URL: https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats
John Hammond 03.30.2023 14 min read


3CX VOIP SOFTWARE COMPROMISE & SUPPLY CHAIN THREATS


The 3CX VoIP Desktop Application has been compromised to deliver malware via
legitimate 3CX updates. Huntress has been investigating this incident and
working to validate and assess the current supply chain threat to the security
community.

--------------------------------------------------------------------------------

UPDATE #1 - 3/30/23 @ 2pm ET: Added a PowerShell script, intended to be run
through an RMM, that checks the locations and versions of installed 3CX binaries
and compares them against the known malicious hashes.

At 11:40 AM EDT on March 29, 2023, Huntress received an inbound support request
from a partner, concerned with a new advisory and discussion on Reddit shared
just 30 minutes prior. CrowdStrike was first to sound the alarm on a breaking
incident: 3CX VoIP software installations were compromised, delivering malware
to hosts running the 3CX desktop app. 

Huntress immediately added increased monitoring for malicious activity related
to the 3CX application, while working to validate this attack vector so that we
could provide as much information as possible to the community. 

From 3CX’s recently released notification, the currently known affected 3CX
DesktopApp versions are 18.12.407 and 18.12.416 for Windows and 18.11.1213,
18.12.402, 18.12.407 and 18.12.416 for Mac.


IMPACT

At the time of writing, Shodan reports there are 242,519 publicly exposed 3CX
phone management systems.



3CX claims to have over 600,000 customers, and it goes without saying, this has
the potential to be a massive supply chain attack, likened well enough to the
SolarWinds incident or the Kaseya VSA ransomware attack in years past.

Within our partner base, Huntress has sent out 2,783 incident reports where the
3CXDesktopApp.exe binary matches known malicious hashes and was signed by 3CX on
March 13, 2023. We currently have a pool of ~8,000 hosts running 3CX software.

While Huntress has notified appropriate partners, we decided not to
automatically isolate 3CX hosts, in the event it could result in taking phone
communication systems offline. We strongly urge you to remove the software if at
all possible, as 3CX has promised a non-malicious update in the near future.


ANALYSIS & INVESTIGATION

On March 29, numerous EDR providers and antivirus solutions began to trigger and
flag on the legitimate signed binary 3CXDesktopApp.exe. This application had
begun an update process that ultimately led to malicious behavior and
command-and-control communication to numerous external servers. 

Unfortunately in the early timeline of the community's investigation, there was
confusion on whether or not this was a legitimate antivirus alert.



The 3CX download available on the official public website had included malware.
Installations already deployed will update, and ultimately pull down this
malware that includes a backdoored DLL file, ffmpeg.dll and an anomalous
d3dcompiler_47.dll. 

For an overall visual of the attack chain, take a quick look at this primitive
graph. 



Massive kudos to our security researcher and resident binary ninja Matthew
Brennan for this deep-dive! 



This backdoored ffmpeg.dll primarily acts as a loader for the d3dcompiler_47.dll
file.

Right from the DLL entrypoint, it eventually enters a new function (that we have
renamed mw_main_function for our reverse engineering purposes) --




That creates a new event AVMonitorRefreshEvent, resolves the current file path,
and looks for the subsequent d3dcompiler_47.dll file to load into memory.





From our analysis, we see d3dcompiler_47.dll is signed by Microsoft, but
contains an embedded secondary encrypted payload. This payload is denoted by a
specific byte marker, FE ED FA CE, as others have also observed.



After retrieving d3dcompiler_47.dll, the ffmpeg.dll binary locates and unravels
this secondary payload by decrypting an RC4 stream with the key 3jB(2bsG#@c7.
According to other threat intelligence, this static key is known to be
attributed to DPRK threat actors.



Following calls to VirtualProtect to prepare this payload, we could extract the
decrypted shellcode for further examination.
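To make the d3dcompiler_47.dll stage concrete, here is an added Python triage helper (example code written for this page, not Huntress tooling) that scans a carrier file for the FE ED FA CE marker, RC4-decrypts the bytes after it with the key quoted above, and then checks the result for an embedded PE header, since the post notes the decrypted shellcode carries yet another DLL. It assumes the encrypted blob starts immediately after the marker and runs to the end of the file; the carrier it builds for itself is constructed, not a real sample.

```python
"""Added example: triage helper for the d3dcompiler_47.dll stage described above.
Not Huntress code. Assumption: the RC4-encrypted blob starts right after the
FE ED FA CE marker and runs to end of file; real samples may lay it out differently."""
import sys

MARKER = bytes.fromhex("FEEDFACE")        # byte marker named in the post
RC4_KEY = b"3jB(2bsG#@c7"                 # static RC4 key named in the post


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def find_marker(blob: bytes) -> list:
    """All offsets of FE ED FA CE (a large signed DLL may contain the sequence by chance)."""
    offsets, start = [], 0
    while (idx := blob.find(MARKER, start)) >= 0:
        offsets.append(idx)
        start = idx + 1
    return offsets


def find_embedded_pe(data: bytes) -> list:
    """Offsets of 'MZ' headers whose e_lfanew points at a 'PE\\0\\0' signature.
    Used to confirm a decrypt worked: the post notes the shellcode carries another DLL."""
    hits, start = [], 0
    while (idx := data.find(b"MZ", start)) >= 0 and idx + 0x40 <= len(data):
        e_lfanew = int.from_bytes(data[idx + 0x3C:idx + 0x40], "little")
        if 0x40 <= e_lfanew < 0x1000 and data[idx + e_lfanew:idx + e_lfanew + 4] == b"PE\0\0":
            hits.append(idx)
        start = idx + 1
    return hits


def extract_payload(blob: bytes, key: bytes = RC4_KEY):
    """Decrypt what follows the first marker. Returns (marker_offset, plaintext) or None."""
    offsets = find_marker(blob)
    if not offsets:
        return None
    off = offsets[0]
    return off, rc4(key, blob[off + len(MARKER):])


# --- constructed sample (not a real d3dcompiler_47.dll) so the helper runs offline ---
_FAKE_PE = (b"MZ" + b"\x00" * 0x3A + (0x80).to_bytes(4, "little")   # e_lfanew = 0x80
            + b"\x00" * 0x40 + b"PE\0\0" + b"\x00" * 16)
SHELLCODE = b"\x90" * 16 + _FAKE_PE          # stand-in for the decrypted loader + DLL
SAMPLE_CARRIER = b"\x00" * 64 + MARKER + rc4(RC4_KEY, SHELLCODE)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CARRIER
    result = extract_payload(blob)
    if result is None:
        print("no FE ED FA CE marker found")
    else:
        off, plaintext = result
        print(f"marker at 0x{off:x}, {len(plaintext)} bytes decrypted, "
              f"embedded PE headers at {[hex(o) for o in find_embedded_pe(plaintext)]}")
```

Run it with a file path to triage a carrier, or with no arguments to see it work on the constructed sample; an empty list from find_embedded_pe after decrypting a real file is a hint that the layout assumption (or the key) does not match that sample.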



Digging further within GHIDRA, x64dbg and other analysis tools, we discovered
there is yet another DLL file embedded within the shellcode. It appears this
shellcode is just another PE loader.

One very important note regarding this shellcode-embedded PE file: it would
sleep for 7 days before calling out to external C2 servers. The 7-day delay is
peculiar, as you may not have seen further indicators immediately, and it may
explain why some users have not yet seen malicious activity. (Perhaps an
interesting observation considering these new malicious 3CX updates were first
seen on March 22, and the industry caught wind of this malicious activity on
March 29.)



This final PE file ultimately reaches out to a Github repository and raw file
contents:

https://raw[.]githubusercontent[.]com/IconStorages/images/main/icon%d.ico



This Github repository, https[:]//github[.]com/IconStorages/images, stored 16
separate .ICO icon files.



Each one was in fact a valid icon file, however, at the very end of each file
was a Base64 encoded string.



Attempting to decode these Base64 strings, they were -- as we might expect --
seemingly more encrypted data. 
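The trick with the icon files is that an icon viewer only reads the bytes the ICONDIR table points at, so anything appended after the last image is invisible in normal use. The following added Python helper (example code for this page, not Huntress or anyone else's tooling) parses the ICO directory, isolates the appended trailer, base64-decodes it and reports its entropy as a quick "is this still encrypted" check. The AES key and mode used to recover the URLs are not given in the post, so the example stops at the decoded ciphertext; the 1x1 icon and trailer it builds are constructed.

```python
"""Added example (not Huntress code): split an .ICO into the bytes its
directory actually references and whatever was appended after them, then
base64-decode the appended part. The AES step is not reproducible from the
post (no key/mode given), so this ends at the decoded ciphertext."""
import base64
import binascii
import math
import struct


def ico_payload_end(ico: bytes) -> int:
    """Offset just past the last image the ICONDIR/ICONDIRENTRY table references."""
    if len(ico) < 6:
        raise ValueError("too short for an ICONDIR header")
    reserved, img_type, count = struct.unpack_from("<HHH", ico, 0)
    if reserved != 0 or img_type != 1 or count == 0:
        raise ValueError("not an ICO header")
    end = 6 + 16 * count                     # the directory itself
    for n in range(count):
        # ICONDIRENTRY: width, height, colours, reserved (1 byte each),
        # planes, bpp (u16), image size, image offset (u32)
        _w, _h, _c, _r, _planes, _bpp, size, offset = struct.unpack_from(
            "<BBBBHHII", ico, 6 + 16 * n)
        end = max(end, offset + size)
    return min(end, len(ico))


def trailing_data(ico: bytes) -> bytes:
    """Bytes after the last referenced image: an icon viewer never reads these."""
    return ico[ico_payload_end(ico):]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8 suggest encrypted or compressed content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def decode_trailer(ico: bytes):
    """Return (raw trailer, base64-decoded bytes or None if the trailer is not base64)."""
    tail = trailing_data(ico).strip()
    if not tail:
        return tail, None
    try:
        return tail, base64.b64decode(tail, validate=True)
    except (binascii.Error, ValueError):
        return tail, None


# --- constructed sample: a 1x1 icon with a 40-byte placeholder image, plus an
# appended base64 string standing in for the encrypted data seen in the real files ---
_IMAGE = struct.pack("<I", 40) + b"\x00" * 36          # placeholder BITMAPINFOHEADER
ENCRYPTED_STUB = bytes(range(32))                       # stand-in for the AES blob
SAMPLE_ICO = (struct.pack("<HHH", 0, 1, 1)
              + struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(_IMAGE), 22)
              + _IMAGE
              + base64.b64encode(ENCRYPTED_STUB))

if __name__ == "__main__":
    tail, decoded = decode_trailer(SAMPLE_ICO)
    print(f"trailer: {tail[:40]!r}...")
    if decoded:
        print(f"decoded {len(decoded)} bytes, entropy {shannon_entropy(decoded):.2f} bits/byte")
```

Pointing decode_trailer at each of the sixteen icon files would give sixteen ciphertext blobs of the kind the post describes; the same end-of-directory calculation also gives a generic check for "image file larger than its own directory claims", which is useful beyond this one campaign.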



In between the internet HTTP requests to Github, we observed decryption
routines. These helped clue in how we could decrypt what looked to be AES
encrypted data -- ultimately unraveling to these plaintext strings and URLs
referenced at the end of each .ICO file:

https[:]//www[.]3cx[.]com/blog/event-trainings/
https[:]//akamaitechcloudservices[.]com/v2/storage
https[:]//akamaitechcloudservices[.]com/v2/storage
https[:]//azureonlinestorage[.]com/azure/storage
https[:]//msedgepackageinfo[.]com/microsoft-edge
https[:]//glcloudservice[.]com/v1/console
https[:]//pbxsources[.]com/exchange
https[:]//msstorageazure[.]com/window
https[:]//officestoragebox[.]com/api/session
https[:]//visualstudiofactory[.]com/workload
https[:]//azuredeploystore[.]com/cloud/services
https[:]//msstorageboxes[.]com/office
https[:]//officeaddons[.]com/technologies
https[:]//sourceslabs[.]com/downloads
https[:]//zacharryblogs[.]com/feed
https[:]//pbxcloudeservices[.]com/phonesystem
https[:]//pbxphonenetwork[.]com/voip
https[:]//msedgeupdate[.]net/Windows

These URLs match the same handful of domain IOCs shared by others. The final
payload would randomly choose which icon number, and ultimately decrypted URL,
to be selected as the external C2 server.

Interestingly enough, the very first .ICO file, icon0.ico, had pointed to
https[:]//www[.]3cx[.]com/blog/event-trainings/ ... however, trawling through
the past commits of the IconStorages Github repository, it originally
referenced https[:]//msedgeupdate[.]net/Windows.

The https[:]//github[.]com/IconStorages/images repository hosting these C2
server endpoints has been taken offline. While this may hinder the execution of
hosts updating to the current malicious version of 3CX, the real impact is
unknown at this time. It is not yet clear whether or not adversaries still have
access to the 3CX supply chain in order to poison future updates - perhaps this
may change the tradecraft we see in the coming days.



We have not yet seen any sample network data communicating with these C2 URLs
for us to analyze.


DETECTION EFFORTS

UPDATE 3/30/23 @ 2pm ET: Our team has created a PowerShell script, intended to
be run through an RMM, that checks the locations and versions of installed 3CX
binaries and compares them against the known malicious hashes.

Windows Defender is currently detecting this attack chain with the threat name
Trojan:Win64/SamScissors.



For detection efforts, Huntress has observed -- at least for the malicious
initial outreach to Github-related IP address -- a particular process tree and
process command line:



The parent lineage has been: 

explorer.exe 
    \_ 
        3CXDesktopApp.exe
                \_ 
                    3CXDesktopApp.exe 

… with the parent 3CXDesktopApp.exe having one of the known malicious hashes,
and the corresponding child 3CXDesktopApp.exe invoked with a command line of:

[DRIVE]:\Users\Username\Local\Programs\3CXDesktopApp.exe\3CXDesktopApp.exe autoLaunch

To note, we have observed processes with this lineage and command line that have
not reached out to a Github related domain... but the distinguishing factor
appears to be the process lineage criteria paired with the malicious hashes for
the parent 3CXDesktopApp.exe.

These known SHA256 hashes offer quality indicators:

 * a60a61bf844bc181d4540c9fac53203250a982e7c3ad6153869f01e19cc36203 (18.12.416)
 * 5d99efa36f34aa6b43cd81e77544961c5c8d692c96059fef92c2df2624550734 (18.12.416)
 * 54004dfaa48ca5fa91e3304fb99559a2395301c570026450882d6aad89132a02 (18.12.407)
 * d45674f941be3cca2fbc1af42778043cc18cd86d95a2ecb9e6f0e212ed4c74ae (18.12.407)
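As an added example (not Huntress's RMM script and not its detection logic), the lineage-plus-hash criteria above can be expressed over process-creation records: a 3CXDesktopApp.exe child started with autoLaunch whose parent is also 3CXDesktopApp.exe with one of the listed hashes, with the grandparent reported for context. A small file-hash helper covers the on-disk check the update notes mention. The record layout, pids and paths are assumptions; the events are constructed, with the command line mirroring the one quoted in the post.

```python
"""Added example (not Huntress code): the lineage-plus-hash criteria from the post
expressed over constructed process-creation records, plus a file-hash check for
on-disk copies of 3CXDesktopApp.exe. Record layout and sample events are assumed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# SHA256 values and versions exactly as listed in the post
KNOWN_BAD_SHA256 = {
    "a60a61bf844bc181d4540c9fac53203250a982e7c3ad6153869f01e19cc36203": "18.12.416",
    "5d99efa36f34aa6b43cd81e77544961c5c8d692c96059fef92c2df2624550734": "18.12.416",
    "54004dfaa48ca5fa91e3304fb99559a2395301c570026450882d6aad89132a02": "18.12.407",
    "d45674f941be3cca2fbc1af42778043cc18cd86d95a2ecb9e6f0e212ed4c74ae": "18.12.407",
}


@dataclass
class ProcessEvent:              # assumed shape of an EDR process-start record
    pid: int
    ppid: int
    image: str                   # full path of the executable
    command_line: str
    sha256: str                  # hash of the image on disk, as an EDR would record it


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_known_bad(sha256_hex: str) -> Optional[str]:
    """Version string if the hash is on the list, else None."""
    return KNOWN_BAD_SHA256.get(sha256_hex.lower())


def sha256_of_file(path: str) -> str:
    """Hash an on-disk binary so it can be compared with KNOWN_BAD_SHA256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suspicious_launches(events: List[ProcessEvent]) -> List[Dict]:
    """Flag a 3CXDesktopApp.exe child started with 'autoLaunch' whose parent is
    also 3CXDesktopApp.exe and carries a known malicious hash. The grandparent
    (explorer.exe in the observed tree) is reported for context, not required."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        if basename(child.image) != "3cxdesktopapp.exe":
            continue
        if "autolaunch" not in child.command_line.lower():
            continue
        parent = by_pid.get(child.ppid)
        if parent is None or basename(parent.image) != "3cxdesktopapp.exe":
            continue
        version = is_known_bad(parent.sha256)
        if version is None:
            continue            # same lineage, but the parent is not a known bad build
        grandparent = by_pid.get(parent.ppid)
        hits.append({
            "child_pid": child.pid,
            "parent_pid": parent.pid,
            "version": version,
            "parent_sha256": parent.sha256.lower(),
            "grandparent": basename(grandparent.image) if grandparent else None,
        })
    return hits


# --- constructed sample events: pids are invented, the path mirrors the post ---
_APP = r"C:\Users\Username\Local\Programs\3CXDesktopApp.exe\3CXDesktopApp.exe"
_BAD = "54004dfaa48ca5fa91e3304fb99559a2395301c570026450882d6aad89132a02"
_UNLISTED = "0" * 64          # placeholder hash for a build not on the list
SAMPLE_EVENTS = [
    ProcessEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe", "1" * 64),
    ProcessEvent(2000, 1000, _APP, f'"{_APP}"', _BAD),               # malicious parent
    ProcessEvent(2100, 2000, _APP, f"{_APP} autoLaunch", _BAD),     # flagged child
    ProcessEvent(3000, 1000, _APP, f'"{_APP}"', _UNLISTED),          # parent with unlisted hash
    ProcessEvent(3100, 3000, _APP, f"{_APP} autoLaunch", _UNLISTED),  # same tree, not flagged
]

if __name__ == "__main__":
    for hit in find_suspicious_launches(SAMPLE_EVENTS):
        print(hit)
```

The second tree in the sample shows why the hash is the deciding criterion: as the post notes, the lineage and autoLaunch command line also occur on hosts that never reached out to GitHub, so lineage alone would over-alert.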

Additionally, Huntress researcher Matthew Brennan has crafted a YARA rule to
help detect these malicious files.



You can find this YARA rule (3cxMalware.yar) included within this Github gist:

rule Malware_dprk_3cx {
    meta:
        author = "HuntressLabs"
        created = "2023/03/30"
    strings:
        // opcode sequence from the backdoored ffmpeg.dll
        $ffmpeg = {41 f7 da 44 01 d2 ff c2 4c 63 ca 46 8a 94 0c 50 03 00 00 45 00 d0 45 0f b6 d8 42 8a ac 1c 50 03 00 00 46 88 94 1c 50 03 00 00 42 88 ac 0c 50 03 00 00 42 02 ac 1c 50 03 00 00 44 0f b6 cd 46 8a 8c 0c 50 03 00 00}
        // name of the second-stage carrier and the static RC4 key
        $s1 = "D3dcompiler_47.dll" ascii
        $s2 = "3jB(2bsG#@c7" ascii
        // ror r11d, 13 hashing loop
        $ror = {41 c1 cb 0d 0f be 03 48 ff c3 44 03 d8 80 7b ff 00}
        // decodes to: 1200 2400 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
        //             (KHTML, like Gecko) 3CXDesktopApp/18.11.1197 Chrome/102.0.5005.167 Electron
        $header = {31 32 30 30 20 32 34 30 30 20 22 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 33 43 58 44 65 73 6b 74 6f 70 41 70 70 2f 31 38 2e 31 31 2e 31 31 39 37 20 43 68 72 6f 6d 65 2f 31 30 32 2e 30 2e 35 30 30 35 2e 31 36 37 20 45 6c 65 63 74 72 6f 6e}
        // arithmetic constants from the downloader stage
        $downloader1 = {33 c1 41 69 d0 7d 50 bf 12 45 8b d1 83 c3 10 4c 0f af d7 49 c1 e9 20 81 c2 87 d6 12 00 4d 03 d1 44 69 ca 7d 50 bf 12}
        // raw-content URL prefix of the IconStorages repository
        $github = "https://raw.githubusercontent.com/IconStorages/" wide nocase
    condition:
        $ffmpeg or ($s1 and $s2) or ($ror and $header) or $downloader1 or $github
}


ATTRIBUTION

While definitive attribution is not yet clear, the current consensus across the
security community is that this attack was performed by a DPRK nation-state
threat actor.


3CX OFFICIAL MESSAGING

The latest recommendations from the 3CX CEO and CISO are to uninstall the
desktop client for 3CX. They report they are preparing a new release and update
to the 3CXDesktopApp to be made available soon.


HUNTRESS ASSISTANCE

Fully aware of the severity of this incident, we realize our efforts are just
one pebble in the pond. With that said, our goal is always to keep our partners
safe and do as much as we can to help the broader small and mid-size business
(SMB) community prevent this from escalating further.

If you are using 3CX and aren’t already working with our team, Huntress is
offering a free, 30-day trial of our Managed EDR services through the month of
April. For more information, check out the details
here: https://www.huntress.com/3cx-response.


RESOURCES AND REFERENCES

 * The latest from 3CX
   https://www.3cx.com/blog/news/desktopapp-security-alert-updates/
 * CrowdStrike’s original Reddit reporting
   https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
 * CrowdStrike’s formal blog post
   https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
 * Todyl’s reporting
   https://www.todyl.com/blog/post/threat-advisory-3cx-softphone-telephony-campaign
 * SentinelOne’s reporting
   https://s1.ai/smoothoperator
 * Discussion on the 3CX forum and public bulletin board
    * https://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558710
    * https://www.3cx.com/community/threads/3cx-desktop-app-vulnerability-security-group-contact.119930/
    * https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/#post-558726

 * 3CX CEO first official notification
    * https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/#post-558907

 * Nextron Systems' Sigma and YARA rules for detection
   https://github.com/Neo23x0/signature-base/blob/master/yara/gen_mal_3cx_compromise_mar23.yar
 * Unofficial OTX AlienVault Pulse
   https://otx.alienvault.com/pulse/64249206b02aa3531a78d020
 * Kevin Beaumont’s commentary
   https://cyberplace.social/@GossiTheDog/110108640236492867
 * Patrick Wardle’s commentary on the Mac variant
   https://twitter.com/patrickwardle/status/1641294247877021696
   https://objective-see.org/blog/blog_0x73.html
 * Volexity's timeline, including what each of the icon files were and some of
   the network indicators
   https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/ 


INDICATORS OF ATTACK (IOAS)


DOMAINS:

akamaicontainer[.]com
akamaitechcloudservices[.]com
azuredeploystore[.]com
azureonlinecloud[.]com
azureonlinestorage[.]com
dunamistrd[.]com
glcloudservice[.]com
journalide[.]org
msedgepackageinfo[.]com
msstorageazure[.]com
msstorageboxes[.]com
officeaddons[.]com
officestoragebox[.]com
pbxcloudeservices[.]com
pbxphonenetwork[.]com
pbxsources[.]com
qwepoi123098[.]com
sbmsa[.]wiki
sourceslabs[.]com
visualstudiofactory[.]com
zacharryblogs[.]com


3CXDESKTOPAPP.EXE SHA256 HASHES

a60a61bf844bc181d4540c9fac53203250a982e7c3ad6153869f01e19cc36203 (18.12.416)
5d99efa36f34aa6b43cd81e77544961c5c8d692c96059fef92c2df2624550734 (18.12.416)
54004dfaa48ca5fa91e3304fb99559a2395301c570026450882d6aad89132a02 (18.12.407)
d45674f941be3cca2fbc1af42778043cc18cd86d95a2ecb9e6f0e212ed4c74ae (18.12.407)


3CXDESKTOPAPP MSI INSTALLER SHA256 HASHES

aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983


3CXDESKTOPAPP MACOS SHA256 HASHES

92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61
b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb
a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67



3CXDESKTOPAPP MACOS DMG INSTALLER HASHES

5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290
e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec

 

JOHN HAMMOND

Threat hunter. Education enthusiast. Senior Security Researcher at Huntress.


