Tracking the 3CX Supply Chain Breach Incident Using EDR (original title: EDR을 활용한 3CX 공급망 침해 사고 추적)

2023-04-28 Ahnlab 3CX Supply Chain Breach Incident Tracking Using EDR

https://asec.ahnlab.com/ko/51915/


AhnLab analyzed the 3CX supply-chain compromise from endpoint telemetry and observed related malware installations in South Korea on March 9 and March 15. The source describes two DLLs, ffmpeg.dll and d3dcompiler_47.dll, being side-loaded by the legitimate, code-signed 3CXDesktopApp.exe process: ffmpeg.dll reads d3dcompiler_47.dll, RC4-decrypts the shellcode carried in it, and executes that downloader shellcode in memory. Because the host process is the vendor's own binary, the chain shows up on the endpoint mainly as image-load, file-read and network events rather than as a suspicious executable, which is why the tracking relies on EDR telemetry. Although no additional downloaded payload was confirmed during AhnLab's analysis, the campaign was known to lead to information-stealing malware and to payload retrieval from GitHub. AhnLab mapped its detections to DLL side-loading, registry queries and web protocol use, and listed numerous SHA-256 hashes and domains, such as akamaicontainer[.]com and pbxcloudeservices[.]com, as indicators for tracking the incident.
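The side-loading chain and the detection mapping described above, turned into a small correlation script over Sysmon-style EDR events. This is an added example, not AhnLab's code and not data from the incident: the key="value" export format, its field names (event, host, pid, image, loaded, target, query), the host names, process IDs and install path are all assumptions, and the sample log lines are constructed; only the domain list is taken from the IOC table on this page. It also carries the caveat a hunter needs: a clean 3CX install loads ffmpeg.dll from its own directory too, so the image-load event is only treated as confirmed when the same process is also seen reading d3dcompiler_47.dll as a file or resolving one of the listed domains.

```python
"""Correlate EDR telemetry for the 3CX DLL side-loading chain.

Added example, not AhnLab's code. The key="value" log format and its field
names are an assumption about how an EDR might export Sysmon-style
ImageLoad / FileRead / DnsQuery events; the sample lines are constructed.
IOC_DOMAINS is copied from the page's indicator table.
"""
import re
from collections import defaultdict
from ntpath import basename, dirname

IOC_DOMAINS = {
    "visualstudiofactory.com", "akamaitechcloudservices.com",
    "msedgepackageinfo.com", "msstorageazure.com", "azureonlinestorage.com",
    "zacharryblogs.com", "officestoragebox.com", "pbxphonenetwork.com",
    "sourceslabs.com", "officeaddons.com", "glcloudservice.com",
    "pbxcloudeservices.com", "azuredeploystore.com", "pbxsources.com",
    "msstorageboxes.com", "journalide.org", "qwepoi123098.com",
    "akamaicontainer.com", "dunamistrd.com", "azureonlinecloud.com",
}
HOST_PROCESS = "3cxdesktopapp.exe"
SIDELOADED_DLLS = {"ffmpeg.dll", "d3dcompiler_47.dll"}
PAYLOAD_CARRIER = "d3dcompiler_47.dll"  # ffmpeg.dll reads the shellcode from this file

# Constructed install path (assumption); the exe and both DLLs sit in one folder.
APP_DIR = r"C:\Users\kim\AppData\Local\Programs\3CXDesktopApp\app"
SAMPLE_LOG = f"""\
ts="2023-03-15T09:12:01Z" event="ImageLoad" host="WS01" pid="4412" image="{APP_DIR}\\3CXDesktopApp.exe" loaded="{APP_DIR}\\ffmpeg.dll"
ts="2023-03-15T09:12:01Z" event="ImageLoad" host="WS01" pid="4412" image="{APP_DIR}\\3CXDesktopApp.exe" loaded="{APP_DIR}\\d3dcompiler_47.dll"
ts="2023-03-15T09:12:02Z" event="FileRead" host="WS01" pid="4412" image="{APP_DIR}\\3CXDesktopApp.exe" target="{APP_DIR}\\d3dcompiler_47.dll"
ts="2023-03-15T09:19:44Z" event="DnsQuery" host="WS01" pid="4412" image="{APP_DIR}\\3CXDesktopApp.exe" query="akamaicontainer.com"
ts="2023-03-15T09:20:10Z" event="DnsQuery" host="WS01" pid="4412" image="{APP_DIR}\\3CXDesktopApp.exe" query="raw.githubusercontent.com"
ts="2023-03-15T10:00:00Z" event="ImageLoad" host="WS02" pid="880" image="C:\\Windows\\System32\\svchost.exe" loaded="C:\\Windows\\System32\\d3dcompiler_47.dll"
ts="2023-03-15T10:05:00Z" event="ImageLoad" host="WS03" pid="5120" image="{APP_DIR}\\3CXDesktopApp.exe" loaded="{APP_DIR}\\ffmpeg.dll"
ts="2023-03-15T10:05:30Z" event="DnsQuery" host="WS03" pid="5120" image="{APP_DIR}\\3CXDesktopApp.exe" query="example.org"
ts="2023-03-15T11:00:00Z" event="DnsQuery" host="WS04" pid="77" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" query="msstorageazure.com"
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse(line):
    """One key="value" line -> dict; blank or unparseable lines give {}."""
    return dict(FIELD.findall(line))


def is_sideload(ev):
    """3CXDesktopApp.exe mapping ffmpeg.dll / d3dcompiler_47.dll from its own folder."""
    if ev.get("event") != "ImageLoad":
        return False
    image, loaded = ev["image"], ev["loaded"]
    return (basename(image).lower() == HOST_PROCESS
            and basename(loaded).lower() in SIDELOADED_DLLS
            and dirname(loaded).lower() == dirname(image).lower())


def is_payload_read(ev):
    """The 3CX process opening d3dcompiler_47.dll as a plain file (ffmpeg.dll
    pulling out the RC4-encrypted shellcode), distinct from the loader mapping it."""
    return (ev.get("event") == "FileRead"
            and basename(ev["image"]).lower() == HOST_PROCESS
            and basename(ev["target"]).lower() == PAYLOAD_CARRIER)


def is_ioc_dns(ev):
    """DNS query for a domain from the IOC table."""
    return (ev.get("event") == "DnsQuery"
            and ev["query"].lower().rstrip(".") in IOC_DOMAINS)


def hunt(log_text):
    """Group matching events per (host, pid) and give each a verdict.

    side-load + (payload read or IOC DNS) -> "confirmed"
    side-load alone (a clean install does this) -> "suspicious"
    any other single indicator, e.g. IOC DNS from another process -> "partial"
    """
    procs = defaultdict(lambda: {"sideload": set(), "payload_read": False,
                                 "ioc_dns": set()})
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev:
            continue
        key = (ev["host"], ev["pid"])
        if is_sideload(ev):
            procs[key]["sideload"].add(basename(ev["loaded"]).lower())
        elif is_payload_read(ev):
            procs[key]["payload_read"] = True
        elif is_ioc_dns(ev):
            procs[key]["ioc_dns"].add(ev["query"].lower().rstrip("."))

    findings = {}
    for key, f in procs.items():
        if f["sideload"] and (f["ioc_dns"] or f["payload_read"]):
            f["verdict"] = "confirmed"
        elif f["sideload"]:
            f["verdict"] = "suspicious"
        else:
            f["verdict"] = "partial"
        findings[key] = f
    return findings


if __name__ == "__main__":
    for (host, pid), f in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{host} pid={pid}: {f['verdict']} sideload={sorted(f['sideload'])} "
              f"payload_read={f['payload_read']} ioc_dns={sorted(f['ioc_dns'])}")
```

Matching here is on domains only: the hashes in the table on this page are truncated, so they cannot be compared against a file hash. Against real telemetry, add a full SHA-256 check of the loaded ffmpeg.dll from the original post, since that is what separates a trojanized install from a clean one that produces the same image-load event.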

Indicators of Compromise

Type Value First Seen Last Seen
HASH a64fa9f1c76457ecc58402142a8728c… 2023-03-30 2024-12-27
HASH 5009c7d1590c1f8c05827122172583d… 2023-03-30 2024-12-27
HASH fee4f9dabc094df24d83ec1a8c4e4ff… 2023-03-30 2024-12-27
HASH 87c5d0c93b80acf61d24e7aaf0faae2… 2023-03-30 2024-12-27
HASH e6bbc33815b9f20b0cf832d7401dd89… 2023-03-29 2024-12-27
DOMAIN visualstudiofactory.com 2023-03-29 2024-09-09
DOMAIN akamaitechcloudservices.com 2023-03-29 2024-09-09
DOMAIN msedgepackageinfo.com 2023-03-29 2024-09-09
DOMAIN msstorageazure.com 2023-03-29 2024-09-09
DOMAIN azureonlinestorage.com 2023-03-29 2024-09-09
DOMAIN zacharryblogs.com 2023-03-29 2024-09-09
DOMAIN officestoragebox.com 2023-03-29 2024-09-09
DOMAIN pbxphonenetwork.com 2023-03-29 2024-09-09
DOMAIN sourceslabs.com 2023-03-29 2024-09-09
DOMAIN officeaddons.com 2023-03-29 2024-09-09
DOMAIN glcloudservice.com 2023-03-29 2024-09-09
DOMAIN pbxcloudeservices.com 2023-03-29 2024-09-09
DOMAIN azuredeploystore.com 2023-03-29 2024-09-09
DOMAIN pbxsources.com 2023-03-29 2024-09-09
DOMAIN msstorageboxes.com 2023-03-29 2024-09-09
DOMAIN journalide.org 2023-03-29 2023-05-09
HASH aa4e398b3bd8645016d8090ffc77d15… 2023-03-30 2023-05-02
HASH 210c9882eba94198274ebc787fe8c88… 2023-04-28 2023-04-28
HASH c485674ee63ec8d4e8fde9800788175… 2023-03-30 2023-04-28
HASH 5a017652531eebfcef7011c37a04f11… 2023-03-30 2023-04-28
HASH 8ab3a5eaaf8c296080fadf56b265194… 2023-03-30 2023-04-28
HASH d51a790d187439ce030cf763237e992… 2023-03-30 2023-04-28
HASH e059c8c8b01d6f3af32257fc2b6fe18… 2023-03-30 2023-04-28
HASH d0f1984b4fe896d0024533510ce22d7… 2023-03-30 2023-04-28
HASH 7986bbaee8940da11ce089383521ab4… 2023-03-30 2023-04-28
HASH 8c0b7d90f14c55d4f1d0f17e0242efd… 2023-03-30 2023-04-28
HASH 4e08e4ffc699e0a1de4a5225a0b4920… 2023-03-30 2023-04-28
HASH f1bf4078141d7ccb4f82e3f4f1c3571… 2023-03-30 2023-04-28
HASH d459aa0a63140ccc647e9026bfd1fcc… 2023-03-30 2023-04-28
HASH 268d4e399dbbb42ee1cd64d0da72c57… 2023-03-30 2023-04-28
HASH c13d49ed325dec9551906bafb6de9ec… 2023-03-30 2023-04-28
HASH f47c883f59a4802514c57680de3f41f… 2023-03-30 2023-04-28
HASH 2487b4e3c950d56fb15316245b3c51f… 2023-03-30 2023-04-28
HASH 11be1803e2e307b647a8a7e02d12833… 2023-03-30 2023-04-28
HASH c62dce8a77d777774e059cf1720d77c… 2023-03-30 2023-04-28
HASH 2c9957ea04d033d68b769f333a48e22… 2023-03-30 2023-04-28
HASH a541e5fc421c358e0a2b07bf4771e89… 2023-03-30 2023-04-28
HASH 5407cda7d3a75e7b1e030b1f33337a5… 2023-03-29 2023-04-28
HASH dde03348075512796241389dfea5560… 2023-03-29 2023-04-28
HASH fad482ded2e25ce9e1dd3d3ecc3227a… 2023-03-29 2023-04-28
HASH 59e1edf4d82fae4978e97512b0331b7… 2023-03-29 2023-04-28
HASH aa124a4b4df12b34e74ee7f6c683b2e… 2023-03-29 2023-04-28
DOMAIN qwepoi123098.com 2023-03-29 2023-04-28
DOMAIN akamaicontainer.com 2023-03-29 2023-04-28
DOMAIN dunamistrd.com 2023-03-29 2023-04-28
DOMAIN azureonlinecloud.com 2023-03-29 2023-04-28
