Threat Brief: 3CXDesktopApp Supply Chain Attack
2023-03-30 • Palo Alto Networks
https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/
Unit 42 described the 3CXDesktopApp incident as a supply-chain compromise in which malicious libraries were included in legitimate Windows MSI and macOS DMG installers downloaded from 3CX. On Windows, 3CXDesktopApp.exe loads ffmpeg.dll, which decrypts shellcode from d3dcompiler_47.dll using the RC4 key 3jB(2bsG#@c7 and then sleeps for a randomized 1-4 week period before contacting infrastructure. The malware retrieves icon files from the removed IconStorages GitHub repository and extracts C2 URLs such as officestoragebox[.]com/api/session, then can load a backdoor for additional malware. Unit 42 observed blocked shellcode activity across 127 Cortex XDR customers and noted broad exposure because 3CX applications were fingerprinted on hundreds of thousands of IP addresses worldwide.
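The following Python is an added detection example, not Unit 42's code nor anything from the brief: it flags DNS lookups and proxy URLs that match the defanged C2 indicator quoted above, with exact-or-subdomain matching and path matching. The one-line-per-event log format, the sample lines and the extension of the indicator list beyond the quoted domain are constructed assumptions.

```python
# Added detection example (not Unit 42 code). Flags DNS lookups and proxy URLs
# matching the defanged C2 indicators named in the brief. Log format and the
# sample lines below are constructed assumptions.
import re

# Seeded from the brief's prose; in practice extend from its IoC table rows.
C2_INDICATORS = ["officestoragebox[.]com", "officestoragebox[.]com/api/session"]

def refang(indicator: str) -> str:
    """Turn defanged notation ('[.]', 'hxxp') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip("/")

def split_indicator(indicator: str) -> tuple:
    """Return (domain, path); path is '' for a bare domain indicator."""
    bare = re.sub(r"^https?://", "", refang(indicator))
    domain, _, path = bare.partition("/")
    return domain, ("/" + path if path else "")

def matches(host: str, path: str, indicator: str) -> bool:
    """Exact or subdomain match on the domain; prefix match on the URL path."""
    ind_domain, ind_path = split_indicator(indicator)
    host = host.lower().rstrip(".")
    host_ok = host == ind_domain or host.endswith("." + ind_domain)
    return host_ok and path.lower().startswith(ind_path)

# Constructed one-line-per-event format: "<ts> <src_ip> dns|http <target>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns|http) (?P<target>\S+)$")

def scan_log(lines, indicators=C2_INDICATORS) -> list:
    """Return one hit dict per log line that matches at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the scan
        if m["kind"] == "http":
            host, _, rest = re.sub(r"^https?://", "", m["target"]).partition("/")
            path = "/" + rest
        else:
            host, path = m["target"], ""
        matched = [i for i in indicators if matches(host, path, i)]
        if matched:
            hits.append({"ts": m["ts"], "src": m["src"], "target": m["target"],
                         "indicators": matched})
    return hits

SAMPLE_LOG = [  # constructed, not real telemetry
    "2023-03-30T10:00:01Z 10.0.0.5 dns officestoragebox.com",
    "2023-03-30T10:00:02Z 10.0.0.5 http https://officestoragebox.com/api/session",
    "2023-03-30T10:00:03Z 10.0.0.7 dns notofficestoragebox.com",
    "2023-03-30T10:00:04Z 10.0.0.8 dns update.microsoft.com",
]
```

Running `scan_log(SAMPLE_LOG)` yields two hits from host 10.0.0.5; the look-alike `notofficestoragebox.com` is correctly not matched because the subdomain check requires a dot boundary.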
Indicators of Compromise