{"id":21616,"date":"2023-03-30T17:21:03","date_gmt":"2023-03-31T01:21:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/03\/30\/news-15347\/"},"modified":"2023-03-30T17:21:03","modified_gmt":"2023-03-31T01:21:03","slug":"news-15347","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/03\/30\/news-15347\/","title":{"rendered":"Updated: 3CX users under DLL-sideloading attack: What you need to know"},"content":{"rendered":"<p><strong>Credit to Author: Greg Iddon| Date: Thu, 30 Mar 2023 01:39:11 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>Sophos X-Ops is tracking a developing situation concerning a seeming supply-chain attack, possibly undertaken by a nation-state-related group. This page provides an overview of the situation, a threat analysis, information for hunters, and information on detection protection.<\/p>\n<p>We will update this page as events and understanding develop, including our threat and detection guidance.<\/p>\n<p><em>[Latest version published 3:30pm PDT 30-March-23, adding detail on affected versions, misuse of ffmpeg.dll, removal of malicious repository, comparison of PE shellcode loader to that used by Lazarus threat group, three more queries customers may use to determine their exposure to the attack, and various additional detections]<\/em><\/p>\n<h2><strong>Overview<\/strong><\/h2>\n<p>The affected software is 3CX \u2013 a legitimate software-based PBX phone system available on Windows, MacOS, Linux, Android, and iOS. Some Windows and MacOS versions of the application have been abused by the threat actor to add an installer that communicates with various command-and-control (C2) servers.<\/p>\n<p>The software is a digitally signed version of the softphone desktop client for both Windows and MacOS, which includes a malicious payload. 
According to 3CX, their Update 7 for Windows, version numbers 18.12.407 and 18.12.416, and Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 and 18.12.416, are affected. The most common post-exploitation event we have observed to date is the presence of an infostealer that targets the browser(s) on a compromised system. At this writing, 3CX has deprecated the affected versions of the Windows application.<\/p>\n<p>At present, the only platforms confirmed by our customer data to be affected are Windows and MacOS, which is in agreement with 3CX\u2019s information on affected platforms. According to <a href=\"https:\/\/www.3cx.com\/community\/threads\/3cx-desktopapp-security-alert.119951\/\">information<\/a> on their support forum, Android and iOS versions of the software are not believed to be affected.<\/p>\n<h2><strong>Threat analysis<\/strong><\/h2>\n<p>On March 22, users of 3CX began discussion of potential false-positive detections of 3CXDesktopApp by their endpoint security agents.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/3cx-compromise-in-action.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90718\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/3cx-compromise-in-action.jpg\" alt=\"The compromise as it happened\" width=\"640\" height=\"345\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/3cx-compromise-in-action.jpg 945w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/3cx-compromise-in-action.jpg?resize=300,162 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/3cx-compromise-in-action.jpg?resize=768,414 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 1: The update process at the moment the malicious version drops<\/em><\/p>\n<p>Sophos MDR first identified malicious activity directed at its own customers and stemming from 3CXDesktopApp on March 29, 2023. 
Additionally, Sophos MDR has observed the campaign leveraging a public file-storage repository to host encoded malware. This repository has been in use since December 8, 2022; after news of the compromise spread widely on March 29, the repository was taken down.<\/p>\n<p>The attack revolves around a DLL sideloading scenario, one with a remarkable number of components involved. This complexity was likely intended to ensure that customers were able to use the 3CX desktop package without noticing anything unusual about the affected package. We have identified three crucial components:<\/p>\n<ul>\n<li>3CXDesktopApp.exe, the clean loader<\/li>\n<li>d3dcompiler_47.dll, a DLL with an appended encrypted payload<\/li>\n<li>ffmpeg.dll, a Trojanized loader<\/li>\n<\/ul>\n<p>Figure 2 presents a high-level look at the attack flow as it works in Windows; there are some minor variations in the later steps with the MacOS version.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-02-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90743\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-02-3.png\" alt=\"A flow chart showing the complexity of the attack\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-02-3.png 1280w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-02-3.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-02-3.png?resize=768,432 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-02-3.png?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 2: A high-level view of the attack flow<\/em><\/p>\n<p>The file ffmpeg.dll contains an embedded URL which retrieved a malicious encoded .ico payload from GitHub file storage at https[:]\/\/raw.githubusercontent.com\/IconStorages\/images\/main\/ &#8212; though, again, once news of the compromise 
spread widely, this repository was taken down.<\/p>\n<p>We saw several variations on the ffmpeg.dll file, including one that was signed by 3CX\u2019s own certificate; these appear to be maliciously patched versions of the legitimate ffmpeg.dll. In a statement on Thursday, the team responsible for ffmpeg\u2019s source code took pains to distance their work from the 3CX compromise.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/image.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90746\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/image.png\" alt=\"A snapshot of the tweet from ffmpeg, which says &quot;There have been several incorrect reports that FFmpeg has been involved in the distribution of malware. FFmpeg only provides source code and the source code has not been compromised. Any &quot;ffmpeg.dll&quot; that has been compromised is the responsibility of the vendor. &quot;\" width=\"580\" height=\"200\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/image.png 580w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/image.png?resize=300,103 300w\" sizes=\"auto, (max-width: 580px) 100vw, 580px\" \/><\/a><\/p>\n<p><em>Figure 3: When ffmpeg stepped onto Twitter to defend its code<\/em><\/p>\n<p>In a normal DLL sideloading scenario, the malicious loader (ffmpeg.dll) would replace the clean dependency; its only function would be to queue up the payload. However, in this case, that loader is also entirely functional, as it would normally be in the 3CX product \u2013 instead, there\u2019s an additional payload inserted at the DllMain function. 
