3CXDesktopApp Backdoored in a Suspected Lazarus Campaign
2023-4-4 08:16:1 Author: blog.qualys.com(查看原文) 阅读量:38 收藏

Introduction

The attack involved a compromised version of the 3CX VoIP desktop client, which was used to target 3CX’s customers. The compromised 3CX application is a private automatic branch exchange (PABX) software and is available for Windows, macOS, Linux, Android, IOS and Chrome. Currently, there are reports of attacks for both Windows and macOS. 

The Qualys Threat Research Unit (TRU) is tracking a supply chain compromise in a popular VOIP desktop client by 3CX that is attributed to DPRK nation-state adversaries. The attack was reported in late March 2023 and is an ongoing investigation.  

Executive Summary

  • The North Korean state-sponsored group Labyrinth Chollima have been identified as the perpetrators behind the supply chain compromise of 3CXDesktopApp beta 18.12.407 and final 18.12.416 applications. The affected applications are signed and have valid signatures.  
  • The adversary infrastructure on GitHub used for staging the attack has now been taken down. This means that newer infections will not occur. However, the attack’s potential impact was significant, as the software is widely used by businesses around the world. 
  • To mitigate the risk, affected users are recommended to immediately uninstall the application and perform a full system scan to detect and remove any associated malware.  
  • This threat is being tracked as by MITRE as CVE-2023-29059 
Fig.1 Campaign flow 

Technical Summary 

Once the affected version of 3CX is installed or updated, it drops a compromised ffmpeg.dll as well as d3dcompiler_47.dll, which contains embedded shellcode. When 3CXDesktopApp starts, it sideloads the compromised ffmpeg.dll, which in turn decodes the embedded shellcode from d3dcompiler_47.dll and loads it. The shellcode accesses a GitHub repository and brings down icon files which contain encrypted C2 strings that the shellcode then decrypts and communicates to. The adversary has also deployed a previously unseen info stealer in the later stages of the attack and we have provided an analysis for it in later sections. This info stealer gathers system information and browser data from Chrome, Edge, Brave, and Firefox. This info stealer was likely meant to identify interesting targets for the operators. 

Existing customers of Qualys can follow the steps in the Detection and Protection sections to identify potential impacts. We also recommended that customers implement robust security measures, such as regular vulnerability assessments, patch management regular auditing of vendors. 

Overall, this supply chain attack highlights the importance of ensuring the security and integrity of the supply chain, as well as the need for businesses to remain vigilant and proactive in their security measures. 

Operating SystemHashFilename 
Windows aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 3cxdesktopapp-18.12.407.msi 
Windows 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983 3cxdesktopapp-18.12.416.msi 
macOS 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290 3CXDesktopApp-18.11.1213.dmg 
macOS e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec 3cxdesktopapp-latest.dmg 
Table.1 Details of the affected Applications 

Technical Analysis of Infection Stages 

First Stage Analysis 

The original MSI file which initiated the infection drops three files “3CXDesktopApp.exe”, “ffmpeg.dll”, and “d3dcompiler_47.dll”. 3CXDesktopApp.exe is the legitimate VOIP desktop application and is abused for side loading “ffmpeg.dll”.  

File Type MD5 SHA256 
DLL PE 64bits ffmpeg.dll 27B134AF30F4A86F177DB2F2555FE01D C485674EE63EC8D4E8FDE9800788175A8B02D3F9416D0E763360FFF7F8EB4E02 
DLL PE 64bits D3dcompiler_47.dll 82187AD3F0C6C225E2FBA0C867280CC9 11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03 
Table.2 Initial dropped samples 

Once “ffmpeg.dll” is loaded, it tries to enumerate the current directory for the second DLL “d3dcompiler_47.dll”. Once found, the “ffmpeg.dll” loads the second DLL into memory. 

Fig.2 ffmpeg enumerating current directory 

The “d3dcompiler_47.dll” DLL has an encrypted payload embedded in it. ffmpeg.dll tries to identify this payload using the signature “0xCEFAEDFE”. 

Fig.3 Embedded encrypted payload 

After the identification of the encrypted payload. “ffmpeg.dll” will try to decrypt it using the RC4 encryption scheme with the key “3jB(2bsG#@c7”. 

Fig.4 RC4 decryption

The decrypted payload is shown below. Also, a call to VirtualProtect() is made to give the PAGE_EXECUTE_READWRITE permissions for the payload to be executed. 

Fig.5 Decrypted payload 

The decrypted payload that is going to be executed contains another embedded DLL as shown below. The DLL is dumped from memory to perform more investigations on it. 

Fig.6 Dll loading by encrypted payload 

Second Stage Analysis 

The embedded DLL will mainly try to fetch malicious “ico” files from the GitHub Repository “https://raw[.]githubusercontent[.]com/IconStorages/images/main/icon%d[.]ico”. The repository contains multiple icon files that have Base64 and AES encrypted C2’s appended to them. The full list of decoded C2’s is listed in the IOC section. This repository has already been taken down.  Qualys TRU detected an info stealer involved in the infection chain and considers it as a later-stage payload. 

