Update 2: 3CX users under DLL-sideloading attack: What you need to know

Sophos X-Ops is tracking a developing situation concerning a seeming supply-chain attack, possibly undertaken by a nation-state-related group. This page provides an overview of the situation, a threat analysis, information for hunters, and information on detection protection.

We will update this page as events and understanding develop, including our threat and detection guidance.

[Latest version published 3:30pm PDT 30-March-23, adding detail on affected versions, misuse of ffmpeg.dll, removal of malicious repository, comparison of PE shellcode loader to that used by Lazarus threat group, three more queries customers may use to determine their exposure to the attack, and various additional detections]

Overview

The affected software is 3CX – a legitimate software-based PBX phone system available on Windows, MacOS, Linux, Android, and iOS. Some Windows and MacOS versions of the application have been abused by the threat actor to add an installer that communicates with various command-and-control (C2) servers.

The software is a digitally signed version of the softphone desktop client for both Windows and MacOS, which includes a malicious payload. According to 3CX, their Update 7 for Windows, version numbers 18.12.407 and 18.12.416, and Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 and 18.12.416, are affected. The most common post-exploitation event we have observed to date is the presence of an infostealer that targets the browser(s) on a compromised system. At this writing, 3CX has deprecated the affected versions of the Windows application.

At present, the only platforms confirmed by our customer data to be affected are Windows and MacOS, which is in agreement with 3CX’s information on affected platforms. According to information on their support forum, Android and iOS versions of the software are not believed to be affected.

Threat analysis

On March 22, users of 3CX began discussion of potential false-positive detections of 3CXDesktopApp by their endpoint security agents.

Figure 1: The update process at the moment the malicious version drops

Sophos MDR first identified malicious activity directed at its own customers and stemming from 3CXDesktopApp on March 29, 2023. Additionally, Sophos MDR has observed the campaign leveraging a public file storage to host encoded malware. This repository has been in use since December 8, 2022; after news of the compromise spread widely on March 29, the repository was taken down.

The attack revolves around a DLL sideloading scenario, one with a remarkable number of components involved. This is likely to ensure that customers were able to use the 3CX desktop package without noticing anything unusual about the affected package. We have identified three crucial components:

3CXDesktopApp.exe, the clean loader
d3dcompiler_47.dll, a DLL with an appended encrypted payload
ffmpeg.dll, a Trojanized loader

Figure 2 presents a high-level look at the attack flow as it works in Windows; there are some minor variations in the later steps with the MacOS version.

Figure 2: A high-level view of the attack flow

The file ffmpeg.dll contains an embedded URL which retrieved a malicious encoded .ico payload from GitHub file storage at https[:]//raw.githubusercontent.com/IconStorages/images/main/ — though, again, once news of the compromise spread widely, this repository was taken down.

We saw several variations on the ffmpeg.dll file, including one that was signed by 3CX’s own certificate; these appear to be maliciously patched versions of the legitimate ffmpeg.dll. In a statement on Thursday, the team responsible for ffmpeg’s source code took pains to distance their work from the 3CX compromise.

Figure 3: When ffmpeg stepped onto Twitter to defend its code

In a normal DLL sideloading scenario, the malicious loader (ffmpeg.dll) would replace the clean dependency; its only function would be to queue up the payload. However, in this case, that loader is also entirely functional, as it would normally be in the 3CX product – instead, there’s an additional payload inserted at the DllMain function. This adds bulk, but may have lowered suspicions – the abused 3CX application functions as expected, even as the Trojan addresses reached out to the C2 beacon.

Figure 4: What the affected 3CX developers and customers experienced

Allowing the abused software to remain functional is not dissimilar to other DLL sideloading cases we’ve seen, but this campaign is slightly different even from the current rash of DLL sideloading cases we’ve seen. In particular, we’ve noted that the PE shellcode loader in use is unique in our experience. Previous to this, we’ve only seen it in incidents attributed to the Lazarus group; the code in this incident is a byte-to-byte match to those previous samples.

Hunting information

Determining impact with Sophos XDR

1. Determining whether hosts have communicated with threat actor infrastructure: Data Lake

The below query will search for hosts that have communicated with the various known URLs in use by this campaign.