This adds bulk, but may have lowered suspicions \u2013 the abused 3CX application functioned as expected, even as the Trojanized DLL beaconed out to the C2 infrastructure.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-03-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90744\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-03-2.png\" alt=\"The 3CX supply-chain attack as experienced by the developers and by the end users\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-03-2.png 1280w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-03-2.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-03-2.png?resize=768,432 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/figure-03-2.png?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 4: What the affected 3CX developers and customers experienced<\/em><\/p>\n<p>Allowing the abused software to remain functional is not dissimilar to other DLL sideloading cases we\u2019ve seen, but this campaign differs slightly even from the current rash of such cases. In particular, we\u2019ve noted that the PE shellcode loader in use is unique in our experience. Prior to this, we\u2019ve only seen it in incidents attributed to the Lazarus group; the code in this incident is a byte-for-byte match to those previous samples.<\/p>\n<h2><strong>Hunting information<\/strong><\/h2>\n<h3>Determining impact with Sophos XDR<\/h3>\n<h4>1. 
Determining whether hosts have communicated with threat actor infrastructure: Data Lake<\/h4>\n<p>The below query will search for hosts that have communicated with the various known URLs in use by this campaign.<\/p>\n<pre>SELECT    meta_hostname,    sophos_pids,    domain,    clean_urls,    source_ips,    destination_ips,    timestamps,    ingestion_timestamp  FROM    xdr_data  WHERE    query_name = 'sophos_urls_windows'    AND      (LOWER(domain) LIKE '%akamaicontainer[.]com%'      OR LOWER(domain) LIKE '%akamaitechcloudservices[.]com%'      OR LOWER(domain) LIKE '%azuredeploystore[.]com%'      OR LOWER(domain) LIKE '%azureonlinecloud[.]com%'      OR LOWER(domain) LIKE '%azureonlinestorage[.]com%'      OR LOWER(domain) LIKE '%dunamistrd[.]com%'      OR LOWER(domain) LIKE '%glcloudservice[.]com%'      OR LOWER(domain) LIKE '%journalide[.]org%'      OR LOWER(domain) LIKE '%msedgepackageinfo[.]com%'      OR LOWER(domain) LIKE '%msstorageazure[.]com%'      OR LOWER(domain) LIKE '%msstorageboxes[.]com%'      OR LOWER(domain) LIKE '%officeaddons[.]com%'      OR LOWER(domain) LIKE '%officestoragebox[.]com%'      OR LOWER(domain) LIKE '%pbxcloudeservices[.]com%'      OR LOWER(domain) LIKE '%pbxphonenetwork[.]com%'      OR LOWER(domain) LIKE '%pbxsources[.]com%'      OR LOWER(domain) LIKE '%qwepoi123098[.]com%'      OR LOWER(domain) LIKE '%sbmsa[.]wiki%'      OR LOWER(domain) LIKE '%sourceslabs[.]com%'      OR LOWER(domain) LIKE '%visualstudiofactory[.]com%'      OR LOWER(domain) LIKE '%zacharryblogs[.]com%'      OR (LOWER(domain) LIKE '%raw.githubusercontent[.]com%' AND LOWER(clean_urls) LIKE '%\/iconstorages\/images\/main\/%'))<\/pre>\n<h4><span lang=\"EN-GB\">2. 
Determining whether hosts have interacted with malicious files<\/span><\/h4>\n<pre>SELECT f.filename, f.directory, ROUND((f.size * 10e-7),2) AS size_MB, h.sha256, f.type,   f.attributes, f.mode,   datetime(f.btime,'unixepoch') AS file_created_time,   datetime(f.atime,'unixepoch') AS file_last_access_time,   datetime(f.mtime,'unixepoch') AS file_last_modified_time,   datetime(f.ctime,'unixepoch') AS file_last_status_change_time,   f.uid, u.username AS file_owner   FROM file f   LEFT JOIN users u ON f.uid = u.uid   LEFT JOIN groups g ON f.gid = g.gid   LEFT JOIN hash h ON f.path = h.path   WHERE f.path LIKE 'c:\\users\\%\\appdata\\local\\programs\\3cxdesktopapp\\app%'   AND (f.filename = 'ffmpeg.dll'   OR f.filename LIKE 'd3dcompiler%.dll'   OR f.filename = 'trololo.dll')   AND (h.sha256 = 'c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02'   OR h.sha256 = '11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03'   OR h.sha256 = '7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896'   OR h.sha256 = 'aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973')<\/pre>\n<h4><span lang=\"EN-GB\">3. 
