Researchers at cybersecurity firm Cyble have conducted a comprehensive analysis of the supply chain attack targeting customers of 3CX, a VoIP IPBX software development company.

[Figure 3: Infection chain]

The attack has been attributed to North Korean threat actors and involves a Trojanized version of the 3CX Voice over Internet Protocol (VoIP) desktop client, which has been digitally signed.

The attack has been detected on both Windows and macOS operating systems, and the domains and web infrastructure utilized in the attacks were registered as early as November 2022.

Over 240,000 publicly exposed instances of the 3CX Phone Management System have been found.

[Figure 1: Exposed instances]

Cyble warns that the potential damage caused by the attack could be significant.


MITRE ATT&CK® Techniques


| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1195 | Supply Chain Compromise |
| Execution | T1204.002 | User Execution: Malicious File |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Defense Evasion | T1497.003 | Virtualization/Sandbox Evasion: Time-Based Evasion |
| Credential Access | T1555 | Credentials from Password Stores |
| Credential Access | T1539 | Steal Web Session Cookie |
| Command and Control | T1071 | Application Layer Protocol |

Indicators of Compromise
