Mac-ing Sense of the 3CX Supply Chain Attack: Analysis of the macOS Payloads
2023-08-10 • Objective-See
Patrick Wardle’s slide deck analyzes the macOS side of the 3CX supply-chain compromise, a nation-state operation in which 3CX’s build environments were compromised after an earlier supply-chain intrusion. The deck focuses on the POOLRAT backdoor used on the macOS build server, the malicious library inserted into 3CXDesktopApp updates, and the self-deleting second-stage payload delivered to macOS enterprise users. It describes POOLRAT as a lightweight C/C++ macOS backdoor capable of collecting system information, executing commands, securely deleting files, reading and writing files, and updating configuration. The material also documents C2 strings, YARA/XProtect-style detection logic, code-signing observations, and heuristic detection approaches for similar macOS supply-chain attacks.
Indicators of Compromise