SELECT
meta_hostname,
sophos_pids,
domain,
clean_urls,
source_ips,
destination_ips,
timestamps,
ingestion_timestamp
FROM
xdr_data
WHERE
query_name = ‘sophos_urls_windows’
AND
(LOWER(domain) LIKE ‘%akamaicontainer[.]com%’
OR LOWER(domain) LIKE ‘%akamaitechcloudservices[.]com%’
OR LOWER(domain) LIKE ‘%azuredeploystore[.]com%’
OR LOWER(domain) LIKE ‘%azureonlinecloud[.]com%’
OR LOWER(domain) LIKE ‘%azureonlinestorage[.]com%’
OR LOWER(domain) LIKE ‘%dunamistrd[.]com%’
OR LOWER(domain) LIKE ‘%glcloudservice[.]com%’
OR LOWER(domain) LIKE ‘%journalide[.]org%’
OR LOWER(domain) LIKE ‘%msedgepackageinfo[.]com%’
OR LOWER(domain) LIKE ‘%msstorageazure[.]com%’
OR LOWER(domain) LIKE ‘%msstorageboxes[.]com%’
OR LOWER(domain) LIKE ‘%officeaddons[.]com%’
OR LOWER(domain) LIKE ‘%officestoragebox[.]com%’
OR LOWER(domain) LIKE ‘%pbxcloudeservices[.]com%’
OR LOWER(domain) LIKE ‘%pbxphonenetwork[.]com%’
OR LOWER(domain) LIKE ‘%pbxsources[.]com%’
OR LOWER(domain) LIKE ‘%qwepoi123098[.]com%’
OR LOWER(domain) LIKE ‘%sbmsa[.]wiki%’
OR LOWER(domain) LIKE ‘%sourceslabs[.]com%’
OR LOWER(domain) LIKE ‘%visualstudiofactory[.]com%’
OR LOWER(domain) LIKE ‘%zacharryblogs[.]com%’
OR (LOWER(domain) LIKE ‘%raw.githubusercontent[.]com%’ AND LOWER(clean_urls) LIKE ‘%/iconstorages/images/main/%’))

2. Determining whether hosts have interacted with malicious files

SELECT f.filename, f.directory, ROUND((f.size * 10e-7),2) AS size_MB, h.sha256, f.type,
f.attributes, f.mode,
datetime(f.btime,’unixepoch’) AS file_created_time,
datetime(f.atime,’unixepoch’) AS file_last_access_time,
datetime(f.mtime,’unixepoch’) AS file_last_modified_time,
datetime(f.ctime,’unixepoch’) AS file_last_status_change_time,
f.uid, u.username AS file_owner
FROM file f
LEFT JOIN users u ON f.uid = u.uid
LEFT JOIN groups g ON f.gid = g.gid
LEFT JOIN hash h ON f.path = h.path
WHERE f.path like ‘c:users%appdatalocalprograms3cxdesktopappapp%’
AND (f.filename = ‘ffmpeg.dll’
OR f.filename LIKE ‘d3dcompiler%.dll’
OR f.filename = ‘trololo.dll’)
AND (h.sha256 = ‘c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02′
OR h.sha256 = ’11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03’
OR h.sha256 = ‘7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896’
OR h.sha256 = ‘aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973’)

3. Determining whether hosts are running affected versions

SELECT
MIN(ingestion_timestamp) AS first_seen,
MAX(ingestion_timestamp) AS last_seen,
meta_hostname,
ARRAY_JOIN(ARRAY_AGG(DISTINCT(meta_hostname)), ‘, ‘) AS hosts,
ARRAY_JOIN(ARRAY_AGG(sophos_pid),’, ‘) AS spids,
LOWER(name) AS name,
sha256,
company_name,
file_description,
file_size,
file_version,
original_filename
FROM
xdr_data
WHERE
query_name = ‘running_processes_windows_sophos’
AND (
LOWER(name) = ‘3cxdesktopapp.exe’
OR LOWER(original_filename) = ‘3cxdesktopapp.exe’
OR LOWER(product_name) =’3cx desktop app’)
GROUP by
meta_hostname,
LOWER(name),
sha256,
company_name,
file_description,
file_size,
file_version,
original_filename
ORDER BY
meta_hostname desc

4. Determining whether hosts have communicated with threat actor infrastructure, for MacOS

SELECT 
    meta_hostname,
    date_format(from_unixtime(time), ‘%Y-%m-%d %H:%i:%s’) AS date_time,
    ingestion_timestamp
    pid,
    name,
    cmdline,
    path,
    parent,
    gid,
    uid,
    euid,
    egid,
    sha1,
    sha256
FROM 
    xdr_data
WHERE 
    query_name = ‘running_processes_osx_events’
    AND LOWER(cmdline) LIKE ‘%sh -c%’
    AND LOWER(cmdline) LIKE ‘%/3cx desktop app/updateagent%’

We also recommend that users of 3CX’s software continue to monitor the company’s communications channels; they have a blog and also a support-and-information forum. As of March 30, the company was recommending that customers uninstall and reinstall the app, and suggested that they might also use the company’s browser-based PWA client while the situation was sorted out.

An updated list of IOCs for this attack is published on our GitHub.

Detection protection

SophosLabs has blocked the malicious domains and published the following detections:

Static detections:

Troj/Loader-AF (Trojanized ffmpeg.dll)
Troj/Mdrop-JTQ (installers)
OSX/Mdrop-JTR (installers)
OSX/Loader-AG (Trojanized ffmpeg.dll)

Reputation detection:

Mal/Generic-R / Mal/Generic-S (d3dcompiler with appended shellcode)

Memory detection:

Mem/Loader-AH

We have also blocked the list of known C2 domains associated with the threat and will continue to add to that list in the IOC file on our GitHub, as noted above. Finally, the two malicious versions of the ffmpeg.dll bundled in the affected 3CXapplication are flagged by their hashes as being of low reputation.

SophosLabs is actively investigating additional detection opportunities for activity stemming from this software. In addition, for customers of Sophos MDR, the MDR Detection Engineering team has a variety of behavioral detections in place that will detect follow up activity.

Latest Posts