On 29th March, 2023 there were reports of malicious activity originating from a signed 3CX desktop application. CrowdStrike's Falcon Overwatch reported observing malicious activity from both the Windows and the macOS binaries.
The product is a softphone application that lets users make and receive calls from their desktop computer. It is available for all major operating systems, including Windows, Linux, and macOS. 3CX claims more than 600,000 customers globally, so this campaign could have a very wide impact.
The currently known affected versions of the Electron application are:
Based on the evidence available so far, active exploitation through the trojanized Electron application appears to have started after 3rd March 2023. The repository used to host the multi-stage payload had been in use since 8th December 2022. Early EDR alerts on the application were dismissed as false positives, and 3CX support staff advised affected users to remove their EDR solutions as the fix.
The following have been identified as key components of the malicious binary:
The file ffmpeg.dll contains an embedded URL from which a malicious, encoded .ico file is retrieved. The ICO file carries a Base64-encoded payload appended after the icon data; once decoded, that data is used, in some cases, to download a further stage. The DLL fetched in that stage appears to be a previously unknown information stealer that reads and exfiltrates saved browser data.
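The append-to-ICO trick described above can be checked for mechanically, because a well-formed ICO directory states exactly where the image data ends. The following is an added example, not code from the original post or from 3CX: it parses the ICONDIR and ICONDIRENTRY structures, computes the end of the last image resource, treats anything beyond it as a trailer and attempts a strict Base64 decode of that trailer. The sample ICO and the next-stage string are constructed inline for illustration and are not indicators from the real campaign.

```python
import base64
import binascii
import struct
from typing import Optional

# ICONDIR: reserved (must be 0), image type (1 = ICO, 2 = CUR), number of entries
ICONDIR = struct.Struct("<HHH")
# ICONDIRENTRY: width, height, colour count, reserved, planes, bits per pixel,
# size of the image resource in bytes, offset of the image resource from file start
ICONDIRENTRY = struct.Struct("<BBBBHHII")


def icon_data_end(data: bytes) -> int:
    """Offset at which the last image resource referenced by the ICO directory ends.

    Anything beyond this offset is ignored by an image viewer, which is exactly
    where an appended payload hides.
    """
    if len(data) < ICONDIR.size:
        raise ValueError("too short to hold an ICO header")
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or kind not in (1, 2) or count == 0:
        raise ValueError("not an ICO/CUR directory")
    end = ICONDIR.size + count * ICONDIRENTRY.size
    if end > len(data):
        raise ValueError("directory runs past end of file")
    for i in range(count):
        entry_off = ICONDIR.size + i * ICONDIRENTRY.size
        *_, size, img_off = ICONDIRENTRY.unpack_from(data, entry_off)
        if img_off + size > len(data):
            raise ValueError(f"entry {i} points past end of file")
        end = max(end, img_off + size)
    return end


def extract_trailer(data: bytes) -> bytes:
    """Bytes appended after the legitimate icon data (empty for a clean ICO)."""
    return data[icon_data_end(data):]


def decode_appended_base64(data: bytes) -> Optional[bytes]:
    """Strictly Base64-decode the trailer; None if there is no valid Base64 trailer."""
    cleaned = b"".join(extract_trailer(data).split())  # tolerate line breaks / whitespace
    if not cleaned:
        return None
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def build_sample_ico(image_blob: bytes, trailer: bytes = b"") -> bytes:
    """Constructed single-entry ICO for testing; the image blob need not be a real bitmap."""
    first_image = ICONDIR.size + ICONDIRENTRY.size
    header = ICONDIR.pack(0, 1, 1)
    entry = ICONDIRENTRY.pack(16, 16, 0, 0, 1, 32, len(image_blob), first_image)
    return header + entry + image_blob + trailer


# Constructed sample data: a fake 64-byte image resource and a made-up next-stage
# string. Neither is taken from the real campaign.
FAKE_IMAGE = bytes(range(64))
CONSTRUCTED_STAGE2 = b"https://example.invalid/stage2.dat"  # placeholder, not a real IOC

CLEAN_ICO = build_sample_ico(FAKE_IMAGE)
TROJANIZED_ICO = build_sample_ico(FAKE_IMAGE, base64.b64encode(CONSTRUCTED_STAGE2) + b"\n")


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICO), ("with trailer", TROJANIZED_ICO)):
        print(name, "icon data ends at", icon_data_end(blob), "of", len(blob),
              "decoded trailer:", decode_appended_base64(blob))
```

When hunting over a directory of downloaded icons, a non-empty `extract_trailer` result is worth a look even when `decode_appended_base64` returns None: the trailer may be encrypted rather than Base64, and a legitimate icon has no reason to carry trailing bytes at all.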
At the time of writing, the following YARA rules can be used for threat hunting; additional rules are listed in the Reference section.
For SentinelOne, CrowdStrike, and Sophos MDR/EDR users, specific hunting queries are provided in the respective vendor advisories (see the Reference section).
All the above-mentioned domains have been blocked as of 30th March 2023. We can also observe that these domains were registered recently. Namecheap is a favourite registrar of threat actors because it accepts payment in BTC. Among the above-mentioned domains, we were able to find some interesting email addresses in the WHOIS information.
The repository hosting the information stealer malware since 8th December 2022