{"id":21632,"date":"2023-04-01T15:21:08","date_gmt":"2023-04-01T23:21:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/04\/01\/news-15363\/"},"modified":"2023-04-01T15:21:08","modified_gmt":"2023-04-01T23:21:08","slug":"news-15363","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/04\/01\/news-15363\/","title":{"rendered":"Update 2: 3CX users under DLL-sideloading attack: What you need to know"},"content":{"rendered":"

Credit to Author: Greg Iddon| Date: Thu, 30 Mar 2023 01:39:11 +0000<\/strong><\/p>\n

\n

Sophos X-Ops is tracking a developing situation concerning a seeming supply-chain attack, possibly undertaken by a nation-state-related group. This page provides an overview of the situation, a threat analysis, information for hunters, and information on detection protection.<\/p>\n

We will update this page as events and understanding develop, including our threat and detection guidance.<\/p>\n

[Latest version published 23:00 <\/em>UTC 01-April-23, adding Troj\/Steal-DLG to Detection Protections\/Static detection, two more queries customers may use to determine their exposure to the attack, new analysis of an emergent line of inquiry concerning a timestamp mechanism in the malicious code, and information on analysis of other Electron-built apps using ffmpeg.dll<\/em><\/p>\n

23:30 UTC 30-March-23, adding detail on affected versions, misuse of ffmpeg.dll, removal of malicious repository, comparison of PE shellcode loader to that used by Lazarus threat group, more queries customers may use to determine their exposure to the attack, and various additional detections]<\/em><\/p>\n

 <\/p>\n

Overview<\/strong><\/h2>\n

The affected software is 3CX \u2013 a legitimate software-based PBX phone system available on Windows, MacOS, Linux, Android, and iOS. Some Windows and MacOS versions of the application have been abused by the threat actor to add an installer that communicates with various command-and-control (C2) servers.<\/p>\n

The software is a digitally signed version of the softphone desktop client for both Windows and MacOS, which includes a malicious payload. According to 3CX, their Update 7 for Windows, version numbers 18.12.407 and 18.12.416, and Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 and 18.12.416, are affected. The most common post-exploitation event we have observed to date is the presence of an infostealer that targets the browser(s) on a compromised system. At this writing, 3CX has deprecated the affected versions of the Windows application.<\/p>\n

At present, the only platforms confirmed by our customer data to be affected are Windows and MacOS, which is in agreement with 3CX\u2019s information on affected platforms. According to information<\/a> on their support forum, Android and iOS versions of the software are not believed to be affected.<\/p>\n

Threat analysis<\/strong><\/h2>\n

On March 22, users of 3CX began discussion of potential false-positive detections of 3CXDesktopApp by their endpoint security agents.<\/p>\n

\"The<\/a><\/p>\n

Figure 1: The update process at the moment the malicious version drops<\/em><\/p>\n

Sophos MDR first identified malicious activity directed at its own customers and stemming from 3CXDesktopApp on March 29, 2023. Additionally, Sophos MDR has observed the campaign leveraging a public file storage to host encoded malware. This repository has been in use since December 8, 2022; after news of the compromise spread widely on March 29, the repository was taken down.<\/p>\n

The attack revolves around a DLL sideloading scenario, one with a remarkable number of components involved. This is likely to ensure that customers were able to use the 3CX desktop package without noticing anything unusual about the affected package. We have identified three crucial components:<\/p>\n