3CX DesktopApp Supply Chain Attack Also Detected in Korea

On March 29, 2023, CrowdStrike reported that a North Korea-based threat group had launched a supply chain attack through 3CX DesktopApp. [1] Through the trojanized app, the threat actor installed an Infostealer on the target system.

AhnLab Security Emergency response Center (ASEC) previously covered the 3CX DesktopApp supply chain attack, along with mitigation measures, in the blog post referenced below. [2] This post analyzes the malware used in the attacks and presents the infection logs from Korea collected via AhnLab Smart Defense (ASD).

Logs Recorded in Korea

Below are logs recorded in AhnLab’s ASD before the supply chain attack became public. An installation log of 3CX Electron Windows App version 18.12.407 was recorded on March 9, and an installation log of version 18.12.416 was recorded on March 15. The affected organization was identified as a university in Korea.

Figure 1. Installation logs recorded in AhnLab’s ASD

Malware Analysis

The threat actor targeted both Windows and macOS users by inserting malware into the 3CX DesktopApp installation file for each platform. When a user runs the installer, the malware stored in encoded form inside the file is decoded and executed in memory, where it installs additional malware.

Windows

The Windows installation file is an MSI installer, and the files “ffmpeg.dll” and “d3dcompiler_47.dll” inside it are the actual malware. “3CXDesktopApp.exe”, which runs after installation, loads “ffmpeg.dll” from the same directory. “ffmpeg.dll” is disguised as a legitimate library but is actually a loader that reads and decrypts the data in “d3dcompiler_47.dll” and executes it in memory. “d3dcompiler_47.dll” is itself a legitimate file, but encoded data has been appended to its end.

Figure 2. Flow chart

“ffmpeg.dll” looks for the signature “FE ED FA CE FE ED FA CE” in “d3dcompiler_47.dll”, which marks the encoded data. Decrypting that data yields shellcode, which executes a downloader in memory.
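To illustrate the loader behaviour above from the detection side, here is an added Python example (not code from the post or from AhnLab). It parses the PE section table of a file such as “d3dcompiler_47.dll”, computes where the legitimate section data ends, and reports whether the “FE ED FA CE FE ED FA CE” marker appears in the appended overlay. The minimal PE image it builds is constructed purely for the demonstration; the encoding of the payload after the marker is not described in the post and is not decoded here.

```python
import struct
from typing import Optional, Dict

# Marker the loader searches for in d3dcompiler_47.dll, as stated in the post
MARKER = bytes.fromhex("FEEDFACEFEEDFACE")


def pe_overlay_offset(data: bytes) -> Optional[int]:
    """Return the file offset just past the last section's raw data (the start of any
    appended 'overlay'), or None if the bytes do not look like a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                        # COFF header follows "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    sect_table = coff + 20 + opt_size
    end = sect_table + num_sections * 40                       # at least the end of the table
    for i in range(num_sections):
        hdr = sect_table + i * 40
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each 40-byte entry
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def find_overlay_marker(data: bytes) -> Optional[Dict[str, int]]:
    """Search for MARKER only in bytes past the declared section data. Returns the overlay
    start, the marker offset and the number of bytes following the marker, or None."""
    overlay = pe_overlay_offset(data)
    if overlay is None:
        return None
    idx = data.find(MARKER, overlay)
    if idx == -1:
        return None
    return {"overlay_offset": overlay,
            "marker_offset": idx,
            "appended_len": len(data) - idx - len(MARKER)}


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed sample: a minimal, non-runnable PE image with one 0x200-byte section,
    followed by `overlay`. It exists only to exercise the parser above."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader (0: the parser never reads the optional header), Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x2022)
    raw_ptr, raw_size = 0x200, 0x200
    section = (b".text\0\0\0"
               + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr)  # VSize, VAddr, RawSize, RawPtr
               + bytes(16))
    headers = dos + b"PE\0\0" + coff + section
    headers += bytes(raw_ptr - len(headers))
    return headers + b"\xCC" * raw_size + overlay


if __name__ == "__main__":
    suspicious = build_sample_pe(bytes(16) + MARKER + b"\x41" * 32)
    print("clean sample:", find_overlay_marker(build_sample_pe()))
    print("sample with marker:", find_overlay_marker(suspicious))
```

This is a narrow heuristic rather than a signature: it only reports the marker when it sits past the declared section data, so a file that carries the marker inside a section would not be flagged. Corroborate any hit against the SHA-256 values in the IOC section.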

Figure 3. Encoded data inserted into d3dcompiler_47.dll

The downloader fetches an ico file from a GitHub address. The URL format is shown below; one file from icon1.ico to icon15.ico is chosen at random.

  • Download URL: hxxps://raw.githubusercontent[.]com/IconStorages/images/main/icon[Number].ico

At the time of analysis, these files could no longer be downloaded, but the ico files known to have been used in the attacks are shown below.

Figure 4. ico files known to have been used in the attacks

The actual C&C server addresses are stored in encoded form at the end of these ico files, and decrypting them reveals the addresses. The downloader looks for the signature “$” at the end of the downloaded ico file, then locates and decrypts the encoded string.

Figure 5. Encoded data inserted at the end of the ico file

Figure 6. Decrypted C&C address

Excluding “icon0.ico”, which contains a benign URL, and taking into account that “icon10.ico” and “icon11.ico” are identical, the 16 ico files yield a total of 14 C&C server addresses. The downloader connects to the decrypted address to download and execute additional malware; it is known to have installed an Infostealer in this way. [3]
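The ico-file staging described above can be checked from the defender’s side by parsing the ICO directory and looking for data beyond the last image it references. The following Python example is added here and is not code from the post or from AhnLab. It treats any bytes past the directory’s declared images as an overlay and reports whether the “$” marker the post mentions is present. The ico file it builds is constructed for the demonstration, and the encoding of the string after the marker is not described in the post and is not decoded here.

```python
import struct
from typing import Optional, Dict, Any

ICO_HEADER = "<HHH"       # idReserved, idType (1 = icon), idCount
ICO_ENTRY = "<BBBBHHII"   # width, height, colorCount, reserved, planes, bitCount, bytesInRes, imageOffset


def ico_declared_end(data: bytes) -> Optional[int]:
    """Offset just past the last image referenced by the ICO directory,
    or None if the bytes are not a well-formed ICO."""
    if len(data) < 6:
        return None
    reserved, img_type, count = struct.unpack_from(ICO_HEADER, data, 0)
    if reserved != 0 or img_type != 1 or count == 0:
        return None
    dir_end = 6 + 16 * count
    if len(data) < dir_end:
        return None
    end = dir_end
    for i in range(count):
        # bytesInRes and imageOffset are the last two fields of each 16-byte entry
        size, offset = struct.unpack_from("<II", data, 6 + 16 * i + 8)
        if offset < dir_end or offset + size > len(data):
            return None          # entry points outside the file: malformed
        end = max(end, offset + size)
    return end


def inspect_ico(data: bytes) -> Dict[str, Any]:
    """Report trailing bytes past the declared images and whether a '$' marker is present."""
    result: Dict[str, Any] = {"valid_ico": False, "overlay_len": 0,
                              "marker_found": False, "after_marker": b""}
    end = ico_declared_end(data)
    if end is None:
        return result
    result["valid_ico"] = True
    overlay = data[end:]
    result["overlay_len"] = len(overlay)
    idx = overlay.find(b"$")
    if idx != -1:
        result["marker_found"] = True
        result["after_marker"] = overlay[idx + 1:]   # left encoded: the scheme is not on the page
    return result


def build_sample_ico(overlay: bytes = b"") -> bytes:
    """Constructed sample: one 1x1 32-bpp entry whose image data is a zeroed 48-byte
    placeholder (40-byte BITMAPINFOHEADER + pixel + mask), followed by `overlay`."""
    image = bytes(48)
    header = struct.pack(ICO_HEADER, 0, 1, 1)
    entry = struct.pack(ICO_ENTRY, 1, 1, 0, 0, 1, 32, len(image), 6 + 16)
    return header + entry + image + overlay


if __name__ == "__main__":
    print("clean:", inspect_ico(build_sample_ico()))
    print("with appended data:", inspect_ico(build_sample_ico(b"$" + b"ZmFrZS1kYXRh")))
```

A legitimate icon normally ends exactly where its last image ends, so a non-zero overlay on an icon fetched from an unexpected source is worth a closer look even when no marker is found.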

macOS

For macOS, the threat actor inserted the malware into a DMG installation file. Among the shared library files within the installer, libffmpeg.dylib contains XOR-encoded C&C addresses.
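The XOR encoding of the C&C strings in libffmpeg.dylib invites a simple hunt: try every single-byte key and look for a decoded URL prefix. The Python example below is added here and is not code from the post or from AhnLab. A single-byte key is an assumption made for the demonstration (the post does not state the key length or value), and the blob it scans is constructed with a placeholder URL rather than a real C&C address.

```python
from typing import List, Tuple


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def find_xor_encoded(blob: bytes, needle: bytes = b"https://",
                     max_len: int = 128) -> List[Tuple[int, int, str]]:
    """Try every single-byte XOR key and report (key, offset, decoded_string) wherever
    `needle` appears after decoding. Key 0 is skipped because it would only rediscover
    plaintext, which a plain `strings` run already finds."""
    hits: List[Tuple[int, int, str]] = []
    for key in range(1, 256):
        enc_needle = xor_bytes(needle, key)
        start = 0
        while True:
            idx = blob.find(enc_needle, start)
            if idx == -1:
                break
            # Decode forward until a NUL or a non-printable byte terminates the string
            out = bytearray()
            for b in blob[idx:idx + max_len]:
                c = b ^ key
                if c == 0 or c < 0x20 or c > 0x7E:
                    break
                out.append(c)
            hits.append((key, idx, out.decode("ascii")))
            start = idx + 1
    return hits


def build_sample_blob() -> bytes:
    """Constructed sample: 64 bytes of deterministic filler, a NUL-terminated placeholder
    URL XOR-encoded with key 0x7A, then the same filler again."""
    key = 0x7A
    filler = bytes((i * 37 + 11) & 0xFF for i in range(64))
    secret = xor_bytes(b"https://c2.example.invalid/api/session\0", key)
    return filler + secret + filler


if __name__ == "__main__":
    for key, offset, text in find_xor_encoded(build_sample_blob()):
        print(f"key=0x{key:02X} offset={offset} -> {text}")
```

On a real binary, run the scan over the whole file and also try other prefixes such as b"http://" or a bare domain suffix; a multi-byte key would need a different approach, so an empty result does not prove the absence of encoded strings.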

Figure 7. Malware libffmpeg.dylib in the installer

Most of the identified C&C addresses are the same as those found in the Windows version.

Figure 8. List of XOR-encoded C&C server addresses

The product versions used in the attacks, as well as mitigation measures, can be found in the following blog post.

Caution When Using 3CX DesktopApp (CVE-2023-29059)

Detection Name
– Dropper/MSI.Agent (2023.03.31.00)
– Trojan/Win.Loader.C5403102 (2023.03.31.00)
– Trojan/Win.Agent.C5403110 (2023.03.31.00)
– Trojan/Win.Loader.C5403103 (2023.03.31.00)
– Data/BIN.Encoded (2023.04.03.03)
– Infostealer/Win.Agent.C5403954 (2023.04.02.00)
– Data/BIN.Encoded (2023.03.31.01)
– Trojan/OSX.Agent (2023.03.31.01)
– Trojan/OSX.Loader (2023.04.03.03)

IOC
SHA-256
– 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983 – MSI
– aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 – MSI
– 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896 – ffmpeg.dll
– c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02 – ffmpeg.dll
– 11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03 – d3dcompiler.dll
– aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973 – Downloader
– 8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423 – InfoStealer
– 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290 – DMG
– e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec – DMG
– fee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7 – libffmpeg.dylib
– a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67 – libffmpeg.dylib
– 5009c7d1590c1f8c05827122172583ddf924c53b55a46826abf66da46725505a – libffmpeg.dylib
– 87c5d0c93b80acf61d24e7aaf0faae231ab507ca45483ad3d441b5d1acebc43c – libffmpeg.dylib

Downloader URL
– hxxps://raw.githubusercontent[.]com/IconStorages/images/main/icon[Number].ico

C&C Addresses – Windows
– hxxps://msstorageazure[.]com/window
– hxxps://officestoragebox[.]com/api/session
– hxxps://visualstudiofactory[.]com/workload
– hxxps://azuredeploystore[.]com/cloud/services
– hxxps://msstorageboxes[.]com/office
– hxxps://officeaddons[.]com/technologies
– hxxps://sourceslabs[.]com/downloads
– hxxps://zacharryblogs[.]com/feed
– hxxps://pbxcloudeservices[.]com/phonesystem
– hxxps://akamaitechcloudservices[.]com/v2/storage
– hxxps://azureonlinestorage[.]com/azure/storage
– hxxps://msedgepackageinfo[.]com/microsoft-edge
– hxxps://glcloudservice[.]com/v1/console
– hxxps://pbxsources[.]com/exchange

C&C Addresses – macOS
– msstorageazure[.]com/analysis
– officestoragebox[.]com/api/biosync
– visualstudiofactory[.]com/groupcore
– azuredeploystore[.]com/cloud/images
– msstorageboxes[.]com/xbox
– officeaddons[.]com/quality
– sourceslabs[.]com/status
– zacharryblogs[.]com/xmlquery
– pbxcloudeservices[.]com/network
– pbxphonenetwork[.]com/phone
– akamaitechcloudservices[.]com/v2/fileapi
– azureonlinestorage[.]com/google/storage
– msedgepackageinfo[.]com/ms-webview
– glcloudservice[.]com/v1/status
– pbxsources[.]com/queue


The post 3CX DesktopApp Supply Chain Attack Also Detected in Korea appeared first on ASEC BLOG.
