36gate: supply chain attack

2023-03-31 Group-IB

https://www.group-ib.com/blog/3cx-supply-chain-attack/

Group-IB analyzed the 3CXDesktopApp supply-chain compromise in which signed Windows and macOS builds were trojanized and distributed to customers of the VoIP software vendor. The Windows infection chain loads a modified ffmpeg.dll, reads encrypted shellcode from d3dcompiler_47.dll, and uses the RC4 key 3jB(2bsG#@c7 before launching a downloader. The downloader retrieves encoded C2 URLs hidden in GitHub-hosted .ico files, with representative infrastructure including msstorageazure[.]com/window, officestoragebox[.]com/api/session, visualstudiofactory[.]com/workload, and akamaitechcloudservices[.]com/v2/storage. Group-IB notes CrowdStrike reporting that matching beacon structure and encryption key material aligned with LABYRINTH CHOLLIMA/Lazarus activity, while the source’s practical emphasis is detection and incident response for organizations that installed affected 3CX versions.
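A triage check for the kind of tampering the chain above depends on, a signed DLL carrying payload bytes outside its declared sections; this is an added illustration, not code from the Group-IB report. The parser walks the PE section table and the Authenticode (security) data directory and reports any trailing overlay; `build_sample_pe` constructs a minimal PE32 for the demonstration and is not a real 3CX binary, and treating an overlay as the payload location is an assumption made here, not something the summary states.

```python
import struct

def pe_overlay_info(data: bytes) -> dict:
    """Measure bytes trailing the last section and the Authenticode table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    n_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]          # 0x10B = PE32, 0x20B = PE32+
    dd_count_off, dd_base = (92, 96) if magic == 0x10B else (108, 112)
    n_dirs = struct.unpack_from("<I", data, opt + dd_count_off)[0]
    sig_off = sig_size = 0
    if n_dirs > 4:                                          # index 4 = IMAGE_DIRECTORY_ENTRY_SECURITY
        sig_off, sig_size = struct.unpack_from("<II", data, opt + dd_base + 4 * 8)
    sec_base = opt + opt_size
    end_of_sections = 0
    for i in range(n_sections):                             # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_base + i * 40 + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    end_of_image = max(end_of_sections, sig_off + sig_size)
    return {"end_of_sections": end_of_sections, "signature": (sig_off, sig_size),
            "overlay_size": max(0, len(data) - end_of_image)}

def has_unexpected_overlay(data: bytes) -> bool:
    """Triage verdict: any bytes past both the sections and the signature table."""
    return pe_overlay_info(data)["overlay_size"] > 0

def build_sample_pe(section: bytes, cert: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE32 (not a real 3CX binary) used only to exercise the check."""
    sec_off = 0x200
    cert_off = sec_off + len(section)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)    # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 136, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 5)   # 5 data directories
    opt += bytes(32) + struct.pack("<II", cert_off, len(cert))          # dir[4] = security
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section), 0x1000, len(section),
                                       sec_off, 0, 0, 0, 0, 0x60000020)
    header = (dos + b"PE\0\0" + coff + opt + sec).ljust(sec_off, b"\0")
    return header + section + cert + overlay

if __name__ == "__main__":
    clean = build_sample_pe(b"\x90" * 64, b"CERT" * 8, b"")
    tampered = build_sample_pe(b"\x90" * 64, b"CERT" * 8, b"\xAA" * 300)   # constructed blob
    print(pe_overlay_info(clean), has_unexpected_overlay(clean))
    print(pe_overlay_info(tampered), has_unexpected_overlay(tampered))
```

Legitimate installers also carry overlays, so pair a hit with a hash comparison against the published indicators and a signature-validity check rather than treating it as proof on its own.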

Indicators of Compromise
