Executive Summary

On 29th March, 2023 there were reports of malicious activity originating from a signed 3CX desktop application. CrowdStrike’s Falcon Overwatch has claimed to have observed malicious activities from both Windows and macOS binaries.‍

About 3CX Desktop Application

The product is a softphone application that allows you to make and receive calls on your physical desktop. The application is currently available for all major operating systems including Windows, Linux, and macOS. 3CX claims to have more than 600,000 customers globally hence this campaign can have devastating effects.

The currently known affected versions of the Electron application are:

V18.12.407
v18.12.416

‍

Observations from Malicious Behavior

The signed binary makes contact with attacker-controlled infrastructure and deploys a second-stage payload to the victim. There are also cases where hands-on-keyboard activity has been observed, which is a way of keeping a human threat actor in the loop to evade defenses and move vertically or laterally in the infrastructure.
SentinelOne has identified cases where there is an involvement of a 3rd stage information stealer DLL that was being pulled from a GitHub repository (at the time of writing this, the repository has been taken down).
There are also claims that this attack involves nation-state threat actor, LABYRINTH CHOLLIMA/ZINC/Lazarus group/Black Artemis, is involved in this sophisticated supply chain attack.

‍

Timeline

‍

Threat Analysis

According to the known evidence, we can assume that the active exploitation of the trojanized Electron application started after 3rd March 2023. The repository used to host the multi-stage payload was in use since 8th December 2022. The alerts were flagged as false positives and the support staff from 3CX asked the users to remove EDR solutions as a solution.

The following have been identified as key components of the malicious binary:

3CXDesktopApp.exe, the clean loader
d3dcompiler_47.dll, a DLL with an appended encrypted payload
ffmpeg.dll, the trojanized malicious loader

‍

The file ffmpeg.dll contains an embedded URL that retrieves a malicious encoded .ico payload. The ICO file has the Base64 payload at the end. That data post-decoding is used to download another stage in some cases. The DLL downloaded seems to be an unknown information stealer meant to interface and exfiltrate saved browser data.

‍

Detection

At the time of writing this, some YARA rules can be used for Threat Hunting. All the other YARA rules are mentioned in the reference section.

‍

*One of the rules that can be used to identify malicious binaries* *authored by Florian Roth*

‍

For SentinelOne, Crowdstrike, and Sophos MDR/EDR users, there are specific OS queries that are mentioned in their advisories (mentioned in the Reference section).

‍

Indicators of Compromise

‍

Domain Name	Registered Date	Registrar
akamaicontainer[.]com	14/02/2023	Namecheap
akamaitechcloudservices[.]com	04/01/2023	Namecheap
azuredeploystore[.]com	13/03/2023	Namesilo
azureonlinecloud[.]com	13/02/2023	Namecheap
azureonlinestorage[.]com	05/01/2023	PublicDomainRegistry
msedgepackageinfo[.]com	05/01/2023	Namesilo
msstorageazure[.]com	17/11/2022	Namecheap
msstorageboxes[.]com	09/12/2022	Namecheap
officeaddons[.]com	09/12/2022	PublicDomainRegistry
officestoragebox[.]com	17/11/2022	Namecheap
dunamistrd[.]com	06/12/2022	Namecheap
pbxcloudeservices[.]com	23/12/2022	PublicDomainRegistry
glcloudservice[.]com	06/01/2023	Namecheap
pbxphonenetwork[.]com	25/12/2022	Namesilo
qwepoi123098[.]com	17/11/2022	Namecheap
zacharryblogs[.]com	13/12/2022	Namecheap
sbmsa[.]wiki	09/02/2023	Namecheap
pbxsources[.]com	04/01/2023	Namecheap
sourceslabs[.]com	09/12/2022	eNom, LLC
visualstudiofactory[.]com	17/11/2022	Namecheap
journalide[.]org	08/04/2022	Namecheap

‍

All the above-mentioned domains have been blocked as of 30th March 2023. We can also observe that these domains have been recently registered. Namecheap is a threat actor favorite because of the BTC payment options provided. Amongst the above-mentioned domains, we were able to find some interesting emails in the WHOIS information.

‍

Email	Full Name
[email protected]	Diego Garcia
[email protected]	Simpson Remey
[email protected]	Jackie Caudill
[email protected]	Harold Marable

‍

The repository hosting the information stealer malware since 8th December

github[.]com/IconStorages/images

‍

FileName	SHA-256
IconStorages.zip	5c54932fdbb077d73c58ac41a1ad3f6ea5576b3e1f719c8b714b637c9ceb361b
3CXDesktopApp.exe	a60a61bf844bc181d4540c9fac53203250a982e7c3ad6153869f01e19cc36203
3CXDesktopApp.exe	5d99efa36f34aa6b43cd81e77544961c5c8d692c96059fef92c2df2624550734
3CXDesktopApp.exe	54004dfaa48ca5fa91e3304fb99559a2395301c570026450882d6aad89132a02
3CXDesktopApp.exe	d45674f941be3cca2fbc1af42778043cc18cd86d95a2ecb9e6f0e212ed4c74ae
3CXDesktopApp.msi	aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
3CXDesktopApp.msi	59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983
3CXDesktopApp (macOS Application)	92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61
3CXDesktopApp (macOS Application)	b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb
3CXDesktopApp (macOS DMG Application)	5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290
3CXDesktopApp (macOS DMG Application)	e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec

Recommendations

Check for the above-mentioned IOCs for trojanized version of the application
The official recommendation is to use the Web app/PWA application and not the electron application for the time being. The instructions can be found here.
Keep an eye on the changing campaign

‍