Elastic users protected from SUDDENICON’s supply chain attack
2023-03-30 • Elastic
https://www.elastic.co/kr/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack
A shellcode stub prepended to the payload, used to map it into memory, shares similarities with APPLEJEUS loader stubs, which have been associated with the DPRK. Upon successfully executing, this shellcode stub writes a new file (manifest) to disk with a timestamp 7 days in the future; that timestamp implements a timer, and only after it elapses does the malware connect to the C2 infrastructure. After initially connecting to an active C2 server, the malware performs a POST containing a machine identifier.

The CEO of 3CX has recommended uninstalling the software; a small number of community forum posts outline how security tooling is reacting to potential malware behaviors, and CrowdStrike and SentinelOne have published initial information.
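A defender-side check for the delay mechanism described above, as an added example that is not code from the advisory or from Elastic: it flags file writes whose stored timestamp lies several days ahead of the write itself and pairs each one with the first later outbound POST from the same process. The telemetry, process name, manifest path and destination are constructed, and the example assumes the endpoint sensor exposes the manifest's stored timestamp as a `file_timestamp` field.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the advisory): a manifest written with
# an embedded timestamp 7 days ahead, a benign write, and a POST from the same
# process once the stored date has passed. Names and paths are placeholders.
EVENTS = [
    {"ts": "2023-03-22T10:00:00", "type": "file_write", "process": "suspect.exe",
     "path": "C:\\ProgramData\\placeholder\\manifest",
     "file_timestamp": "2023-03-29T10:00:00"},
    {"ts": "2023-03-22T10:01:00", "type": "file_write", "process": "notepad.exe",
     "path": "C:\\Users\\u\\notes.txt",
     "file_timestamp": "2023-03-22T10:01:00"},
    {"ts": "2023-03-29T10:05:00", "type": "http_post", "process": "suspect.exe",
     "dest": "c2-placeholder.invalid"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def future_dated_writes(events, min_days=5, max_days=9):
    """File writes whose stored timestamp is min..max days after the write itself.
    The window brackets the 7-day timer so small clock skew does not hide it."""
    hits = []
    for e in events:
        if e["type"] != "file_write":
            continue
        delta = parse(e["file_timestamp"]) - parse(e["ts"])
        if timedelta(days=min_days) <= delta <= timedelta(days=max_days):
            hits.append(e)
    return hits


def correlate_delayed_beacon(events, min_days=5, max_days=9):
    """Pair each future-dated write with the first POST by the same process
    at or after the stored date, i.e. the moment the timer would fire."""
    findings = []
    for w in future_dated_writes(events, min_days, max_days):
        due = parse(w["file_timestamp"])
        for e in events:
            if (e["type"] == "http_post" and e["process"] == w["process"]
                    and parse(e["ts"]) >= due):
                findings.append({"process": w["process"], "manifest": w["path"],
                                 "written": w["ts"], "beacon": e["ts"],
                                 "dest": e["dest"]})
                break
    return findings


if __name__ == "__main__":
    for f in correlate_delayed_beacon(EVENTS):
        print(f)
```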
Indicators of Compromise