3CX Supply Chain Compromise Leads to ICONIC Incident

2023-03-30 Volexity

https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/


Volexity attributed the 3CX supply-chain compromise to a suspected North Korean threat actor tracked as UTA0040 and reported that malicious, 3CX-signed updates installed information-stealing malware on affected endpoints. The analysis found both Windows and macOS installers were impacted, with Windows infrastructure active by December 7, 2022 and related domains registered as early as November 2022. Volexity named the first-stage Windows malware ICONIC, which downloaded GitHub-hosted icon files, parsed appended Base64 data, decrypted it with AES-GCM, and used the decoded URLs to request a second-stage payload. The source advises isolating impacted endpoints, investigating for follow-on compromise, and rotating secrets because the reconnaissance payload could have enabled additional victim selection.
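The delivery trick described above, icon files with an encrypted Base64 blob appended after the image data, leaves a structural tell a responder can check for without any key material: an ICO file's directory declares the size and offset of every image it contains, so any bytes past the last declared image are foreign. The script below is an added example written for this summary, not Volexity's or 3CX's code; it parses the ICO directory, measures the trailing region and reports whether that region validates as Base64. The sample icon and trailers it builds are constructed inline for demonstration, and nothing here decrypts or contacts the URLs the payload carried.

```python
import base64
import binascii
import struct
import sys

# ICO layout: a 6-byte ICONDIR header, then 16-byte ICONDIRENTRY records,
# then the image blobs those records point at.
ICONDIR = struct.Struct("<HHH")         # reserved, type (1=icon, 2=cursor), count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colors, reserved, planes, bpp, size, offset


def ico_payload_end(data: bytes) -> int:
    """Offset just past the last byte any directory entry accounts for."""
    if len(data) < ICONDIR.size:
        raise ValueError("too short to be an ICO file")
    reserved, img_type, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or img_type not in (1, 2) or count == 0:
        raise ValueError("not an ICO/CUR header")
    end = ICONDIR.size + count * ICONDIRENTRY.size
    for i in range(count):
        entry_off = ICONDIR.size + i * ICONDIRENTRY.size
        *_, size, offset = ICONDIRENTRY.unpack_from(data, entry_off)
        if offset + size > len(data):
            raise ValueError("directory entry points past end of file")
        end = max(end, offset + size)
    return end


def trailing_data(data: bytes) -> bytes:
    """Bytes after the last declared image; an honest icon has none."""
    return data[ico_payload_end(data):]


def looks_like_base64(blob: bytes) -> bool:
    """True if the trailer is non-trivial and decodes as strict Base64."""
    stripped = blob.strip()
    if len(stripped) < 16:  # constructed threshold to ignore a few stray pad bytes
        return False
    try:
        base64.b64decode(stripped, validate=True)
    except binascii.Error:
        return False
    return True


def assess(data: bytes) -> dict:
    """Summarise what a triage analyst wants to know about one icon file."""
    tail = trailing_data(data)
    return {"trailing_bytes": len(tail), "base64_trailer": looks_like_base64(tail)}


def build_sample_ico(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 32-bpp icon, optionally with bytes appended after the image."""
    # BITMAPINFOHEADER: size, width, height*2 (ICO convention), planes, bpp,
    # compression, image size, x/y ppm, colours used, colours important.
    bih = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 8, 0, 0, 0, 0)
    pixels = b"\x00\x00\x00\xff"   # one BGRA pixel
    mask = b"\x00\x00\x00\x00"     # AND mask row, padded to 4 bytes
    img = bih + pixels + mask
    header = ICONDIR.pack(0, 1, 1)
    offset = ICONDIR.size + ICONDIRENTRY.size
    entry = ICONDIRENTRY.pack(1, 1, 0, 0, 1, 32, len(img), offset)
    return header + entry + img + trailer


if __name__ == "__main__":
    # Usage: python ico_trailer.py icon1.ico icon2.ico ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, assess(fh.read()))
```

A trailer that is both present and Base64-clean is the signal worth escalating; a handful of non-Base64 bytes after the image is often just padding from an icon editor, which is why the check reports both facts separately rather than a single verdict.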

Indicators of Compromise

Type Value First Seen Last Seen
HASH a64fa9f1c76457ecc58402142a8728c… 2023-03-30 2024-12-27
HASH e6bbc33815b9f20b0cf832d7401dd89… 2023-03-29 2024-12-27
DOMAIN visualstudiofactory.com 2023-03-29 2024-09-09
DOMAIN akamaitechcloudservices.com 2023-03-29 2024-09-09
DOMAIN msedgepackageinfo.com 2023-03-29 2024-09-09
DOMAIN msstorageazure.com 2023-03-29 2024-09-09
DOMAIN azureonlinestorage.com 2023-03-29 2024-09-09
DOMAIN zacharryblogs.com 2023-03-29 2024-09-09
DOMAIN officestoragebox.com 2023-03-29 2024-09-09
DOMAIN pbxphonenetwork.com 2023-03-29 2024-09-09
DOMAIN sourceslabs.com 2023-03-29 2024-09-09
DOMAIN officeaddons.com 2023-03-29 2024-09-09
DOMAIN glcloudservice.com 2023-03-29 2024-09-09
DOMAIN pbxcloudeservices.com 2023-03-29 2024-09-09
DOMAIN azuredeploystore.com 2023-03-29 2024-09-09
DOMAIN pbxsources.com 2023-03-29 2024-09-09
DOMAIN msstorageboxes.com 2023-03-29 2024-09-09
HASH d5101c3b86d973a848ab7ed79cd11e5a 2023-03-30 2023-06-29
HASH 660ea9b8205fbd2da59fefd26ae5115c 2023-03-30 2023-06-29
HASH 769383fc65d1386dd141c960c997011… 2023-03-29 2023-06-29
HASH 3dc840d32ce86cebf657b17cef62814… 2023-03-29 2023-06-29
HASH 8ab3a5eaaf8c296080fadf56b265194… 2023-03-30 2023-04-28
HASH 7986bbaee8940da11ce089383521ab4… 2023-03-30 2023-04-28
HASH 59e1edf4d82fae4978e97512b0331b7… 2023-03-29 2023-04-28
URL https://azureonlinestorage.com/… 2023-03-30 2023-04-05
URL https://akamaitechcloudservices… 2023-03-30 2023-04-05
URL https://pbxsources.com/exchange 2023-03-30 2023-04-05
URL https://zacharryblogs.com/feed 2023-03-30 2023-04-05
URL https://msstorageboxes.com/offi… 2023-03-30 2023-04-05
URL https://msedgepackageinfo.com/m… 2023-03-30 2023-04-05
URL https://azuredeploystore.com/cl… 2023-03-30 2023-04-05
URL https://glcloudservice.com/v1/c… 2023-03-30 2023-04-05
URL https://visualstudiofactory.com… 2023-03-30 2023-04-05
URL https://officeaddons.com/techno… 2023-03-30 2023-04-05
URL https://pbxcloudeservices.com/p… 2023-03-30 2023-04-05
URL https://sourceslabs.com/downloa… 2023-03-30 2023-04-05
URL https://msstorageazure.com/wind… 2023-03-30 2023-04-05
URL https://officestoragebox.com/ap… 2023-03-30 2023-04-05
HASH 0eeb1c0133eb4d571178b2d9d14ce3e9 2023-03-30 2023-04-03
URL https://msedgeupdate.net/Windows 2023-03-30 2023-04-03
URL https://pbxphonenetwork.com/voip 2023-03-30 2023-04-03
DOMAIN msedgeupdate.net 2023-03-30 2023-04-03
HASH bf939c9c261d27ee7bb92325cc58862… 2023-03-29 2023-04-03
HASH 8377fb40c76aa3ba3efae3d284fa51a… 2023-03-30 2023-03-31
HASH 11ae67704ea0b930b2cc966e6d07f8b… 2023-03-30 2023-03-31
HASH caa77bcd0a1a6629ba1f3ce8d1fc545… 2023-03-30 2023-03-31
HASH 11bc82a9bd8297bd0823bce5d6202082 2023-03-30 2023-03-31
HASH 7faea2b01796b80d180399040bb69835 2023-03-30 2023-03-31
HASH b5de30a83084d6f27d902b96dd12e15… 2023-03-30 2023-03-31
HASH 0d890267ec8d6d2aaf43eaca727c1fb… 2023-03-30 2023-03-31
HASH 3b3e778b647371262120a523eb873c2… 2023-03-30 2023-03-31
HASH 31d775ab577f3cc88991d90e9ae5850… 2023-03-30 2023-03-31
HASH 64ab912d0af35c01355430d85dd4181… 2023-03-30 2023-03-31
HASH f79c3b0adb6ec7bcc8bc9ae955a1571… 2023-03-30 2023-03-31
HASH bfecb8ce89a312d2ef4afc64a63847a… 2023-03-30 2023-03-31
HASH 894e7d4ffd764bb458809c7f0643694… 2023-03-30 2023-03-31
HASH b1dee3ebcffad01a51ff31ff495fef1… 2023-03-30 2023-03-31
HASH ffccc3a29d1582989430e9b6c6d2bff… 2023-03-30 2023-03-31
HASH 3992dbe9e0b23e0d4ca487faffeb004… 2023-03-30 2023-03-31
HASH f533bea1c0558f73f6a3930343c1694… 2023-03-30 2023-03-31
HASH 96910a3dbc194a7bf9a452afe8a35ec… 2023-03-30 2023-03-31
HASH 89827af650640c7042077be64dc6432… 2023-03-30 2023-03-31
HASH 57a9f3d5d1592a0769886493f566930… 2023-03-30 2023-03-31
HASH 74bc2d0b6680faa1a5a76b27e5479cbc 2023-03-29 2023-03-31
HASH 3df119f322c5182bdbea4ab364eec8a… 2023-03-30 2023-03-30
HASH ad37112b302c5193e60f6f6f49f4df6… 2023-03-30 2023-03-30
HASH 9c943baad621654cc0a0495262b6175… 2023-03-30 2023-03-30
HASH 3a2138cd38ff2cef246f122a97d3c8f… 2023-03-30 2023-03-30
EMAIL [email protected] 2023-03-30 2023-03-30
EMAIL [email protected] 2023-03-30 2023-03-30
