Shares tags: SupplyChain, 3CXDesktopApp, SmoothOperator • Shares 28 IOCs • Published within a week
Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign
2023-03-30 • Rapid7 •
Rapid7 analyzed the 3CXDesktopApp Windows supply-chain compromise after multiple vendors observed malicious activity from a legitimate signed communications application on Windows and macOS. The MSI drops benign 3CXDesktopApp.exe, which loads backdoored ffmpeg.dll; that DLL reads an RC4-encrypted blob from d3dcompiler.dll and reflectively loads code that retrieves .ico files with appended Base64 command-and-control data from GitHub. Rapid7 MDR observed the backdoored installer in several customer environments and identified affected Electron Windows versions 18.12.407 and 18.12.416 and macOS versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416. The source recommends uninstalling 3CXDesktopApp, using the PWA client temporarily, and hunting known malicious domains and hashes associated with the campaign.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | visualstudiofactory.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | akamaitechcloudservices.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | msedgepackageinfo.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | msstorageazure.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | azureonlinestorage.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | zacharryblogs.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | officestoragebox.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | pbxphonenetwork.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | sourceslabs.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | officeaddons.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | glcloudservice.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | pbxcloudeservices.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | azuredeploystore.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | pbxsources.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | msstorageboxes.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | journalide.org | 2023-03-29 | 2023-05-09 |
| HASH | 7986bbaee8940da11ce089383521ab4… | 2023-03-30 | 2023-04-28 |
| HASH | 11be1803e2e307b647a8a7e02d12833… | 2023-03-30 | 2023-04-28 |
| HASH | dde03348075512796241389dfea5560… | 2023-03-29 | 2023-04-28 |
| HASH | fad482ded2e25ce9e1dd3d3ecc3227a… | 2023-03-29 | 2023-04-28 |
| HASH | aa124a4b4df12b34e74ee7f6c683b2e… | 2023-03-29 | 2023-04-28 |
| DOMAIN | qwepoi123098.com | 2023-03-29 | 2023-04-28 |
| DOMAIN | akamaicontainer.com | 2023-03-29 | 2023-04-28 |
| DOMAIN | dunamistrd.com | 2023-03-29 | 2023-04-28 |
| DOMAIN | azureonlinecloud.com | 2023-03-29 | 2023-04-28 |
| DOMAIN | msedgeupdate.net | 2023-03-30 | 2023-04-03 |
| HASH | 92005051ae314d61074ed94a52e76b1… | 2023-03-29 | 2023-03-31 |
| HASH | b86c695822013483fa4e2dfdf712c5e… | 2023-03-29 | 2023-03-31 |
| DOMAIN | convieneonline.com | 2023-03-29 | 2023-03-30 |
| DOMAIN | soyoungjun.com | 2023-03-29 | 2023-03-30 |
Related Reports
Shares tags: SupplyChain, 3CXDesktopApp, SmoothOperator • Shares 27 IOCs • Published within a week
Shares tags: SupplyChain, 3CXDesktopApp, SmoothOperator • Shares 26 IOCs • Published within a week
Shares tags: SupplyChain, 3CXDesktopApp, SmoothOperator • Shares 26 IOCs • Published within a week
Shares tags: SupplyChain, 3CXDesktopApp, SmoothOperator • Shares 25 IOCs • Published within a month
Shares tags: SupplyChain, 3CXDesktopApp, SmoothOperator • Shares 25 IOCs • Published within a week