Huseyin Can YUCEEL | March 31, 2023
On March 29, 2023, CrowdStrike disclosed that 3CXDesktopApp, a popular softphone application from 3CX, had been compromised as part of a supply chain attack [1]. Adversaries were able to trojanize a legitimate, signed 3CXDesktopApp binary for their malicious activities. The attack, dubbed "SmoothOperator", was attributed to the North Korean APT group Labyrinth Chollima, a subset of the notorious Lazarus group.
Picus Labs has added new attack simulations for the 3CX Desktop App supply chain compromise and its related second-stage payloads to the Picus Threat Library. In this blog, we explain the malicious techniques used by Labyrinth Chollima and how to mitigate them.
Simulate Supply Chain Attacks with 14-Day Free Trial of Picus Platform
3CX is a software maker that specializes in enterprise communications, such as VoIP and PBX services. 3CX has more than 600,000 customers and 12 million users worldwide [2]. In the last week of March 2023, several security vendors and teams started to notice suspicious activity originating from 3CXDesktopApp. Further investigation showed that adversaries had compromised 3CX and trojanized the Windows and macOS versions of 3CXDesktopApp. Because the trojanized versions were signed with 3CX's digital certificate, neither users nor security controls flagged the binary as malware when it was downloaded or installed.
Supply chain attacks are emerging threats that target software developers and suppliers. The goal is to gain access to source code, build processes, or update mechanisms and infect legitimate apps in order to distribute malware [3].
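Why a valid code signature did not protect 3CX users: when the build pipeline itself is compromised, whatever bytes reach the signing step get a genuine vendor signature. The added example below (not 3CX's or Picus's code, written for this post) models that with a constructed Ed25519 vendor key and sample bytes, shows that signature verification passes for both the clean and the modified artifact, and shows the control that does distinguish them: comparing the artifact's SHA-256 with a digest produced independently of the pipeline (a reproducible build or a hash published over a separate channel).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Artifact is a release binary together with the vendor's signature over it.
type Artifact struct {
	Name string
	Body []byte
	Sig  []byte
}

// signRelease models the vendor build pipeline: whatever bytes reach this
// step are signed with the vendor's private key, clean or not.
func signRelease(name string, body []byte, priv ed25519.PrivateKey) Artifact {
	return Artifact{Name: name, Body: body, Sig: ed25519.Sign(priv, body)}
}

// SignatureValid is the check a download client or AV performs: does the
// vendor's public key verify the signature? It says nothing about intent.
func SignatureValid(a Artifact, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, a.Body, a.Sig)
}

// MatchesIndependentBuild is the second control: compare the artifact's
// SHA-256 with a digest obtained outside the (possibly compromised) pipeline.
func MatchesIndependentBuild(a Artifact, expectedHex string) bool {
	sum := sha256.Sum256(a.Body)
	return hex.EncodeToString(sum[:]) == expectedHex
}

// Inject models the compromise: extra code appended before signing.
func Inject(clean, payload []byte) []byte {
	return append(append([]byte(nil), clean...), payload...)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key
	clean := []byte("constructed stand-in for a clean 3CXDesktopApp build")
	trojan := Inject(clean, []byte("constructed stand-in for injected code"))
	ref := sha256.Sum256(clean) // digest from an independent build
	refHex := hex.EncodeToString(ref[:])
	for _, a := range []Artifact{signRelease("clean", clean, priv), signRelease("trojanized", trojan, priv)} {
		fmt.Printf("%s: signature=%v hashMatch=%v\n", a.Name, SignatureValid(a, pub), MatchesIndependentBuild(a, refHex))
	}
}
```

Both artifacts print signature=true; only the independent-hash comparison separates the trojanized build from the clean one.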
This attack was named SmoothOperator and attributed to Labyrinth Chollima, an APT group associated with the infamous North Korean threat group Lazarus. Earlier findings suggest that the SmoothOperator campaign has been in the making since February 2022. In March 2023, the APT group inserted malicious code into the 3CXDesktopApp binary, and unsuspecting users installed the tainted versions via direct downloads or updates. The affected 3CXDesktopApp versions are given below. Although these versions are signed with 3CX's digital certificates, users are advised not to use them.
After installation, the compromised versions of 3CXDesktopApp contact adversary-controlled C2 servers and install an information stealer named ICONICSTEALER. This malware is used to steal sensitive data from compromised systems.
The SmoothOperator supply chain attack starts with the installation of the compromised 3CXDesktopApp. The 3CXDesktopApp application is available for major operating systems such as Windows, macOS, and Linux. It can be downloaded from 3CX's website and offers an auto-update feature, so many users and organizations may have received the malware-laced versions of 3CXDesktopApp without being aware of it.
Figure 1: Execution Flow of SmoothOperator Supply Chain Attack [4]
We also strongly suggest simulating SmoothOperator attacks with the Picus Complete Security Validation Platform to test the effectiveness of your security controls against supply chain attacks. You can also test your defenses against other notable supply chain attacks, such as the SolarWinds attack (aka SUNBURST), within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for SmoothOperator 3CXDesktopApp Supply Chain Attacks:
| Threat ID | Threat Name | Attack Module |
| --- | --- | --- |
| 64221 | 3CX Supply Chain Campaign Malware Download Threat | Network Infiltration |
| 58270 | 3CX Supply Chain Campaign Malware Email Threat | Email Infiltration (Phishing) |
Moreover, as of today, the Picus Threat Library contains 300+ threats comprising 3000+ web application and vulnerability exploitation attacks, in addition to 1500+ endpoint, 8000+ malware, email, and data exfiltration threats.
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures for preventive security controls that address the 3CXDesktopApp supply chain attack and other supply chain attacks. Picus Labs has currently validated the following signatures for the 3CXDesktopApp supply chain attack:
| Security Control | Signature ID | Signature Name |
| --- | --- | --- |
| Forcepoint NGFW | | File_Malware-Blocked |
| Fortigate AV | 10131498 | Riskware/Sphone_XC3 |
| Fortigate AV | 10131470 | W64/Agent.CFM!tr |
| McAfee | 0x4840c900 | MALWARE: Malicious File Detected by GTI |
| Palo Alto NGFW | 577556802 | Virus/Win32.WGeneric.dyeuam |
| Palo Alto NGFW | 577527837 | Virus/Win32.WGeneric.dyerjc |
| Palo Alto NGFW | 577560180 | Virus/Win32.WGeneric.dyeujy |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.
References
[1] "// 2023-03-29 // SITUATIONAL AWARENESS // CrowdStrike Tracking Active Intrusion Campaign Targeting 3CX Customers //," reddit. [Online]. Available: https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/. [Accessed: Mar. 31, 2023]
[2] "Business Communication Solutions & Software," 3CX, Jan. 31, 2013. [Online]. Available: https://www.3cx.com/. [Accessed: Mar. 31, 2023]
[3] Dansimp, "Supply chain attacks." [Online]. Available: https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/supply-chain-malware. [Accessed: Mar. 31, 2023]
[4] "3CXDesktop App Supply Chain Attack," Check Point Software, Mar. 29, 2023. [Online]. Available: https://blog.checkpoint.com/2023/03/29/3cxdesktop-app-trojanizes-in-a-supply-chain-attack-check-point-customers-remain-protected/. [Accessed: Mar. 31, 2023]