Determining whether hosts are running affected versions<\/span><\/h4>\n<pre>SELECT      MIN(ingestion_timestamp) AS first_seen,      MAX(ingestion_timestamp) AS last_seen,      meta_hostname,      ARRAY_JOIN(ARRAY_AGG(DISTINCT(meta_hostname)), ', ') AS hosts,      ARRAY_JOIN(ARRAY_AGG(sophos_pid),', ') AS spids,      LOWER(name) AS name,      sha256,      company_name,      file_description,      file_size,      file_version,      original_filename  FROM      xdr_data  WHERE     query_name = 'running_processes_windows_sophos'      AND (          LOWER(name) = '3cxdesktopapp.exe'          OR LOWER(original_filename) = '3cxdesktopapp.exe'          OR LOWER(product_name) ='3cx desktop app')  GROUP by      meta_hostname,      LOWER(name),      sha256,      company_name,      file_description,      file_size,      file_version,      original_filename  ORDER BY      meta_hostname desc  <\/pre>\n<h4><span lang=\"EN-GB\">4. Determining whether hosts have communicated with threat actor infrastructure, for MacOS<\/span><\/h4>\n<pre>SELECT      meta_hostname,      date_format(from_unixtime(time), '%Y-%m-%d %H:%i:%s') AS date_time,      ingestion_timestamp,      pid,      name,      cmdline,      path,      parent,      gid,      uid,      euid,      egid,      sha1,      sha256  FROM      xdr_data  WHERE      query_name = 'running_processes_osx_events'      AND LOWER(cmdline) LIKE '%sh -c%'      AND LOWER(cmdline) LIKE '%\/3cx desktop app\/updateagent%'<\/pre>\n<p>We also recommend that users of 3CX\u2019s software continue to monitor the company\u2019s communications channels; they have a <a href=\"https:\/\/www.3cx.com\/blog\/\">blog<\/a> and also a support-and-information <a href=\"https:\/\/www.3cx.com\/community\/forums\/webrtc-webclient\/\">forum<\/a>. As of March 30, the company was recommending that customers uninstall and reinstall the app, and suggested that they might also use the company\u2019s browser-based PWA client while the situation was sorted out.<\/p>\n<p>An updated list of IOCs for this attack is published on our GitHub.<\/p>\n<h2><strong>Detection protection<\/strong><\/h2>\n<p>SophosLabs has blocked the malicious domains and published the following detections:<\/p>\n<p>Static detections:<\/p>\n<ul>\n<li>Troj\/Loader-AF (Trojanized ffmpeg.dll)<\/li>\n<li>Troj\/Mdrop-JTQ (installers)<\/li>\n<li>OSX\/Mdrop-JTR (installers)<\/li>\n<li>OSX\/Loader-AG (Trojanized ffmpeg.dll)<\/li>\n<\/ul>\n<p>Reputation detection:<\/p>\n<ul>\n<li>Mal\/Generic-R \/ Mal\/Generic-S (d3dcompiler with appended shellcode)<\/li>\n<\/ul>\n<p>Memory detection:<\/p>\n<ul>\n<li>Mem\/Loader-AH<\/li>\n<\/ul>\n<p>We have also blocked the list of known C2 domains associated with the threat and will continue to add to that list in the IOC file on our GitHub, as noted above. Finally, the two malicious versions of the ffmpeg.dll bundled in the affected 3CX application are flagged by their hashes as being of low reputation.<\/p>\n<p>SophosLabs is actively investigating additional detection opportunities for activity stemming from this software. 
In addition, for customers of Sophos MDR, the MDR Detection Engineering team has a variety of behavioral detections in place that will detect follow-up activity.<\/p>\n<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/03\/29\/3cx-dll-sideloading-attack\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/03\/shutterstock_1062320105.jpg\"\/><\/p>\n<p><strong>Credit to Author: Greg Iddon| Date: Thu, 30 Mar 2023 01:39:11 +0000<\/strong><\/p>\n<p>A Trojanized version of the popular VOIP\/PBX software is in the news; here\u2019s what hunters and defenders are doing<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[28963,28964,129,28980,28965,16771],"class_list":["post-21616","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-3cx","tag-dll-sideloading","tag-featured","tag-ffmpeg-dll","tag-ioc-hunting","tag-threat-research"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21616","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21616"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21616\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/i
ndex.php\/wp-json\/wp\/v2\/media?parent=21616"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21616"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21616"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}