URL: https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise


3CX SOFTWARE SUPPLY CHAIN COMPROMISE INITIATED BY A PRIOR SOFTWARE SUPPLY CHAIN
COMPROMISE; SUSPECTED NORTH KOREAN ACTOR RESPONSIBLE

Jeff Johnson, Fred Plan, Adrian Sanchez, Renato Fontana, Jake Nicastro, Dimiter
Andonov, Marius Fodoreanu, Daniel Scott
Apr 20, 2023
20 min read
Supply Chain
Malware
North Korea

In March 2023, Mandiant Consulting responded to a supply chain compromise that
affected 3CX Desktop App software. During this response, Mandiant identified
that the initial compromise vector into 3CX's network was malicious software
downloaded from the Trading Technologies website. This is the first time Mandiant
has seen a software supply chain attack lead to another software supply chain
attack.


OVERVIEW

3CX Desktop App is enterprise software that provides communications for its
users, including chat, video calls, and voice calls. In late March 2023, a
software supply chain compromise spread malware via a trojanized version of
3CX's legitimate software that was available for download from their website. The
affected software was 3CX DesktopApp 18.12.416 and earlier, which contained
malicious code that ran a downloader, SUDDENICON, which in turn received
additional command and control (C2) servers from encrypted icon files hosted on
GitHub. The decrypted C2 server was used to download a third stage identified as
ICONICSTEALER, a data miner that steals browser information. Mandiant tracks this
activity as UNC4736, a suspected North Korean nexus cluster of activity.

Figure 1: 3CX software supply chain compromise linked to Trading Technologies
software supply chain compromise


SOFTWARE SUPPLY CHAIN EXPLOITATION EXPLAINED

Mandiant Consulting’s investigation of the 3CX supply chain compromise has
uncovered the initial intrusion vector: a malware-laced software package
distributed via an earlier software supply chain compromise that began with a
tampered installer for X_TRADER, a software package provided by Trading
Technologies (Figure 1). Mandiant determined that a complex loading process led
to the deployment of VEILEDSIGNAL, a multi-stage modular backdoor, and its
modules.


VEILEDSIGNAL BACKDOOR ANALYSIS

Mandiant Consulting identified an installer with the filename
X_TRADER_r7.17.90p608.exe (MD5: ef4ab22e565684424b4142b1294f1f4d) which led to
the deployment of a malicious modular backdoor: VEILEDSIGNAL.

Although the X_TRADER platform was reportedly discontinued in 2020, it was still
available for download from the legitimate Trading Technologies website in 2022.
This file was signed with the subject “Trading Technologies International, Inc”
and contained the executable file Setup.exe that was also signed with the same
digital certificate. The code signing certificate used to digitally sign the
malicious software was set to expire in October 2022.

The installer contains and executes Setup.exe, which drops two trojanized DLLs
and a benign executable. Setup.exe uses the benign executable to side-load one
of the malicious DLLs. Side-loading relies on a legitimate Windows executable to
load and execute a malicious file that has been disguised as one of its legitimate
dependencies. The loaded malicious DLL contains and uses SIGFLIP and DAVESHELL to
decrypt and load the payload into memory from the other dropped malicious file.
SIGFLIP relies on the RC4 stream cipher to decrypt the payload of choice and uses
the byte sequence FEEDFACE to locate the shellcode, in this case DAVESHELL, during
the decryption stage.

SIGFLIP and DAVESHELL extract and execute a modular backdoor, VEILEDSIGNAL, and
two corresponding modules. VEILEDSIGNAL relies on the two extracted modules for
process injection and communications with the Command and Control (C2) server.

VEILEDSIGNAL and the accompanying two components provide the following
functionality:

 * The VEILEDSIGNAL backdoor supports three commands: send implant data, execute
   shellcode, and terminate itself.

 * The process injection module injects the C2 module in the first found process
   instance of Chrome, Firefox, or Edge. It also monitors the named pipe and
   reinjects the communication module if necessary.

 * The C2 module creates a Windows named pipe and listens for incoming
   communications, which it then sends to the C2 server encrypted with AES-256
   in Galois Counter Mode (GCM).

The C2 configuration of the identified sample of VEILEDSIGNAL (MD5:
c6441c961dcad0fe127514a918eaabd4) relied on the following hard-coded URL:
www.tradingtechnologies[.]com/trading/order-management.
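
Turning the network indicators above into a hunt over proxy logs, as an added example (my code, not Mandiant's and not derived from the samples): it flags requests to the hard-coded C2 URL, and requests that combine the __tutma cookie named in the code comparison below with the Accept and Accept-Language values that the M_Hunting_VEILEDSIGNAL_3 rule in the annex matches as a byte string. The key=value log format and every log line are constructed for the example. Two caveats a practitioner needs: the Accept value is exactly what jQuery sends for JSON requests, so on its own it is noise and only counts together with the cookie, and www.tradingtechnologies[.]com is a legitimate site that was compromised, so the match is on the full path rather than the host.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the post: the hard-coded C2 URL of the analysed VEILEDSIGNAL
# sample, the cookie name the X_TRADER and 3CX payloads share, and the request header
# template decoded from $ss1 of the M_Hunting_VEILEDSIGNAL_3 rule in the annex.
C2_HOST = "www.tradingtechnologies.com"
C2_PATH = "/trading/order-management"
COOKIE_MARKER = "__tutma="
ACCEPT_TEMPLATE = "application/json, text/javascript, */*; q=0.01"
ACCEPT_LANG_TEMPLATE = "en-US,en;q=0.9"

# Constructed sample log in an assumed key=value proxy format; not real telemetry.
# Line 1: beacon to the known C2 URL. Line 3: the same request profile to an unknown
# host, which is what you want to catch once the actor rotates infrastructure.
# Lines 2 and 4: benign traffic, the last one carrying the jQuery-style Accept header
# without the cookie.
SAMPLE_LOG = """\
ts=2023-03-01T10:00:00Z src=10.0.0.5 method=POST host=www.tradingtechnologies.com path=/trading/order-management cookie="__tutma=MTIzNDU2" accept="application/json, text/javascript, */*; q=0.01" accept_language="en-US,en;q=0.9"
ts=2023-03-01T10:00:05Z src=10.0.0.7 method=GET host=www.example.com path=/app cookie="session=abc" accept="text/html" accept_language="en-US,en;q=0.9"
ts=2023-03-01T10:00:09Z src=10.0.0.9 method=POST host=api.example.com path=/v1/data cookie="__tutma=ZGVhZGJlZWY=" accept="application/json, text/javascript, */*; q=0.01" accept_language="en-US,en;q=0.9"
ts=2023-03-01T10:00:12Z src=10.0.0.11 method=POST host=api.example.com path=/v1/data cookie="_ga=1.2" accept="application/json, text/javascript, */*; q=0.01" accept_language="en-US,en;q=0.9"
"""

# key=value pairs; a quoted value may contain spaces and '=' characters.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def classify(entry: Dict[str, str]) -> List[str]:
    """Reasons the entry matches the VEILEDSIGNAL beacon profile (empty if none)."""
    reasons = []
    # Exact path match: the host is a legitimate (compromised) site, so host alone is noise.
    path = entry.get("path", "").split("?", 1)[0]
    if entry.get("host") == C2_HOST and path == C2_PATH:
        reasons.append("known C2 URL")
    # jQuery emits this Accept value for JSON requests, so it only counts together
    # with the __tutma cookie and the fixed Accept-Language string.
    if (COOKIE_MARKER in entry.get("cookie", "")
            and entry.get("accept") == ACCEPT_TEMPLATE
            and entry.get("accept_language") == ACCEPT_LANG_TEMPLATE):
        reasons.append("__tutma cookie with VEILEDSIGNAL header template")
    return reasons


def hunt(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """(source IP, host, reasons) for every line that matches at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        reasons = classify(entry)
        if reasons:
            hits.append((entry.get("src", "?"), entry.get("host", "?"), reasons))
    return hits


if __name__ == "__main__":
    for src, host, why in hunt(SAMPLE_LOG):
        print(f"{src} -> {host}: {', '.join(why)}")
```

Run against the embedded sample, the first and third lines are reported and the other two are not; against real proxy data the field names in FIELD_RE and the dict keys are the only things that need adapting.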


VEILEDSIGNAL SIMILARITIES AND CODE COMPARISON

The compromised X_TRADER and 3CXDesktopApp applications both contain, extract,
and run a payload in the same way, although the final payload is different.
Mandiant analyzed these samples and observed the following similarities:

 * Usage of the same RC4 key 3jB(2bsG#@c7 in the SIGFLIP tool configuration to
   encrypt and decrypt the payload.
 * Usage of SIGFLIP, a publicly available project on GitHub leveraging
   CVE-2013-3900 (MS13-098).
 * Reliance on DAVESHELL, a publicly available open-source project that converts
   PE-COFF files to position-independent code or shellcode and that leverages
   reflective loading techniques to load the payload in memory.
 * Use of the hardcoded cookie variable __tutma in the payloads.
 * Both payloads encrypt data with AES-256 GCM cipher.
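
The loading chain described in the VEILEDSIGNAL analysis (SIGFLIP locating a tagged, RC4-encrypted payload inside an Authenticode-signed file) and the CVE-2013-3900 weakness listed above, as an added example that is my code and not code from the post or from the SIGFLIP project: it parses the PE security directory, measures how many bytes the WIN_CERTIFICATE carries beyond its PKCS#7 blob (the region Authenticode does not hash, which is the whole trick), and RC4-decrypts whatever follows the FEEDFACE tag with the key the two campaigns share. The byte order of the tag, the absence of alignment padding, and the minimal PE32+ skeleton used as test input are assumptions; SIGFLIP's exact on-disk framing is not reproduced, and a real extractor would also need the payload length rather than decrypting to end of table.

```python
import struct
from typing import Optional, Tuple

SIGFLIP_TAG = bytes.fromhex("FEEDFACE")   # tag the post says SIGFLIP scans for (byte order assumed)
RC4_KEY = b"3jB(2bsG#@c7"                  # RC4 key shared by the X_TRADER and 3CX payloads


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def security_directory(pe: bytes) -> Tuple[int, int]:
    """(file offset, size) of the Authenticode certificate table (data directory 4).
    Unlike the other directories, its first field is a raw file offset, not an RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                            # 20-byte COFF header precedes the optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (112 if magic == 0x20B else 96)   # data directories start at 112 (PE32+) or 96 (PE32)
    return struct.unpack_from("<II", pe, dir_base + 4 * 8)


def der_length(blob: bytes) -> int:
    """Encoded size of the DER SEQUENCE (the PKCS#7 SignedData) starting at blob[0]."""
    if not blob or blob[0] != 0x30:
        raise ValueError("certificate does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def cert_table_slack(pe: bytes) -> int:
    """Bytes the WIN_CERTIFICATE carries beyond its PKCS#7 blob. Authenticode does not
    hash this region (CVE-2013-3900), which is how SIGFLIP parks a payload without
    breaking the signature. Clean files show at most 7 bytes of alignment padding."""
    off, size = security_directory(pe)
    if size == 0:
        return 0
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
    if cert_type != 0x0002:                            # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unexpected certificate type")
    pkcs7 = pe[off + 8:off + dw_length]
    return len(pkcs7) - der_length(pkcs7)


def extract_sigflip_payload(pe: bytes, key: bytes = RC4_KEY) -> Optional[bytes]:
    """Find the tag inside the certificate table and RC4-decrypt everything after it."""
    off, size = security_directory(pe)
    table = pe[off:off + size]
    idx = table.find(SIGFLIP_TAG)
    if idx < 0:
        return None
    return rc4(key, table[idx + len(SIGFLIP_TAG):])


def build_sample_pe(payload: bytes, key: bytes = RC4_KEY, smuggle: bool = True) -> bytes:
    """Constructed test input: a minimal PE32+ skeleton whose certificate table holds a
    fake 7-byte PKCS#7 blob and, if smuggle is set, a tagged RC4 payload appended the
    way SIGFLIP does. Alignment padding is omitted; this is not a signed binary."""
    fake_pkcs7 = b"\x30\x05" + b"A" * 5                # DER SEQUENCE with a 5-byte body
    extra = SIGFLIP_TAG + rc4(key, payload) if smuggle else b""
    body = fake_pkcs7 + extra
    win_cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    e_lfanew, opt_size = 0x40, 240                     # 240 = standard PE32+ optional header size
    cert_off = e_lfanew + 4 + 20 + opt_size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(win_cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    sample = build_sample_pe(b"DAVESHELL stub (constructed)")
    print("slack bytes:", cert_table_slack(sample))
    print("decrypted:", extract_sigflip_payload(sample))
```

cert_table_slack is the check worth keeping for triage: it needs no key and no tag, only the observation that a genuine signature leaves almost nothing between the end of the DER blob and the end of the WIN_CERTIFICATE, so a large positive value on a file whose signature still validates is exactly the pattern both the X_TRADER and 3CX droppers exhibit.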


COMPROMISE OF THE 3CX BUILD ENVIRONMENT

The attacker used a compiled version of the publicly available Fast Reverse
Proxy project to move laterally within the 3CX organization during the attack.
The file MsMpEng.exe (MD5: 19dbffec4e359a198daf4ffca1ab9165) was dropped in
C:\Windows\System32 by the threat actor.

Mandiant was able to reconstruct the attacker’s steps throughout the environment
as they harvested credentials and moved laterally. Eventually, the attacker was
able to compromise both the Windows and macOS build environments. On the Windows
build environment, the attacker deployed a TAXHAUL launcher and COLDCAT
downloader that persisted by performing DLL side-loading through the IKEEXT
service and ran with LocalSystem privileges. The macOS build server was
compromised with POOLRAT backdoor using Launch Daemons as a persistence
mechanism.

Previous reporting mentioned the macOS build server was compromised with
SIMPLESEA. Mandiant Intelligence completed analysis of the sample and determined
it to be the backdoor POOLRAT instead of a new malware family.


THREAT ACTOR SPOTLIGHT: UNC4736

UNC4736 demonstrates varying degrees of overlap with multiple North Korean
operators tracked by Mandiant Intelligence, especially with those involved in
financially motivated cybercrime operations. These clusters have demonstrated a
sustained focus on cryptocurrency and fintech-related services over time.

Mandiant assesses with moderate confidence that UNC4736 is related to
financially motivated North Korean "AppleJeus" activity as reported by CISA.
This is further corroborated by findings from Google TAG, who reported the
compromise of www.tradingtechnologies[.]com in February 2022, preceding the
distribution of compromised X_TRADER updates from the site.

 * TAG reported on a cluster of North Korean activity exploiting a remote code
   execution vulnerability in Chrome, CVE-2022-0609, and identified it as
   overlapping with “AppleJeus” targeting cryptocurrency services.
 * The site www.tradingtechnologies[.]com was compromised and hosting a hidden
   IFRAME to exploit visitors, just two months before the site was known to
   deliver a trojanized X_TRADER software package.
 * Within the 3CX environment, Mandiant identified the POOLRAT backdoor using
   journalide[.]org as its configured C2 server. 
 * An older sample of POOLRAT (MD5: 451c23709ecd5a8461ad060f6346930c) was
   previously reported by CISA as part of the trojanized CoinGoTrade application
   used in the AppleJeus operation (Figure 2).
   * The older sample's infrastructure has ties to another trojanized trading
     application, JMT Trading, which is also tracked under AppleJeus.

Figure 2: POOLRAT Link to CoinGoTrade and JMT Trading Activity

Weak infrastructure overlap was also identified between UNC4736 and two clusters
of suspected APT43 activity, UNC3782 and UNC4469.

 * DNS resolutions reveal infrastructure overlap between UNC4736 and activity
   linked to APT43 with moderate confidence (Tables 1 – 3).
 * APT43 frequently targets cryptocurrency users and related services,
   highlighting that such campaigns are widespread across North Korea-nexus cyber
   operators.

Table 1: Resolutions for IP 89.45.67[.]160

Date        Domain                 UNC
2022-12-20  curvefinances[.]com    UNC4469
2022-12-29  pbxphonenetwork[.]com  UNC4736

Table 2: Resolutions for IP 172.93.201[.]88

Date        Domain            UNC
2022-04-08  journalide[.]org  UNC4736
2021-11-26  nxmnv[.]site      UNC3782

Table 3: Resolutions for IP 185.38.151[.]11

Date        Domain                              UNC
2023-01-09  msedgepackageinfo[.]com             UNC4736
2023-03-22  apollo-crypto.org.shilaerc20[.]com  UNC4469


OUTLOOK AND IMPLICATIONS

The identified software supply chain compromise is the first we are aware of
that has led to a cascading software supply chain compromise. It shows the
potential reach of this type of compromise, particularly when a threat actor can
chain intrusions as demonstrated in this investigation. Research on UNC4736
activity suggests that it is most likely linked to financially motivated North
Korean threat actors. Cascading software supply chain compromises demonstrate
that North Korean operators can exploit network access in creative ways to
develop and distribute malware, and move between target networks while
conducting operations aligned with North Korea's interests.


MALWARE DEFINITIONS

ICONICSTEALER

ICONICSTEALER is a C/C++ data miner that collects application configuration data
as well as browser history.

DAVESHELL

DAVESHELL is shellcode that functions as an in-memory dropper. Its embedded
payload is mapped into memory and executed.

SIGFLIP

SIGFLIP is a tool for patching Authenticode-signed PE-COFF files to inject
arbitrary code without affecting or breaking the file's signature.

POOLRAT

POOLRAT is a C/C++ macOS backdoor capable of collecting basic system information
and executing commands. Supported commands include running arbitrary commands,
securely deleting files, reading and writing files, and updating the
configuration.

TAXHAUL

TAXHAUL is a DLL that, when executed, decrypts a shellcode payload expected at
C:\Windows\System32\config\TxR\<machine hardware profile
GUID>.TxR.0.regtrans-ms. Mandiant has seen TAXHAUL persist via DLL side-loading.

COLDCAT

COLDCAT is a complex downloader. COLDCAT generates unique host identifier
information, and beacons it to a C2 that is specified in a separate file via
POST request with the data in the cookie header. After a brief handshake, the
malware expects base64 encoded shellcode to execute in response.

VEILEDSIGNAL

VEILEDSIGNAL is a backdoor written in C that is able to execute shellcode and
terminate itself. Additionally, VEILEDSIGNAL relies on additional modules that
connect via Windows named pipes to interact with the command and control (C2)
infrastructure.


ACKNOWLEDGMENTS

Special thanks to Michael Bailey, Willi Ballenthin, Michael Barnhart, and Jakub
Jozwiak for their collaboration and review. Mandiant would also like to thank
the Google Threat Analysis Group (TAG) and Microsoft Threat Intelligence Center
(MSTIC) for their collaboration in this research.


TECHNICAL ANNEX: MITRE ATT&CK  

Resource Development

 * T1588 Obtain Capabilities  
 * T1588.004 Digital Certificates
 * T1608 Stage Capabilities  
 * T1608.003 Install Digital Certificate

Initial Access

 * T1190 Exploit Public-Facing Application
 * T1195 Supply Chain Compromise  
 * T1195.002 Compromise Software Supply Chain  

Persistence

 * T1574 Hijack Execution Flow
 * T1574.002 DLL Side-Loading

Privilege Escalation

 * T1055 Process Injection
 * T1574 Hijack Execution Flow  
 * T1574.002 DLL Side-Loading

Defense Evasion

 * T1027 Obfuscated Files or Information
 * T1036 Masquerading  
 * T1036.001 Invalid Code Signature
 * T1055 Process Injection
 * T1070 Indicator Removal  
 * T1070.001 Clear Windows Event Logs
 * T1070.004 File Deletion
 * T1112 Modify Registry
 * T1140 Deobfuscate/Decode Files or Information
 * T1497 Virtualization/Sandbox Evasion  
 * T1497.001 System Checks
 * T1574 Hijack Execution Flow  
 * T1574.002 DLL Side-Loading
 * T1620 Reflective Code Loading
 * T1622 Debugger Evasion

Discovery

 * T1012 Query Registry
 * T1082 System Information Discovery
 * T1083 File and Directory Discovery
 * T1497 Virtualization/Sandbox Evasion  
 * T1497.001 System Checks
 * T1614 System Location Discovery
 * T1614.001 System Language Discovery  
 * T1622 Debugger Evasion

Command and Control

 * T1071 Application Layer Protocol
 * T1071.001 Web Protocols
 * T1071.004 DNS  
 * T1105 Ingress Tool Transfer
 * T1573 Encrypted Channel
 * T1573.002 Asymmetric Cryptography  

Impact 

 * T1565 Data Manipulation  
 * T1565.001 Stored Data Manipulation


TECHNICAL ANNEX: DETECTION RULES


YARA RULES

rule M_Hunting_3CXDesktopApp_Key
{
    meta:
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "Detects a key found in a malicious 3CXDesktopApp file"
        md5 = "74bc2d0b6680faa1a5a76b27e5479cbc"
        date = "2023/03/29"
        version = "1"
    strings:
        $key = "3jB(2bsG#@c7" wide ascii
    condition:
        $key
}

rule M_Hunting_3CXDesktopApp_Export
{
    meta:
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "Detects an export used in 3CXDesktopApp malware"
        md5 = "7faea2b01796b80d180399040bb69835"
        date = "2023/03/31"
        version = "1"
    strings:
        $str1 = "DllGetClassObject" wide ascii
        $str2 = "3CXDesktopApp" wide ascii
    condition:
        all of ($str*)
}

rule TAXHAUL
{
    meta:
        author = "Mandiant"
        created = "04/03/2023"
        modified = "04/03/2023"
        version = "1.0"
    strings:
        $p00_0 = {410f45fe4c8d3d[4]eb??4533f64c8d3d[4]eb??4533f64c8d3d[4]eb}
        $p00_1 = {4d3926488b01400f94c6ff90[4]41b9[4]eb??8bde4885c074}
    condition:
        uint16(0) == 0x5A4D and any of them
}

rule M_Hunting_MSI_Installer_3CX_1
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "This rule looks for hardcoded values within the MSI installer observed in strings and signing certificate"
        md5 = "0eeb1c0133eb4d571178b2d9d14ce3e9, f3d4144860ca10ba60f7ef4d176cc736"
    strings:
        $ss1 = { 20 00 5F 64 33 64 63 6F 6D 70 69 6C 65 72 5F 34 37 2E 64 6C 6C 5F }
        $ss2 = { 20 00 5F 33 43 58 44 65 73 6B 74 6F 70 41 70 70 2E }
        $ss3 = { 20 00 5F 66 66 6D 70 65 67 2E 64 6C 6C 5F }
        $ss4 = "3CX Ltd1" ascii
        $sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }
        $sc2 = "202303" ascii
    condition:
        (uint32(0) == 0xE011CFD0) and filesize > 90MB and filesize < 105MB and all of them
}

rule M_Hunting_TAXHAUL_Hash_1
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "Rule looks for hardcoded value used in string hashing algorithm observed in instances of TAXHAUL."
        md5 = "e424f4e52d21c3da1b08394b42bc0829"
    strings:
        $c_x64 = { 25 A3 87 DE [4-20] 25 A3 87 DE [4-20] 25 A3 87 DE }
    condition:
        filesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and any of them
}

rule M_Hunting_SigFlip_SigLoader_Native
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "Rule looks for strings present in SigLoader (Native)"
        md5 = "a3ccc48db9eabfed7245ad6e3a5b203f"
    strings:
        $s1 = "[*]: Basic Loader..." ascii wide
        $s2 = "[!]: Missing PE path or Encryption Key..." ascii wide
        $s3 = "[!]: Usage: %s <PE_PATH> <Encryption_Key>" ascii wide
        $s4 = "[*]: Loading/Parsing PE File '%s'" ascii wide
        $s5 = "[!]: Could not read file %s" ascii wide
        $s6 = "[!]: '%s' is not a valid PE file" ascii wide
        $s7 = "[+]: Certificate Table RVA %x" ascii wide
        $s8 = "[+]: Certificate Table Size %d" ascii wide
        $s9 = "[*]: Tag Found 0x%x%x%x%x" ascii wide
        $s10 = "[!]: Could not locate data/shellcode" ascii wide
        $s11 = "[+]: Encrypted/Decrypted Data Size %d" ascii wide
    condition:
        filesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and 4 of ($s*)
}

rule M_Hunting_Raw64_DAVESHELL_Bootstrap
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "Rule looks for bootstrap shellcode (64 bit) present in DAVESHELL"
        md5 = "8a34adda5b981498234be921f86dfb27"
    strings:
        $b6ba50888f08e4f39b43ef67da27521dcfc61f1e = { E8 00 00 00 00 59 49 89 C8 48 81
            C1 ?? ?? ?? ?? BA ?? ?? ?? ?? 49 81 C0 ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 56 48 89 E6
            48 83 E4 F0 48 83 EC 30 C7 44 24 20 ?? ?? ?? ?? E8 ?? 00 00 00 48 89 F4 5E C3 }
        $e32abbe82e1f957fb058c3770375da3bf71a8cab = { E8 00 00 00 00 59 49 89 C8 BA ??
            ?? ?? ?? 49 81 C0 ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 56 48 89 E6 48 83 E4 F0 48 83 EC
            30 48 89 4C 24 28 48 81 C1 ?? ?? ?? ?? C7 44 24 20 ?? ?? ?? ?? E8 ?? 00 00 00 48
            89 F4 5E C3 }
    condition:
        filesize < 15MB and any of them
}


rule M_Hunting_VEILEDSIGNAL_1

{

meta:

author = "Mandiant"

disclaimer = "This rule is meant for hunting and is not tested to run in a
production environment"

md5 = "404b09def6054a281b41d309d809a428, c6441c961dcad0fe127514a918eaabd4"

strings:

$rh1 = { 68 5D 7A D2 2C 3C 14 81 2C 3C 14 81 2C 3C 14 81 77 54 10 80 26 3C 14 81
77 54 17 80 29 3C 14 81 77 54 11 80 AB 3C 14 81 D4 4C 11 80 33 3C 14 81 D4 4C 10
80 22 3C 14 81 D4 4C 17 80 25 3C 14 81 77 54 15 80 27 3C 14 81 2C 3C 15 81 4B 3C
14 81 94 4D 1D 80 28 3C 14 81 94 4D 14 80 2D 3C 14 81 94 4D 16 80 2D 3C 14 81 }

$rh2 = { 00 E5 A0 2B 44 84 CE 78 44 84 CE 78 44 84 CE 78 1F EC CA 79 49 84 CE 78
1F EC CD 79 41 84 CE 78 1F EC CB 79 C8 84 CE 78 BC F4 CA 79 4A 84 CE 78 BC F4 CD
79 4D 84 CE 78 BC F4 CB 79 65 84 CE 78 1F EC CF 79 43 84 CE 78 44 84 CF 78 22 84
CE 78 FC F5 C7 79 42 84 CE 78 FC F5 CE 79 45 84 CE 78 FC F5 CC 79 45 84 CE 78}

$rh3 = { DA D2 21 22 9E B3 4F 71 9E B3 4F 71 9E B3 4F 71 C5 DB 4C 70 94 B3 4F 71
C5 DB 4A 70 15 B3 4F 71 C5 DB 4B 70 8C B3 4F 71 66 C3 4B 70 8C B3 4F 71 66 C3 4C
70 8F B3 4F 71 C5 DB 49 70 9F B3 4F 71 66 C3 4A 70 B0 B3 4F 71 C5 DB 4E 70 97 B3
4F 71 9E B3 4E 71 F9 B3 4F 71 26 C2 46 70 9F B3 4F 71 26 C2 B0 71 9F B3 4F 71 9E
B3 D8 71 9F B3 4F 71 26 C2 4D 70 9F B3 4F 71 }

$rh4 = { CB 8A 35 66 8F EB 5B 35 8F EB 5B 35 8F EB 5B 35 D4 83 5F 34 85 EB 5B 35
D4 83 58 34 8A EB 5B 35 D4 83 5E 34 09 EB 5B 35 77 9B 5E 34 92 EB 5B 35 77 9B 5F
34 81 EB 5B 35 77 9B 58 34 86 EB 5B 35 D4 83 5A 34 8C EB 5B 35 8F EB 5A 35 D3 EB
5B 35 37 9A 52 34 8C EB 5B 35 37 9A 58 34 8E EB 5B 35 37 9A 5B 34 8E EB 5B 35 37
9A 59 34 8E EB 5B 35 }

condition:

uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 1 of ($rh*)

}

rule M_Hunting_VEILEDSIGNAL_2

{

meta:

author = "Mandiant"

disclaimer = "This rule is meant for hunting and is not tested to run in a
production environment"

md5 = "404b09def6054a281b41d309d809a428"

strings:

$sb1 = { C1 E0 05 4D 8? [2] 33 D0 45 69 C0 7D 50 BF 12 8B C2 41 FF C2 C1 E8 07
33 D0 8B C2 C1 E0 16 41 81 C0 87 D6 12 00 }

$si1 = "CryptBinaryToStringA" fullword

$si2 = "BCryptGenerateSymmetricKey" fullword

$si3 = "CreateThread" fullword

$ss1 = "ChainingModeGCM" wide

$ss2 = "__tutma" fullword

condition:

(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and
(uint16(uint32(0x3C)+0x18) == 0x020B) and all of them

}

rule M_Hunting_VEILEDSIGNAL_3

{

meta:

author = "Mandiant"

disclaimer = "This rule is meant for hunting and is not tested to run in a
production environment"

md5 = "c6441c961dcad0fe127514a918eaabd4"

strings:

$ss1 = { 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6A 73 6F 6E 2C 20 74 65 78 74 2F 6A
61 76 61 73 63 72 69 70 74 2C 20 2A 2F 2A 3B 20 71 3D 30 2E 30 31 00 00 61 63 63
65 70 74 00 00 65 6E 2D 55 53 2C 65 6E 3B 71 3D 30 2E 39 00 00 61 63 63 65 70 74
2D 6C 61 6E 67 75 61 67 65 00 63 6F 6F 6B 69 65 00 00 }

$si1 = "HttpSendRequestW" fullword

$si2 = "CreateNamedPipeW" fullword

$si3 = "CreateThread" fullword

$se1 = "DllGetClassObject" fullword

condition:

(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and
(uint16(uint32(0x3C)+0x18) == 0x020B) and all of them

}

rule M_Hunting_VEILEDSIGNAL_4

{

meta:

author = "Mandiant"

disclaimer = "This rule is meant for hunting and is not tested to run in a
production environment"

md5 = "404b09def6054a281b41d309d809a428, c6441c961dcad0fe127514a918eaabd4"

strings:

$sb1 = { FF 15 FC 76 01 00 8B F0 85 C0 74 ?? 8D 50 01 [6-16] FF 15 [4] 48 8B D8
48 85 C0 74 ?? 89 ?? 24 28 44 8B CD 4C 8B C? 48 89 44 24 20 }

$sb2 = { 33 D2 33 C9 FF 15 [4] 4C 8B CB 4C 89 74 24 28 4C 8D 05 [2] FF FF 44 89
74 24 20 33 D2 33 C9 FF 15 }

$si1 = "CreateThread" fullword

$si2 = "MultiByteToWideChar" fullword

$si3 = "LocalAlloc" fullword

$se1 = "DllGetClassObject" fullword

condition:

(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and
(uint16(uint32(0x3C)+0x18) == 0x020B) and all of them

}

rule M_Hunting_VEILEDSIGNAL_5
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        md5 = "6727284586ecf528240be21bb6e97f88"

    strings:
        $sb1 = { 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24
                 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D [3]
                 48 8B CB FF 15 [4] EB }
        $ss1 = "chrome.exe" wide fullword
        $ss2 = "firefox.exe" wide fullword
        $ss3 = "msedge.exe" wide fullword
        $ss4 = "\\\\.\\pipe\\*" ascii fullword
        $ss5 = "FindFirstFileA" ascii fullword
        $ss6 = "Process32FirstW" ascii fullword
        $ss7 = "RtlAdjustPrivilege" ascii fullword
        $ss8 = "GetCurrentProcess" ascii fullword
        $ss9 = "NtWaitForSingleObject" ascii fullword

    condition:
        // MZ stub, PE signature, 64-bit (PE32+) optional header, then every string
        (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and
        (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them
}

rule M_Hunting_VEILEDSIGNAL_6
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        md5 = "00a43d64f9b5187a1e1f922b99b09b77"

    strings:
        $ss1 = "C:\\Programdata\\" wide
        $ss2 = "devobj.dll" wide fullword
        $ss3 = "msvcr100.dll" wide fullword
        $ss4 = "TpmVscMgrSvr.exe" wide fullword
        $ss5 = "\\Microsoft\\Windows\\TPM" wide fullword
        $ss6 = "CreateFileW" ascii fullword

    condition:
        // MZ stub, PE signature, 32-bit (PE32, magic 0x010B) optional header, then every string
        (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and
        (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them
}

rule M_Hunting_POOLRAT
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "Detects strings found in POOLRAT."
        md5 = "451c23709ecd5a8461ad060f6346930c"

    strings:
        // name="uid"%s%s%u%s  (ASCII and UTF-16LE)
        $hex1 = { 6e 61 6d 65 3d 22 75 69 64 22 25 73 25 73 25 75 25 73 }
        $hex_uni1 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 75 00 69 00 64 00 22 00 25 00
                      73 00 25 00 73 00 25 00 75 00 25 00 73 }
        // name="session"%s%s%u%s
        $hex2 = { 6e 61 6d 65 3d 22 73 65 73 73 69 6f 6e 22 25 73 25 73 25 75 25 73 }
        $hex_uni2 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 73 00 65 00 73 00 73 00 69 00
                      6f 00 6e 00 22 00 25 00 73 00 25 00 73 00 25 00 75 00 25 00 73 }
        // name="action"%s%s%s%s
        $hex3 = { 6e 61 6d 65 3d 22 61 63 74 69 6f 6e 22 25 73 25 73 25 73 25 73 }
        $hex_uni3 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 61 00 63 00 74 00 69 00 6f 00
                      6e 00 22 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 }
        // name="token"%s%s%u%s
        $hex4 = { 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 25 73 25 73 25 75 25 73 }
        $hex_uni4 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 74 00 6f 00 6b 00 65 00 6e 00
                      22 00 25 00 73 00 25 00 73 00 25 00 75 00 25 00 73 }
        // multipart/form-data boundary
        $str1 = "--N9dLfqxHNUUw8qaUPqggVTpX-" wide ascii nocase

    condition:
        any of ($hex*) or any of ($hex_uni*) or $str1
}

rule M_Hunting_FASTREVERSEPROXY
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        md5 = "19dbffec4e359a198daf4ffca1ab9165"

    strings:
        $ss1 = "Go build ID:" fullword
        $ss2 = "Go buildinf:" fullword
        $ss3 = "net/http/httputil.(*ReverseProxy)." ascii
        $ss4 = "github.com/fatedier/frp/client" ascii
        $ss5 = "\"server_port\"" ascii
        $ss6 = "github.com/armon/go-socks5.proxy" ascii

    condition:
        // MZ stub and PE signature only; frp is built for both 32- and 64-bit targets
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them
}
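Every VEILEDSIGNAL rule above gates on the same three PE header reads before it looks at strings: uint16(0) must be the "MZ" DOS signature, uint32 at the e_lfanew offset (0x3C) must point at "PE\0\0", and the optional-header Magic two bytes past offset 0x18 of the PE header must be 0x020B (PE32+, 64-bit) or, for VEILEDSIGNAL_6, 0x010B (PE32, 32-bit). The following is an added example, not Mandiant's code and not a substitute for compiling the rules with yara-python: a pure-Python evaluator that performs those header reads explicitly, approximates YARA's "wide" and "fullword" modifiers, and runs VEILEDSIGNAL_6's string section against a constructed buffer. The build_sample_pe helper and SAMPLE_PAYLOAD are synthetic test data, not a real binary.

```python
import re
import struct

# Optional-header Magic values the rules compare against at uint16(uint32(0x3C)+0x18)
PE32_MAGIC = 0x010B      # 32-bit, used by M_Hunting_VEILEDSIGNAL_6
PE32PLUS_MAGIC = 0x020B  # 64-bit, used by the other VEILEDSIGNAL rules


def pe_optional_magic(data: bytes):
    """Return the optional-header Magic the YARA condition reads, or None when the
    buffer is not a PE. YARA's uintN() reads simply fail past the end of the file;
    the bounds checks are written out here."""
    if len(data) < 0x40 or data[:2] != b"MZ":                  # uint16(0) == 0x5A4D
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 0x1A > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None                                            # uint32(uint32(0x3C)) == 0x4550
    return struct.unpack_from("<H", data, e_lfanew + 0x18)[0]  # uint16(uint32(0x3C)+0x18)


def yara_string(text: str, wide: bool = False, fullword: bool = False):
    """Compile a YARA text string: 'wide' encodes it as UTF-16LE; 'fullword' requires
    that it not be adjacent to an alphanumeric character (approximated with lookarounds)."""
    raw = text.encode("utf-16-le") if wide else text.encode("ascii")
    pat = re.escape(raw)
    if fullword:
        alnum = rb"[A-Za-z0-9]\x00" if wide else rb"[A-Za-z0-9]"
        pat = rb"(?<!" + alnum + rb")" + pat + rb"(?!" + alnum + rb")"
    return re.compile(pat)


# String section of M_Hunting_VEILEDSIGNAL_6, transcribed from the rule.
VEILEDSIGNAL_6 = [
    yara_string("C:\\Programdata\\", wide=True),
    yara_string("devobj.dll", wide=True, fullword=True),
    yara_string("msvcr100.dll", wide=True, fullword=True),
    yara_string("TpmVscMgrSvr.exe", wide=True, fullword=True),
    yara_string("\\Microsoft\\Windows\\TPM", wide=True, fullword=True),
    yara_string("CreateFileW", fullword=True),
]


def matches_hunting_rule(data: bytes, magic: int, patterns) -> bool:
    """'(header gate) and all of them', as the rules' condition is written."""
    return pe_optional_magic(data) == magic and all(p.search(data) for p in patterns)


def build_sample_pe(magic: int, payload: bytes) -> bytes:
    """Constructed test buffer, not a real binary: MZ stub, e_lfanew = 0x80, PE
    signature, 20-byte COFF file header, optional-header Magic, then payload."""
    buf = bytearray(b"MZ" + b"\x00" * 0x3A)      # DOS header up to e_lfanew
    buf += struct.pack("<I", 0x80)               # e_lfanew at offset 0x3C
    buf += b"\x00" * (0x80 - len(buf))
    buf += b"PE\x00\x00" + b"\x00" * 20          # PE signature + COFF file header
    buf += struct.pack("<H", magic)              # Magic lands at e_lfanew + 0x18
    return bytes(buf) + b"\x00" * 16 + payload


def _w(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed payload carrying every string the rule wants (synthetic, not a sample).
SAMPLE_PAYLOAD = (
    b"\x00\x00".join([_w("C:\\Programdata\\x.log"), _w("devobj.dll"), _w("msvcr100.dll"),
                      _w("TpmVscMgrSvr.exe"), _w("\\Microsoft\\Windows\\TPM")])
    + b"\x00\x00kernel32.dll\x00CreateFileW\x00"
)

if __name__ == "__main__":
    pe32 = build_sample_pe(PE32_MAGIC, SAMPLE_PAYLOAD)
    pe64 = build_sample_pe(PE32PLUS_MAGIC, SAMPLE_PAYLOAD)
    print("PE32 with all strings  :", matches_hunting_rule(pe32, PE32_MAGIC, VEILEDSIGNAL_6))
    print("PE32+ with all strings :", matches_hunting_rule(pe64, PE32_MAGIC, VEILEDSIGNAL_6))
    print("bare payload, no header:", matches_hunting_rule(SAMPLE_PAYLOAD, PE32_MAGIC, VEILEDSIGNAL_6))
```

The second and third cases are the ones worth noticing when you adapt these rules: a 64-bit build carrying identical strings fails VEILEDSIGNAL_6 only because of the Magic check, and a memory dump or carved blob without its MZ/PE headers fails all of them regardless of content, so for such artifacts drop the header gate rather than the strings.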


SNORT RULES

All four rules are published with the same placeholder sid (99999999). Snort and Suricata require a unique sid per rule and will reject or skip duplicates, so assign each rule its own local SID (1000000 and above are reserved for local rules) before loading them together.

alert tcp any any -> any any (msg:"Possible malicious 3CXDesktopApp Identified"; content:"raw.githubusercontent.com/IconStorages/images/main/"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)

alert tcp any any -> any any (msg:"Possible malicious 3CXDesktopApp Identified"; content:"3cx_auth_id=%s\;3cx_auth_token_content=%s\;__tutma=true"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)

alert tcp any any -> any any (msg:"Possible malicious 3CXDesktopApp Identified"; content:"__tutma"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)

alert tcp any any -> any any (msg:"Possible malicious 3CXDesktopApp Identified"; content:"__tutmc"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)


MANDIANT SECURITY VALIDATION

Organizations can validate their security controls using the following actions
with Mandiant Security Validation.

VID        Name
A106-319   Command and Control - UNC4736, DNS Query, Variant #1
A106-321   Command and Control - UNC4736, DNS Query, Variant #2
A106-323   Command and Control - UNC4736, DNS Query, Variant #3
A106-324   Host CLI - UNC4736, 3CX Run Key, Registry Modification
A106-322   Malicious File Transfer - UNC4736, SUDDENICON, Download, Variant #1
S100-272   Evaluation: UNC4736 Conducting Supply Chain Attack Targeting 3CX Phone Management System

© Copyright 2023 Mandiant. All rights reserved.