175276a0a9fb210c9882eba94198274ebc787fe8c88311af24932832a7fe1f1ca0261f815c3d | MD5SHA1SHA256 | Malicious ICO File |
| 644f63f869e2b0a9e5d1aa32823956cc96910a3dbc194a7bf9a452afe8a35eceb904b6e4a541e5fc421c358e0a2b07bf4771e897fb5a617998aa4876e0e1baa5fbb8e25c | MD5SHA1SHA256 | Malicious ICO File |
| 8875568b90bb03ff54d63d3bd11870630d890267ec8d6d2aaf43eaca727c1fbba6acd16ed459aa0a63140ccc647e9026bfd1fccd4c310c262a88896c57bbe3b6456bd090 | MD5SHA1SHA256 | Malicious ICO File |
| 1640f48cc05c58f4cc077503a5361ceab1dee3ebcffad01a51ff31ff495fef1d40fdfaa0d51a790d187439ce030cf763237e992e9196e9aa41797a94956681b6279d1b9a | MD5SHA1SHA256 | Malicious ICO File |
| 71d5b9bfd6bf37ff5aa9752b2b6d5af164ab912d0af35c01355430d85dd4181f25e888384e08e4ffc699e0a1de4a5225a0b4920933fbb9cf123cde33e1674fde6d61444f | MD5 SHA1 SHA256 | Malicious ICO File |
| da667174c2d145a4d9b3b39387fbd7dd8377fb40c76aa3ba3efae3d284fa51aa7748e0108c0b7d90f14c55d4f1d0f17e0242efd78fd4ed0c344ac6469611ec72defa6b2d | MD5SHA1SHA256 | Malicious ICO File |
| 69455ba3bfd2d8e3ade508136893494511ae67704ea0b930b2cc966e6d07f8b898f1a7d2f47c883f59a4802514c57680de3f41f690871e26f250c6e890651ba71027e4d3 | MD5SHA1SHA256 | Malicious ICO File |
| 848bc8e5917db1f735029fc51952002dffccc3a29d1582989430e9b6c6d2bff1e3a3bb142c9957ea04d033d68b769f333a48e228c32bcf26bd98e51310efd48e80c1789f | MD5SHA1SHA256 | Malicious ICO File |
| aafa584176d9aec7912b4bc3476acc1a89827af650640c7042077be64dc643230d1f7482268d4e399dbbb42ee1cd64d0da72c57214ac987efbb509c46cc57ea6b214beca | MD5SHA1SHA256 | Malicious ICO File |
| 4d112603466ac9c57a669445374c1fb5b5de30a83084d6f27d902b96dd12e15c77d1f90bc62dce8a77d777774e059cf1720d77c47b97d97c3b0cf43ade5d96bf724639bd | MD5SHA1SHA256 | Malicious ICO File |
| d232fa2eabc03123517a78936a18448b3992dbe9e0b23e0d4ca487faffeb004bcfe9ecc8c13d49ed325dec9551906bafb6de9ec947e5ff936e7e40877feb2ba4bb176396 | MD5SHA1SHA256 | Malicious ICO File |
| aff5911f6c211cde147a0d6aa3a7a423caa77bcd0a1a6629ba1f3ce8d1fc5451d83d0352f1bf4078141d7ccb4f82e3f4f1c3571ee6dd79b5335eb0e0464f877e6e6e3182 | MD5SHA1SHA256 | Malicious ICO File |
| 4942dc3c0e9808544b068854cf1351e057a9f3d5d1592a0769886493f566930d8f32a0fc2487b4e3c950d56fb15316245b3c51fbd70717838f6f82f32db2efcc4d9da6de | MD5SHA1SHA256 | Malicious ICO File |
| 3eb70db2f6bffbe29970f759747e07bdf533bea1c0558f73f6a3930343c16945fb75b20fe059c8c8b01d6f3af32257fc2b6fe188d5f4359c308b3684b1e0db2071c3425c | MD5SHA1SHA256 | Malicious ICO File |
| 14b79d2f81d1c0a9c3769f7bb83e443d31d775ab577f3cc88991d90e9ae58501dbe1f0dad0f1984b4fe896d0024533510ce22d71e05b20bad74d53fae158dc752a65782e | MD5SHA1SHA256 | Malicious ICO File |