3CX VoIP Software Compromise & Supply Chain Threats

2023-03-30 Huntress

https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats


Huntress investigated the 3CX DesktopApp compromise as a large supply-chain incident delivered through legitimate 3CX update channels; the affected Windows builds, 18.12.407 and 18.12.416, were observed across customer environments. The attack chain used a backdoored ffmpeg.dll as the loader: it read d3dcompiler_47.dll from disk, located an encrypted payload marked with the bytes FE ED FA CE, and RC4-decrypted it with a key that other reporting had previously associated with DPRK threat activity. The decrypted shellcode embedded a further PE loader that slept for seven days before retrieving icon files from the GitHub repository IconStorages/images; encoded data appended to those icons decrypted to multiple command-and-control URLs. The seven-day delay matters for scoping: a host running a trojanized build may have been compromised well before any beacon to the C2 infrastructure appears in network logs. Huntress highlighted process lineage, the malicious 3CXDesktopApp.exe hashes, the GitHub icon repository, and domains including akamaitechcloudservices.com, pbxsources.com, msedgeupdate.net, and visualstudiofactory.com as detection and hunting leads.
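The two carving steps in that chain (find a marker inside a host file and RC4-decrypt what follows; strip a well-formed icon down to the bytes appended past its declared image data) are generic enough to be worth having as a triage script. The following is an added example written for this page, not Huntress's code or the actual malware; the DLL bytes, icon, RC4 key, stage-2 stand-in and URLs are all constructed so it runs offline, and the base64-then-RC4 scheme used for the icon trailer is an illustrative assumption, not the real samples' encoding.

```python
"""Carving helpers for a marker-delimited RC4 payload and for data appended to an ICO.

Added example (not from the Huntress post). DEMO_* values are constructed;
the real key, shellcode and C2 URLs are deliberately not reproduced.
"""
import base64
import struct

FEEDFACE = bytes.fromhex("FEEDFACE")
DEMO_KEY = b"demo-key-not-the-real-one"            # constructed, not the real RC4 key
DEMO_STAGE2 = b"<stage-2 loader stand-in>"          # constructed stand-in for shellcode
DEMO_URLS = ["https://example.invalid/feed",        # constructed, RFC 2606 reserved TLD
             "https://example.invalid/voip"]


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def carve_marked_payload(blob: bytes, marker: bytes = FEEDFACE):
    """Return everything after the first occurrence of `marker`, or None if absent.
    On a real sample, check every offset (blob.find in a loop), not only the first."""
    idx = blob.find(marker)
    return None if idx < 0 else blob[idx + len(marker):]


def recover_stage2(blob: bytes, key: bytes):
    """Marker-carve then RC4-decrypt; mirrors the loader's read-search-decrypt flow."""
    enc = carve_marked_payload(blob)
    return None if enc is None else rc4(key, enc)


def ico_trailing_data(ico: bytes) -> bytes:
    """Return bytes appended after the last image the ICO header accounts for.
    ICONDIR = <HHH> (reserved=0, type=1, count); each ICONDIRENTRY is 16 bytes
    with dwBytesInRes at +8 and dwImageOffset at +12 (little-endian)."""
    reserved, itype, count = struct.unpack_from("<HHH", ico, 0)
    if reserved != 0 or itype != 1 or count == 0:
        raise ValueError("not an ICO header")
    end = 6 + 16 * count                       # end of the directory itself
    for n in range(count):
        size, off = struct.unpack_from("<II", ico, 6 + 16 * n + 8)
        end = max(end, off + size)             # furthest byte any image claims
    return ico[end:]


def recover_c2_urls(ico: bytes, key: bytes) -> list:
    """Decode the appended trailer (assumed base64 + RC4 here) into one URL per line."""
    raw = ico_trailing_data(ico)
    if not raw:
        return []
    text = rc4(key, base64.b64decode(raw)).decode("utf-8", "replace")
    return [line for line in text.split("\n") if line.strip()]


# --- constructed sample builders so the script is self-contained ---------------
def build_demo_dll_blob(key: bytes) -> bytes:
    """Fake 'signed DLL' bytes with an encrypted payload appended after the marker."""
    fake_dll = b"MZ" + b"\x00" * 64 + b"benign-looking dll body"
    return fake_dll + FEEDFACE + rc4(key, DEMO_STAGE2)


def encode_c2_urls(urls: list, key: bytes) -> bytes:
    return base64.b64encode(rc4(key, "\n".join(urls).encode()))


def build_demo_ico(appended: bytes) -> bytes:
    """One 16x16 entry whose 'bitmap' is 40 zero bytes, then the appended trailer."""
    image = b"\x00" * 40
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(image), 6 + 16)
    return struct.pack("<HHH", 0, 1, 1) + entry + image + appended


if __name__ == "__main__":
    print(recover_stage2(build_demo_dll_blob(DEMO_KEY), DEMO_KEY))
    print(recover_c2_urls(build_demo_ico(encode_c2_urls(DEMO_URLS, DEMO_KEY)), DEMO_KEY))
```

Against real samples you would point `recover_stage2` at a suspect d3dcompiler_47.dll and `ico_trailing_data` at each icon pulled from the repository; an icon whose trailer is non-empty is itself a finding, regardless of whether you know the decryption scheme.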

Indicators of Compromise

Type    Value                               First Seen   Last Seen
HASH    e6bbc33815b9f20b0cf832d7401dd89…    2023-03-29   2024-12-27
DOMAIN  visualstudiofactory.com             2023-03-29   2024-09-09
DOMAIN  akamaitechcloudservices.com         2023-03-29   2024-09-09
DOMAIN  msedgepackageinfo.com               2023-03-29   2024-09-09
DOMAIN  msstorageazure.com                  2023-03-29   2024-09-09
DOMAIN  azureonlinestorage.com              2023-03-29   2024-09-09
DOMAIN  zacharryblogs.com                   2023-03-29   2024-09-09
DOMAIN  officestoragebox.com                2023-03-29   2024-09-09
DOMAIN  pbxphonenetwork.com                 2023-03-29   2024-09-09
DOMAIN  sourceslabs.com                     2023-03-29   2024-09-09
DOMAIN  officeaddons.com                    2023-03-29   2024-09-09
DOMAIN  glcloudservice.com                  2023-03-29   2024-09-09
DOMAIN  pbxcloudeservices.com               2023-03-29   2024-09-09
DOMAIN  azuredeploystore.com                2023-03-29   2024-09-09
DOMAIN  pbxsources.com                      2023-03-29   2024-09-09
DOMAIN  msstorageboxes.com                  2023-03-29   2024-09-09
DOMAIN  journalide.org                      2023-03-29   2023-05-09
HASH    5407cda7d3a75e7b1e030b1f33337a5…    2023-03-29   2023-04-28
HASH    59e1edf4d82fae4978e97512b0331b7…    2023-03-29   2023-04-28
HASH    aa124a4b4df12b34e74ee7f6c683b2e…    2023-03-29   2023-04-28
DOMAIN  qwepoi123098.com                    2023-03-29   2023-04-28
DOMAIN  akamaicontainer.com                 2023-03-29   2023-04-28
DOMAIN  dunamistrd.com                      2023-03-29   2023-04-28
DOMAIN  azureonlinecloud.com                2023-03-29   2023-04-28
URL     https://azureonlinestorage.com/…    2023-03-30   2023-04-05
URL     https://akamaitechcloudservices…    2023-03-30   2023-04-05
URL     https://pbxsources.com/exchange     2023-03-30   2023-04-05
URL     https://zacharryblogs.com/feed      2023-03-30   2023-04-05
URL     https://msstorageboxes.com/offi…    2023-03-30   2023-04-05
URL     https://msedgepackageinfo.com/m…    2023-03-30   2023-04-05
URL     https://azuredeploystore.com/cl…    2023-03-30   2023-04-05
URL     https://glcloudservice.com/v1/c…    2023-03-30   2023-04-05
URL     https://visualstudiofactory.com…    2023-03-30   2023-04-05
URL     https://officeaddons.com/techno…    2023-03-30   2023-04-05
URL     https://pbxcloudeservices.com/p…    2023-03-30   2023-04-05
URL     https://sourceslabs.com/downloa…    2023-03-30   2023-04-05
URL     https://msstorageazure.com/wind…    2023-03-30   2023-04-05
URL     https://officestoragebox.com/ap…    2023-03-30   2023-04-05
URL     https://msedgeupdate.net/Windows    2023-03-30   2023-04-03
URL     https://pbxphonenetwork.com/voip    2023-03-30   2023-04-03
DOMAIN  msedgeupdate.net                    2023-03-30   2023-04-03
HASH    92005051ae314d61074ed94a52e76b1…    2023-03-29   2023-03-31
HASH    b86c695822013483fa4e2dfdf712c5e…    2023-03-29   2023-03-31
HASH    a60a61bf844bc181d4540c9fac53203…    2023-03-30   2023-03-30
HASH    d45674f941be3cca2fbc1af42778043…    2023-03-30   2023-03-30
URL     https://s1.ai/smoothoperator        2023-03-30   2023-03-30
DOMAIN  s1.ai                               2023-03-30   2023-03-30
HASH    5d99efa36f34aa6b43cd81e77544961…    2023-03-30   2023-03-30
HASH    54004dfaa48ca5fa91e3304fb99559a…    2023-03-30   2023-03-30

Hash values and several URLs are truncated in this listing; match on the full values from the Huntress post before adding them to a blocklist. The s1.ai rows are SentinelOne's short link to their own "SmoothOperator" write-up on this incident, picked up by indicator extraction from the blog text; they are a reporting reference, not attacker infrastructure, and should not be blocked or alerted on. The First Seen / Last Seen dates are this aggregator's sighting window, not the malware's activity dates: the seven-day sleep in the loader means hosts can have been compromised before any of these URLs were contacted.