Fig. 7 GitHub repository  

Info Stealer Analysis 

File Type MD5 SHA256 SignatureCompilation Time
DLL PE 64bits 7FAEA2B01796B80D180399040BB69835 8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423 N/A Fri Mar 17 00:32:58 2023 
Table.4 Info stealer details 

The info stealer was deployed in the later stages of the infection chain and is a previously unseen sample. Its capabilities are mainly gathering system and browser information, including Chrome, Edge, Firefox, and Brave Browsers. 

Fig.8 Browser DB location 

The info stealer uses queries to fetch browsers history and data for Edge, SQLite database history for chrome and “Places” Table for Firefox. 

Fig.9 SQL queries for collection 

The info stealer also collects information on infected hosts, such as domain name, Hostname and OS Version, using NetWkstaGetInfo() API. Following locations are accessed by the information stealer: 

  • Google Chrome – AppData\Local\Google\Chrome\User Data 
  • Microsoft Edge – AppData\Local\Microsoft\Edge\User Data 
  • Brave Browser – AppData\Local\BraveSoftware\Brave-Browser\User Data 
  • Mozilla Firefox – AppData\Roaming\Mozilla\Firefox\Profiles 
Fig.10 System data collection -1
Fig.10 System data collection -2

Qualys Detection & Protection 

The first step in assessing the risk of this attack to an organization is understanding if this software is in use. Users of the Qualys Cyber Security Asset Management can quickly identify all installed software across their organization. For example, within seconds, you can use the below query to identify assets with instances of the 3CX Desktop Application. 

software:(name:”3CX Desktop App 18.12″) 

Fig.12 CSAM Software Search 

Qualys VMDR also has QID 378327 ready to detect assets which have the vulnerable version of the 3CXDesktopApp.exe file present on their machines. Qualys Vulnerability Management Detection and Response (VMDR) users can scan their environment with this QID to quickly detect impacted systems. Example output: 

Fig.13 VMDR QID 378327 details 

Alternatively, another option is to gather data from endpoints to hunt for the existence of the impacted software. Two such open-source scripts are available on GitHub. The 3cxIngectionHunter script will simply crawl the filesystem looking for instances of the infected ffmpeg.dll file and report back if there is a match to the malicious hash. The 3CXLocalDNSCacheHunter script will collect the local DNS cache and look for a match against some of the known URLs associated with this campaign. Using Qualys Custom Asset and Remediation, you can utilize the following PowerShell community scripts to identify potential infected assets by either copying the contents of the script manually or pointing the tool to the GitHub script directly to download.  

Fig.14 CAR Scripts 

Users of Custom Assessment and Remediation and Qualys Patch Management can also push scripts to uninstall the impacted software automatically. These scripts will be published to GitHub in the coming days.  An example output from a system that does not have a vulnerable version of ffmpeg.dll installed: 

Fig.15 CAR script output 

CAR can also be leveraged to remediate this vulnerability. You need to execute this uninstallation script provided by Qualys. This script checks for 3CX Desktop App’s vulnerable version 18.12.407.0 & 18.12.416.0 for Windows. If any of these versions are installed on the system, the script will attempt to uninstall the vulnerable application. 

Fig.16 CAR script for remediation 

You can also create dashboards for better visualization. 

Fig.17 CAR dashboard for 3CX 

Qualys Multi-Vector EDR customers are protected against this threat as both the installer and the beacon are detected and will be remediated. (Note: our instance was set to audit-only mode for analysis.) 

Fig.18 EPP Scan Results 
Fig.19 Epp Detection for shellcode loader 

Multi-Vector EDR customers can also hunt through telemetry, looking for behavior indicators to identify this threat activity. A first step would look for instances where the 3cxdesktopapp.exe process executed in the environment using a QQL Query of process.name:”3xcdesktopapp.exe”. Here you would want to look for evidence of the ffmpeg.dll file being loaded, which would be indicative that this machine may be impacted by this campaign.  

Fig.20 EDR Behavioral Detection Telemetry 
Fig.21 EDR Shellcode Loader Detection 
Fig.22 Loaded malicious ffmpeg.dll telemetry

While Qualys Endpoint Protection (EPP) users will be automatically protected by default, Qualys EDR-only customers can use the recently released auto-remediation feature to automatically take action.  

Conclusion 

Supply chain compromises are a growing concern for businesses, as they can lead to serious security breaches and financial losses. The attack was a multi-stage chain where attackers compromised a version of the 3CX VoIP desktop client, which was then used to target the company’s customers. This is reminiscent of the SolarWinds campaign that we examined back in December 2022. 

