3CX: Supply Chain Attack Affects Thousands of Users Worldwide
2023-03-30 • Symantec
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack
Symantec reported that North Korea-linked actors compromised multiple Windows and macOS versions of the 3CX DesktopApp in a supply-chain attack: legitimate installers were trojanized to deploy information-stealing malware. On Windows, the trojanized installer shipped a modified `ffmpeg.dll`, which the application sideloaded; that DLL read `d3dcompiler_47.dll`, located an encrypted blob that begins with the marker `FEEDFACE`, and decrypted it into shellcode, which in turn executed a third DLL that attempted to retrieve icon files from a GitHub repository. Because the affected product is a widely used voice and video calling client, the campaign resembled a SolarWinds-style compromise: the host information collected by the stealer was likely used to decide which victims would receive follow-on intrusion activity. Symantec listed affected installer and app hashes, attacker-controlled domains, and the GitHub path used by the malware; 3CX advised users to uninstall the desktop app and use the PWA client until clean builds were available.
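The loader chain above is what an analyst has to reproduce on a suspect `d3dcompiler_47.dll`: find the marker, carve the blob that follows it, decrypt it, and check whether a PE image sits behind the shellcode. The script below is an added example written for this page, not Symantec's or 3CX's code. It assumes things the page does not state: the marker is searched in both its ASCII form (`FEEDFACE`) and its raw-byte form (`FE ED FA CE`), the blob is RC4-encrypted with a key the analyst supplies, and every byte of the sample files is constructed rather than taken from the real artifacts.

```python
"""Triage helper for the FEEDFACE loader chain: locate the marker, carve and decrypt the
appended blob, and look for the DLL embedded behind the shellcode.
Added example, not Symantec's or 3CX's code. Assumptions: marker searched as ASCII and
as raw bytes; cipher is RC4 with an analyst-supplied key; all sample bytes are constructed."""
import hashlib
import math
import struct
from collections import Counter
from typing import Optional, Tuple

MARKERS = {"ascii": b"FEEDFACE", "raw": bytes.fromhex("FEEDFACE")}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); symmetric, so one call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits near 8, code and padding well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_marker(image: bytes) -> Optional[Tuple[str, int]]:
    """Return (encoding, offset) of the earliest marker occurrence, or None if absent."""
    hits = [(enc, image.find(m)) for enc, m in MARKERS.items()]
    hits = [h for h in hits if h[1] != -1]
    return min(hits, key=lambda h: h[1]) if hits else None


def find_embedded_pe(data: bytes) -> int:
    """Offset of the first MZ header whose e_lfanew points at a PE signature, else -1.
    The decrypted blob is shellcode with a DLL behind it, so the PE is not at offset 0."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def triage(image: bytes, key: Optional[bytes] = None) -> dict:
    """Report whether a DLL image carries a marked blob and, given a key, what it hides."""
    report = {"sha256": hashlib.sha256(image).hexdigest(), "marker": None}
    hit = find_marker(image)
    if hit is None:
        return report
    enc, off = hit
    blob = image[off + len(MARKERS[enc]):]
    report.update(marker=enc, offset=off, blob_len=len(blob),
                  blob_entropy=round(entropy(blob), 2))
    if key is not None:
        plain = rc4(key, blob)
        report["embedded_pe_offset"] = find_embedded_pe(plain)
        report["decrypted_sha256"] = hashlib.sha256(plain).hexdigest()
    return report


def _fake_pe() -> bytes:
    """Constructed stand-in for a DLL: an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x00" * 0x1C


# Constructed sample files and key (not the real 3CX artifacts).
SAMPLE_KEY = b"analyst-supplied-key"
STUB = b"\x90" * 16 + b"\xe8\x00\x00\x00\x00"      # stand-in for the loader shellcode
PAYLOAD = STUB + _fake_pe() + b"\x00" * 300           # shellcode followed by the DLL
BENIGN_DLL = b"MZ" + b"\x00" * 510                    # clean image: nothing appended
TROJANIZED_DLL = BENIGN_DLL + MARKERS["ascii"] + rc4(SAMPLE_KEY, PAYLOAD)

if __name__ == "__main__":
    print(triage(BENIGN_DLL))
    print(triage(TROJANIZED_DLL, SAMPLE_KEY))
```

Run against a real suspect file, the useful signal even without a key is the pair `marker`/`blob_entropy`: a signed Microsoft DLL should have no marker, and a high-entropy tail after one is the carve-and-decrypt candidate to hand to the reverser. The marker is searched in both encodings because the page gives it only as `FEEDFACE`, and a false positive on four raw bytes inside ordinary code is cheap to rule out by the entropy of what follows.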
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | e6bbc33815b9f20b0cf832d7401dd89… | 2023-03-29 | 2024-12-27 |
| DOMAIN | visualstudiofactory.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | akamaitechcloudservices.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | msedgepackageinfo.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | msstorageazure.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | azureonlinestorage.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | zacharryblogs.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | officestoragebox.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | pbxphonenetwork.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | sourceslabs.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | officeaddons.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | glcloudservice.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | pbxcloudeservices.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | azuredeploystore.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | pbxsources.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | msstorageboxes.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | journalide.org | 2023-03-29 | 2023-05-09 |
| HASH | aa4e398b3bd8645016d8090ffc77d15… | 2023-03-30 | 2023-05-02 |
| HASH | 7986bbaee8940da11ce089383521ab4… | 2023-03-30 | 2023-04-28 |
| HASH | 11be1803e2e307b647a8a7e02d12833… | 2023-03-30 | 2023-04-28 |
| HASH | 5407cda7d3a75e7b1e030b1f33337a5… | 2023-03-29 | 2023-04-28 |
| HASH | dde03348075512796241389dfea5560… | 2023-03-29 | 2023-04-28 |
| HASH | fad482ded2e25ce9e1dd3d3ecc3227a… | 2023-03-29 | 2023-04-28 |
| HASH | 59e1edf4d82fae4978e97512b0331b7… | 2023-03-29 | 2023-04-28 |
| HASH | aa124a4b4df12b34e74ee7f6c683b2e… | 2023-03-29 | 2023-04-28 |
| DOMAIN | qwepoi123098.com | 2023-03-29 | 2023-04-28 |
| DOMAIN | akamaicontainer.com | 2023-03-29 | 2023-04-28 |
| DOMAIN | dunamistrd.com | 2023-03-29 | 2023-04-28 |
| DOMAIN | azureonlinecloud.com | 2023-03-29 | 2023-04-28 |
| HASH | 92005051ae314d61074ed94a52e76b1… | 2023-03-29 | 2023-03-31 |
| HASH | b86c695822013483fa4e2dfdf712c5e… | 2023-03-29 | 2023-03-31 |
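To actually use the table above, an analyst sweeps resolver logs for the attacker domains (including any subdomain of them) and sweeps file inventories for the listed hashes. The hash values on this page are truncated (`…`), so hashes can only be matched by prefix, and every prefix hit must be confirmed against the full hash in the Symantec post. The script below is an added example written for this page, not Symantec's or 3CX's tooling: the IOC rows it embeds are a subset copied from the table above, while the DNS log lines, file paths and full-length digests are constructed.

```python
"""Sweep constructed telemetry for the domains and (truncated) hashes from the IOC table.
Added example, not Symantec's or 3CX's tooling. IOC rows are a subset of the page's table;
the DNS log, inventory paths and full-length digests are constructed."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | e6bbc33815b9f20b0cf832d7401dd89… | 2023-03-29 | 2024-12-27 |
| DOMAIN | msstorageazure.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | pbxphonenetwork.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | journalide.org | 2023-03-29 | 2023-05-09 |
| HASH | 92005051ae314d61074ed94a52e76b1… | 2023-03-29 | 2023-03-31 |
"""

# Constructed resolver log: one subdomain hit, one clean query, one exact hit, one look-alike.
SAMPLE_DNS_LOG = """\
2023-03-30T09:12:01Z client=10.0.4.22 query=cdn.msstorageazure.com type=A
2023-03-30T09:12:03Z client=10.0.4.22 query=time.windows.com type=A
2023-03-30T09:14:40Z client=10.0.7.9 query=pbxphonenetwork.com type=A
2023-03-30T09:15:02Z client=10.0.7.9 query=msstorageazure.com.evil.example type=A
"""

# Constructed inventory of (path, sha256); the first digest merely extends an IOC prefix.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    (r"C:\Quarantine\sample1.bin", "e6bbc33815b9f20b0cf832d7401dd89" + "0" * 33),
    (r"C:\Quarantine\sample2.bin", "f" * 64),
]

TRUNCATED = re.compile(r"(…|\.\.\.)$")
DNS_LINE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+)")


def parse_ioc_table(text: str) -> Dict[str, Set[str]]:
    """Parse the page's markdown IOC table into {type: values}; hashes keep only their prefix."""
    iocs: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] == "Type" or set(cells[0]) <= set("-: "):
            continue  # blank line, header row or separator row
        kind, value = cells[0].upper(), cells[1]
        if kind == "HASH":
            value = TRUNCATED.sub("", value).lower()
        elif kind == "DOMAIN":
            value = value.lower().rstrip(".")
        iocs.setdefault(kind, set()).add(value)
    return iocs


def domain_matches(name: str, domains: Set[str]) -> Optional[str]:
    """Exact or parent-domain match; a look-alike that merely starts with an IOC does not match."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never collapse to a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def hash_matches(digest: str, prefixes: Set[str]) -> Optional[str]:
    """Prefix match against truncated IOC hashes; returns the prefix so the hit can be verified."""
    digest = digest.lower()
    return next((p for p in prefixes if digest.startswith(p)), None)


def scan_dns_log(lines: Iterable[str], iocs: Dict[str, Set[str]]) -> List[dict]:
    """Return one record per query that resolves to an IOC domain or a subdomain of one."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if not m:
            continue
        ioc = domain_matches(m["query"], iocs.get("DOMAIN", set()))
        if ioc:
            hits.append({**m.groupdict(), "ioc": ioc})
    return hits


def scan_file_hashes(inventory: Iterable[Tuple[str, str]], iocs: Dict[str, Set[str]]) -> List[dict]:
    """Return one record per file whose digest starts with a listed hash prefix; confirmed=False
    until the analyst checks the full hash against the source list."""
    hits = []
    for path, digest in inventory:
        ioc = hash_matches(digest, iocs.get("HASH", set()))
        if ioc:
            hits.append({"path": path, "sha256": digest, "ioc_prefix": ioc, "confirmed": False})
    return hits


if __name__ == "__main__":
    table = parse_ioc_table(IOC_TABLE)
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines(), table) + scan_file_hashes(SAMPLE_INVENTORY, table):
        print(hit)
```

The parent-domain walk matters in both directions: `cdn.msstorageazure.com` must hit, while `msstorageazure.com.evil.example` must not, which a naive substring or `startswith` check on the query gets wrong. Paste the full table from the page into `IOC_TABLE` to sweep against every row.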