Information on Attacks Involving 3CX Desktop App
2023-03-30 • Trend Micro
https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html
Trend Micro summarized the 3CX Desktop App compromise as a multi-stage attack against the Electron-based Windows and macOS clients used by 3CX customers worldwide. The compromised MSI installer delivers a benign 3CXDesktopApp.exe that loads a trojanized ffmpeg.dll; that DLL reads encrypted shellcode stored after FE ED FA CE markers in d3dcompiler_47.dll and decrypts it with the RC4 key 3jB(2bsG#@c7. The shellcode reaches out to the since-removed IconStorages GitHub repository, retrieves ICO files that carry Base64-encoded, AES-GCM-encrypted C2 strings, and then contacts the listed command-and-control domains to fetch possible final payloads. The source also notes a timestamp-based sleep mechanism of seven or more days, the affected versions given in 3CX's advisory, and the risk posed by the software's large enterprise deployment base.
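The carving-and-decryption step described above, as an added analysis example that is not code from the Trend Micro write-up or from 3CX: it locates the FE ED FA CE marker in a suspect copy of d3dcompiler_47.dll and RC4-decrypts what follows with the key the write-up reports, so an analyst can pull the embedded configuration out in a lab without executing the loader. The marker and key come from the page; the sample "DLL" bytes and the placeholder plaintext are constructed here, and the assumption that the encrypted data runs from the marker to the end of the file is this example's own (the page does not describe the exact layout).

```python
# Added example (not from the Trend Micro write-up): carves the RC4-encrypted
# blob stored after the FE ED FA CE marker in a suspect d3dcompiler_47.dll
# and decrypts it with the key the write-up reports, so an analyst can
# extract the embedded C2 configuration in a lab without running the loader.
from __future__ import annotations

MARKER = bytes.fromhex("FEEDFACE")       # marker reported on the page
RC4_KEY = b"3jB(2bsG#@c7"                # RC4 key reported on the page


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                 # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def carve_after_marker(blob: bytes, marker: bytes = MARKER) -> bytes | None:
    """Return the bytes following the last occurrence of the marker, or None.

    Assumption (not stated on the page): the encrypted data runs from the
    marker to the end of the file. The last occurrence is used because the
    blob sits after the legitimate, signed DLL contents.
    """
    idx = blob.rfind(marker)
    if idx == -1:
        return None
    return blob[idx + len(marker):]


def extract_payload(blob: bytes, key: bytes = RC4_KEY) -> bytes | None:
    """Carve and RC4-decrypt the appended blob; None when no marker is present."""
    enc = carve_after_marker(blob)
    return None if enc is None else rc4(key, enc)


# Constructed stand-in for a trojanized DLL: fake PE bytes, the marker, then an
# RC4-encrypted placeholder string (not real shellcode, not the real file).
SAMPLE_PLAINTEXT = b"CONSTRUCTED-PAYLOAD: c2=https://example.invalid/"
SAMPLE_BLOB = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 128
               + MARKER + rc4(RC4_KEY, SAMPLE_PLAINTEXT))
# Constructed stand-in for a clean DLL: no marker, so nothing is carved.
CLEAN_BLOB = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 128

if __name__ == "__main__":
    print("suspect file ->", extract_payload(SAMPLE_BLOB))
    print("clean file   ->", extract_payload(CLEAN_BLOB))
```

A four-byte sequence can occur by chance in a legitimate binary, so treat a marker hit as a triage signal rather than a verdict: confirm it by checking that the decrypted bytes are meaningful (readable strings or valid code) and by comparing the file's hash and Authenticode signature against the known-good 3CX release.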
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | a64fa9f1c76457ecc58402142a8728c… | 2023-03-30 | 2024-12-27 |
| HASH | 5009c7d1590c1f8c05827122172583d… | 2023-03-30 | 2024-12-27 |
| HASH | fee4f9dabc094df24d83ec1a8c4e4ff… | 2023-03-30 | 2024-12-27 |
| HASH | 87c5d0c93b80acf61d24e7aaf0faae2… | 2023-03-30 | 2024-12-27 |
| DOMAIN | visualstudiofactory.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | akamaitechcloudservices.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | msedgepackageinfo.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | msstorageazure.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | azureonlinestorage.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | zacharryblogs.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | officestoragebox.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | pbxphonenetwork.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | sourceslabs.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | officeaddons.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | glcloudservice.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | pbxcloudeservices.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | azuredeploystore.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | pbxsources.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | msstorageboxes.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | journalide.org | 2023-03-29 | 2023-05-09 |
| HASH | c485674ee63ec8d4e8fde9800788175… | 2023-03-30 | 2023-04-28 |
| HASH | 5a017652531eebfcef7011c37a04f11… | 2023-03-30 | 2023-04-28 |
| HASH | 7986bbaee8940da11ce089383521ab4… | 2023-03-30 | 2023-04-28 |
| HASH | 4e08e4ffc699e0a1de4a5225a0b4920… | 2023-03-30 | 2023-04-28 |
| HASH | 11be1803e2e307b647a8a7e02d12833… | 2023-03-30 | 2023-04-28 |
| HASH | 5407cda7d3a75e7b1e030b1f33337a5… | 2023-03-29 | 2023-04-28 |
| HASH | dde03348075512796241389dfea5560… | 2023-03-29 | 2023-04-28 |
| HASH | fad482ded2e25ce9e1dd3d3ecc3227a… | 2023-03-29 | 2023-04-28 |
| HASH | 59e1edf4d82fae4978e97512b0331b7… | 2023-03-29 | 2023-04-28 |
| HASH | aa124a4b4df12b34e74ee7f6c683b2e… | 2023-03-29 | 2023-04-28 |
| DOMAIN | qwepoi123098.com | 2023-03-29 | 2023-04-28 |
| DOMAIN | akamaicontainer.com | 2023-03-29 | 2023-04-28 |
| DOMAIN | dunamistrd.com | 2023-03-29 | 2023-04-28 |
| DOMAIN | azureonlinecloud.com | 2023-03-29 | 2023-04-28 |
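A detection pass over DNS logs using the domain indicators from the table above, as an added example that is not part of the Trend Micro write-up. The domain list is copied from the table; the log format and the log lines are constructed for this example. It matches a queried name when it equals an indicator or is a subdomain of one, and it deliberately does not match names that merely contain an indicator as a substring. The hash indicators on this page are truncated, so the example covers domains only.

```python
# Added example (not part of the Trend Micro write-up): matches the C2 domains
# from the indicator table above against DNS query logs, flagging exact hits
# and subdomains (e.g. cdn.msstorageazure.com) while ignoring names that only
# contain an indicator as a substring (e.g. notmsstorageazure.com).
from __future__ import annotations

import re
from dataclasses import dataclass

# Domain indicators copied from the table on this page.
C2_DOMAINS = {
    "visualstudiofactory.com", "akamaitechcloudservices.com",
    "msedgepackageinfo.com", "msstorageazure.com", "azureonlinestorage.com",
    "zacharryblogs.com", "officestoragebox.com", "pbxphonenetwork.com",
    "sourceslabs.com", "officeaddons.com", "glcloudservice.com",
    "pbxcloudeservices.com", "azuredeploystore.com", "pbxsources.com",
    "msstorageboxes.com", "journalide.org", "qwepoi123098.com",
    "akamaicontainer.com", "dunamistrd.com", "azureonlinecloud.com",
}

# Assumed log format (constructed for this example, not a real product's):
#   <ISO timestamp> <client> query[<type>] <name>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\[(\w+)\]\s+(\S+)")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    queried: str
    indicator: str


def matching_indicator(name: str, indicators: set[str] = C2_DOMAINS) -> str | None:
    """Return the indicator that `name` equals or is a subdomain of, else None."""
    name = name.rstrip(".").lower()
    labels = name.split(".")
    # Walk the suffixes: a.b.c.com -> a.b.c.com, b.c.com, c.com, com
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def scan_dns_log(lines: list[str]) -> list[Hit]:
    """Parse each line and collect queries that match a domain indicator."""
    hits: list[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # skip malformed lines rather than aborting the scan
        ts, client, _qtype, name = m.groups()
        ioc = matching_indicator(name)
        if ioc:
            hits.append(Hit(ts, client, name.rstrip(".").lower(), ioc))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2023-03-29T08:12:01Z 10.0.4.21 query[A] msstorageazure.com.",
    "2023-03-29T08:12:02Z 10.0.4.21 query[A] cdn.msstorageazure.com",
    "2023-03-29T08:13:10Z 10.0.4.22 query[A] update.3cx.com",
    "2023-03-29T08:14:44Z 10.0.4.23 query[AAAA] notmsstorageazure.com",
    "garbage line that does not parse",
    "2023-03-29T08:15:00Z 10.0.4.24 query[A] journalide.org",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client} -> {hit.queried} (matches {hit.indicator})")
```

The suffix walk is what keeps this usable as a blocklist: a resolver log records whatever the loader actually asked for, which may be a host under one of these domains, and the "First Seen"/"Last Seen" columns bound the window in which a historical hit is worth escalating.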