- Category: Malware Intelligence
- Type/Family: Infostealer
- Industry: IT & Technology
- Region: Global
- Trojanized versions of the 3CX desktop app load a DLL with malicious content.
- The DLL launches a multi-staged attack on the victim machine, the final stage being the deployment of an unidentified info stealer.
- It’s multi-platform with a macOS version.
- Critical data such as saved passwords can be compromised through browsers installed on the victim system.
Analysis and Attribution
On 29th March 2023, reports emerged of malicious activities originating from a signed 3CX desktop application. CrowdStrike’s Falcon Overwatch has claimed to have observed malicious activities from both Windows and macOS versions of the application.
The product is a softphone application that allows you to make and receive calls on your physical desktop. The application is currently available for all major operating systems including Windows, Linux, and macOS. 3CX claims to have more than 600,000 customers globally, hence, this campaign can have devastating effects.
Upon installing the affected versions of the 3CX desktop application, three files are dropped by the installer:
- 3CXDesktopApp.exe: Used to load the first trojanized DLL.
- ffmpeg.dll: Trojanized DLL. It contains data that is used to read, decrypt, and execute shellcode from the second malicious DLL dropped by the installer.
- d3dcompiler_47.dll: Contains malicious shellcode that fetches .ico files from a GitHub repository (now taken down) and decrypts the C&C URLs from those files.
The affected binary starts by loading the trojanized DLL ffmpeg.dll. This DLL looks for the next malicious DLL in the source directory (d3dcompiler_47.dll) and loads it.
d3dcompiler_47.dll has been appended to contain encrypted malicious shellcode, and is identified by a unique marker (0XCEFAEDFE). This shellcode has been encrypted using an RC4 stream cipher.
The shellcode is then decrypted using a key (3jB(2bsG#@c7), and stored in memory for use.
Then, VirtualProtect() is used to change the permissions of the memory region where the shellcode is stored to PAGE_EXECUTE_READWRITE (0x40). The shellcode also has a DLL embedded within it.
This shellcode is a downloader, and it is responsible for downloading the malicious .ico files from a now taken-down GitHub repository. It makes this request using a unique User-Agent string.
A total of 16 .ico files are downloaded https://raw.githubusercontent[.]com/IconStorages/images/main/ and each .ico file is appended to have an encrypted string at the end. This string is encrypted using AES and GCM and is encoded in base64.
When decrypted, each .ico file contains a C&C URL, which is used to download the final stage payload. Below are the decrypted C&Cs for each .ico, credits to this script. The first URL was most likely used as a test URL by the threat actor since this address never hosted malware.
The final stage payload is reportedly a new info stealer, which steals data from well-known browsers such as Chrome, Edge, Brave, and Firefox.
The final stage is a never-seen-before info stealer. Security researchers at Volexity have named this stealer ICONIC. This stealer cannot be run directly using rundll.exe, as it follows another loading process. This is why we have tried our best to draw our conclusions from static analysis.
The stealer starts by checking the OS version that is currently running on the victim system. After this, it checks for the file C:\Program Files\3CXDesktopApp\config.json. Without this file, the stealer will not continue its operations.
Then, the stealer gets the hostname and domain name information and formats it in a way that it is stored with the OS version. This will most likely be sent to the C&C as a victim identifier.
Next the stealer starts its file-stealing operations. It uses a loop of FindFirstFile() and FindNextFile() to find data related to popular browsers.
The stealer has the paths of popular web browsers hardcoded. Below is a list of targeted browsers and the respective files that the stealer steals.
The History file for Chrome, Edge, and Brave is stolen, and the places.sqlite file for Firefox is stolen. These files are responsible for storing web browsing history and are stored in the form of an SQLite database. They contain the URL, page title, last visited time, and other information related to browsing.
At times, the URL of a page may contain sensitive information, such as encrypted credentials, or other such information, which can be used by an attacker. It should be noted, however, that this happens very rarely with major portals and websites that take such data.
The stealer also uses the InternetCrackUrlW API in order to store the broken-down components of a URL, such as protocol, hostname, port, and other parameters.
The stealer implements SQL queries in order to limit the results to 500 entries only, in order to make sure that it steals the most recent information.
Finally, the stolen data is passed back to the main module, so that it can be sent to the C&C server.
The macOS installer for the 3CX was also infected, and operates slightly differently:
- The path of the malicious component is 3CX Desktop App.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib.
- The URLs are XOR encoded and hardcoded in the binary (not retrieved from the aforementioned GitHub repository). The URLs used are listed below. This variant also uses a slightly different web request format to communicate with the URLs.
A YARA rule can be found in the references section of this report, in order to detect all stages of this campaign.
Indicators of Compromise (IoCs)