Organizations should take immediate steps to stop using the vulnerable version of the software, apply patches and monitor for anomalous behavior in 3CX processes. It is also essential to enable behavioral monitoring to detect the presence of such attacks within the system. 

MITRE TID Mapping

TacticTechnique IDTechnique Name   
Resource Development T1608.001 Stage Capabilities: Upload Malware 
Resource Development T1587.003 Develop Capabilities: Digital Certificates 
Initial Access  T1195.002 Supply Chain Compromise: Compromise Software Supply Chain 
Execution T1106 Native API 
Execution T1204.002 User Execution: Malicious File 
Defense Evasion T1140 Deobfuscate/Decode Files or Information 
Defense Evasion T1027 Obfuscated Files or Information 
Defense Evasion T1574.002  Hijack Execution Flow: DLL Side-Loading  
Defense Evasion T1553.002 Subvert Trust Controls: Code Signing 
Defense Evasion T1497.003 Virtualization/Sandbox Evasion: Time-Based Evasion 
Credential Access   T1555 Credentials from Password Stores   
Credential Access   T1539   Steal Web Session Cookie   
Command and Control T1132.001 Data Encoding: Standard Encoding 
Command and Control T1102.001 Web Service: Dead Drop Resolver 
Command and Control T1071 Application Layer Protocol 
Collection T1005 Data from Local System 
 Table.5 MITRE mapping

IOCS 

ffmpeg.dll 

C485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02 

7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896 

c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02 

d3dcompiler.dll 

11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03 

11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03 

Embedded dll 

F86A81B89C5FD4C98BC8616440FF0382505EC7942DA6D4F19EEE011E956434A8 

Trojanized 3cxDesktopApp 

Dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc 

Fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405 

92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61 

B86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb 

Infostealer dll 

Cad1120d91b812acafef7175f949dd1b09c6c21a 

7faea2b01796b80d180399040bb69835 

GitHub Repository 

raw[.]githubusercontent[.]com/IconStorages/images/main/ 

C2s 

akamaicontainer[.]com 

akamaitechcloudservices[.]com 

azuredeploystore[.]com 

azureonlinecloud[.]com 

azureonlinestorage[.]com 

dunamistrd[.]com 

glcloudservice[.]com 

journalide[.]org 

msedgepackageinfo[.]com 

msstorageazure[.]com 

msstorageboxes[.]com 

officeaddons[.]com 

officestoragebox[.]com 

pbxcloudeservices[.]com 

pbxphonenetwork[.]com 

pbxsources[.]com 

qwepoi123098[.]com 

sbmsa[.]wiki 

sourceslabs[.]com 

visualstudiofactory[.]com 

zacharryblogs[.]com 

Icon File Hashes 

a541e5fc421c358e0a2b07bf4771e897fb5a617998aa4876e0e1baa5fbb8e25c 

d459aa0a63140ccc647e9026bfd1fccd4c310c262a88896c57bbe3b6456bd090 

d51a790d187439ce030cf763237e992e9196e9aa41797a94956681b6279d1b9a 

4e08e4ffc699e0a1de4a5225a0b4920933fbb9cf123cde33e1674fde6d61444f 

8c0b7d90f14c55d4f1d0f17e0242efd78fd4ed0c344ac6469611ec72defa6b2d 

f47c883f59a4802514c57680de3f41f690871e26f250c6e890651ba71027e4d3 

2c9957ea04d033d68b769f333a48e228c32bcf26bd98e51310efd48e80c1789f 

268d4e399dbbb42ee1cd64d0da72c57214ac987efbb509c46cc57ea6b214beca 

c62dce8a77d777774e059cf1720d77c47b97d97c3b0cf43ade5d96bf724639bd 

c13d49ed325dec9551906bafb6de9ec947e5ff936e7e40877feb2ba4bb176396 

f1bf4078141d7ccb4f82e3f4f1c3571ee6dd79b5335eb0e0464f877e6e6e3182 

2487b4e3c950d56fb15316245b3c51fbd70717838f6f82f32db2efcc4d9da6de 

e059c8c8b01d6f3af32257fc2b6fe188d5f4359c308b3684b1e0db2071c3425c 

d0f1984b4fe896d0024533510ce22d71e05b20bad74d53fae158dc752a65782e 

Contributors

  • Travis Smith, Vice President, Threat Research Unit, Qualys
  • Irfan Asrar, Director, Malware and Threat Research, Qualys
  • Mayuresh Dani, Manager, Threat Research. Qualys
  • Sabri Naoufal, Senior Malware Analyst, Qualys
  • Mohammad Shabbir, Malware Analyst, Qualys
  • Akshat Pradhan, Senior Engineer, Threat Research, Qualys

文章来源: https://blog.qualys.com/vulnerabilities-threat-research/2023/04/03/3cxdesktopapp-backdoored-in-a-suspected-lazarus-campaign
如有侵权请联系:admin#unsafe.sh