3CXDesktop App Supply Chain Attack - Check Point Software
2023-03-29 • Check Point
Check Point described the 3CXDesktopApp incident as a supply-chain attack: victims downloaded a trojanized version of the VoIP desktop client, and the malicious DLL was executed through the application's normal loading of its dependencies. The infection chain uses DLL side-loading: the signed MSI loads a modified ffmpeg.dll, which reads encrypted data from d3dcompiler_47.dll, decrypts it with an embedded RC4 key, and executes code that contacts the IconStorages GitHub archive. The icon files hosted there carry Base64 data that decrypts into URLs, from which a final payload is downloaded and executed after a one-week delay. The source lists representative C2 indicators, covered by its protections, such as msstorageboxes[.]com, azureonlinestorage[.]com, pbxcloudeservices[.]com, and github.com/IconStorages/images.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | visualstudiofactory.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | akamaitechcloudservices.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | msedgepackageinfo.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | msstorageazure.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | azureonlinestorage.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | zacharryblogs.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | officestoragebox.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | pbxphonenetwork.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | sourceslabs.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | officeaddons.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | glcloudservice.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | pbxcloudeservices.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | azuredeploystore.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | pbxsources.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | msstorageboxes.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | journalide.org | 2023-03-29 | 2023-05-09 |
| DOMAIN | qwepoi123098.com | 2023-03-29 | 2023-04-28 |
| DOMAIN | akamaicontainer.com | 2023-03-29 | 2023-04-28 |
| DOMAIN | dunamistrd.com | 2023-03-29 | 2023-04-28 |
| DOMAIN | azureonlinecloud.com | 2023-03-29 | 2023-04-28 |
| HASH | 82187ad3f0c6c225e2fba0c867280cc9 | 2023-03-29 | 2023-04-03 |
| HASH | ca8c0385ce2b8bdd19423c8b98a5924b | 2023-03-29 | 2023-03-31 |
| HASH | 3703770e32820397c6e7e1e1221e6d0d | 2023-03-29 | 2023-03-31 |
| HASH | 9833a4779b69b38e3e51f04e395674c6 | 2023-03-29 | 2023-03-31 |
| HASH | bb915073385dd16a846dfa318afa3c19 | 2023-03-29 | 2023-03-31 |
| HASH | 74bc2d0b6680faa1a5a76b27e5479cbc | 2023-03-29 | 2023-03-31 |
| DOMAIN | soyoungjun.com | 2023-03-29 | 2023-03-30 |
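The summary above describes the C2 and download infrastructure, and the table lists the domains and file hashes. An IoC sweep built from that table, as an added example that is not part of Check Point's report: it normalises defanged indicators (the `[.]` / `hxxp` notation used in the summary), matches DNS query names against the domain list in a label-aligned way so that subdomains hit while lookalikes such as `notmsstorageboxes.com` do not, and checks file hashes against the hash list. The log format, client addresses and timestamps are constructed for the example; the 32-hex-digit hashes are treated as MD5, which the table does not state. `github.com/IconStorages/images` is a path indicator, not a domain, so it is deliberately left out of the domain set to avoid flagging all GitHub traffic.

```python
"""IoC sweep for the 3CXDesktopApp indicators listed in the table above (added example)."""
import hashlib
import re

# Domain indicators copied from the IoC table above.
IOC_DOMAINS = frozenset({
    "visualstudiofactory.com", "akamaitechcloudservices.com", "msedgepackageinfo.com",
    "msstorageazure.com", "azureonlinestorage.com", "zacharryblogs.com",
    "officestoragebox.com", "pbxphonenetwork.com", "sourceslabs.com", "officeaddons.com",
    "glcloudservice.com", "pbxcloudeservices.com", "azuredeploystore.com", "pbxsources.com",
    "msstorageboxes.com", "journalide.org", "qwepoi123098.com", "akamaicontainer.com",
    "dunamistrd.com", "azureonlinecloud.com", "soyoungjun.com",
})

# Hash indicators copied from the table. They are 32 hex digits, so they are
# treated as MD5 here (an assumption; the table does not name the algorithm).
IOC_HASHES = frozenset({
    "82187ad3f0c6c225e2fba0c867280cc9", "ca8c0385ce2b8bdd19423c8b98a5924b",
    "3703770e32820397c6e7e1e1221e6d0d", "9833a4779b69b38e3e51f04e395674c6",
    "bb915073385dd16a846dfa318afa3c19", "74bc2d0b6680faa1a5a76b27e5479cbc",
})


def refang(indicator: str) -> str:
    """Normalise a domain or URL indicator: undo [.] / hxxp defanging, drop the
    scheme, path and trailing dot, and lower-case it."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    s = re.sub(r"^[a-z]+://", "", s)
    return s.split("/", 1)[0].rstrip(".")


def match_domain(qname: str, iocs=IOC_DOMAINS):
    """Return the IoC domain that qname equals or is a subdomain of, else None.
    Matching is label-aligned: 'cdn.msstorageboxes.com' hits, 'notmsstorageboxes.com' does not."""
    labels = refang(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Constructed DNS query-log lines (not real telemetry) in a simple
# "<timestamp> <client> query: <qname> <qtype>" format. One line uses a
# trailing-dot FQDN, one is upper-cased, one is a lookalike near-miss.
SAMPLE_DNS_LOG = """\
2023-03-30T10:02:11Z 10.1.2.34 query: cdn.msstorageboxes.com. A
2023-03-30T10:02:12Z 10.1.2.34 query: www.example.com A
2023-03-30T10:05:40Z 10.1.2.51 query: AZUREONLINESTORAGE.COM AAAA
2023-03-30T10:06:03Z 10.1.2.77 query: notmsstorageboxes.com A
2023-03-30T10:07:19Z 10.1.2.34 query: raw.githubusercontent.com A
"""

_LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query:\s+(\S+)\s+(\S+)")


def scan_dns_log(text: str):
    """Return (timestamp, client, qname, matched_ioc) for every line whose query name hits an IoC."""
    hits = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        ts, client, qname, _qtype = m.groups()
        ioc = match_domain(qname)
        if ioc:
            hits.append((ts, client, qname, ioc))
    return hits


def hash_is_ioc(hex_digest: str) -> bool:
    """Case-insensitive membership test against the hash indicators."""
    return hex_digest.strip().lower() in IOC_HASHES


def file_md5(path: str) -> str:
    """MD5 of a file, read in chunks so a large DLL need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    import sys
    from pathlib import Path

    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS IoC hit:", hit)
    # Sweep a directory (e.g. the 3CX install folder, given as argv[1]) for DLLs matching the hash list.
    for p in Path(sys.argv[1] if len(sys.argv) > 1 else ".").rglob("*.dll"):
        if hash_is_ioc(file_md5(str(p))):
            print("Hash IoC hit:", p)
```

Run it with the install directory as the first argument to sweep DLLs; the DNS matcher is meant to be pointed at real resolver logs by swapping in the appropriate parsing regex for the log format in use.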