Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/03/30/backdoored-3cxdesktopapp-installer-used-in-active-threat-campaign/

Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign

Emergent threats evolve quickly. We will update this blog with new information as it comes to light and we are able to verify it. Erick Galinkin, Ted Samuels, Zach Dayton, Caitlin Condon, Stephen Fewer, and Christiaan Beek all contributed to this blog.

On Wednesday, March 29, 2023, multiple security firms issued warnings about malicious activity coming from a legitimate, signed binary from communications technology company 3CX. The binary, 3CXDesktopApp, is popular video-conferencing software available for download on all major platforms. Several analyses have attributed the threat campaign to state-sponsored threat actors.

Rapid7’s threat research teams analyzed the 3CXDesktopApp Windows binary and confirmed that the 3CX MSI installer drops the following files: 3CXDesktopApp.exe, a benign file that loads the backdoored ffmpeg.dll, which reads an RC4-encrypted blob after the hexadecimal demarcation of fe ed fa ce in d3dcompiler.dll. The RC4-encrypted blob in d3dcompiler.dll is executable code that is reflectively loaded and retrieves .ico files with appended Base64-encoded strings from GitHub. The encoded strings appear to be command-and-control (C2) communications. There is a non-exhaustive list of indicators of compromise (IOCs) at the end of this blog.

Trending
Three Weird 90s Computer Mice: Burgers, Corvettes, and Chaos

Rapid7 reached out to GitHub’s security team the evening of March 29 about the GitHub repository being used as adversary infrastructure in this campaign. As of 9:40 PM ET, the malicious user has been suspended and the repository is no longer available.

Rapid7 Managed Detection and Response (MDR) has observed the backdoored 3CX installer and components in several customer environments as of March 29, 2023. Rapid7 MDR is in contact with customers that we believe may be impacted.

Mitigation Guidance

Official guidance from 3CX confirms that the Windows Electron client running update 7 is affected. However, security firm CrowdStrike indicated in a Reddit thread on March 29 that malicious activity has been observed on both Windows and Mac. Out of an abundance of caution, a conservative mitigation strategy would be to uninstall 3CXDesktopApp on all platforms and remove any artifacts left behind. Users should retroactively hunt for indicators of compromise and block known-bad domains. There is a non-exhaustive list of known-bad domains and malicious file hashes at the end of this blog.

3CX has a browser-based Progressive Web App (PWA) that does not require the user to download an executable file. Their CEO has suggested users leverage this PWA for the time being instead of downloadable clients.

Rapid7 customers

The following new rules have been added for Rapid7 InsightIDR and Managed Detection & Response (MDR) customers and will alert on known-bad hashes and file versions of the backdoored executable, as well as known-bad domains in WEB_PROXY and DNS logs:

  • Suspicious Web Request – 3CX Desktop Supply Chain Compromise
  • Suspicious DNS Request – 3CX Desktop Supply Chain Compromise
  • Suspicious Process – 3CX Desktop Supply Chain Compromise

InsightVM and Nexpose customers can use Query Builder or a Filtered Asset Search to find assets in their environment with 3CX installed using Software Name contains 3CX Desktop App.

A Velociraptor artifact is available here.

Indicators of compromise

A non-exhaustive list of known-bad domains is below. We advise blocking these immediately:

akamaicontainer[.]com
akamaitechcloudservices[.]com
azuredeploystore[.]com
azureonlinecloud[.]com
azureonlinestorage[.]com
convieneonline[.]com
dunamistrd[.]com
glcloudservice.[.]
journalide[.]org
msedgepackageinfo[.]com
msstorageazure[.]com
msstorageboxes[.]com
officeaddons[.]com
officestoragebox[.]com
pbxcloudeservices[.]com
pbxphonenetwork[.]com
pbxsources[.]com
qwepoi123098[.]com
sbmsa[.]wiki
sourceslabs[.]com
Soyoungjun[.]com
visualstudiofactory[.]com
zacharryblogs[.]com

More granular URLs our team has decrypted from C2 communications include:

hxxps[://]akamaitechcloudservices[.]com/v2/storage
hxxps[://]azuredeploystore[.]com/cloud/services
hxxps[://]azureonlinestorage[.]com/azure/storage
hxxps[://]glcloudservice[.]com/v1/console
hxxps[://]msedgepackageinfo[.]com/microsoft-edge
hxxps[://]msedgeupdate[.]net/Windows
hxxps[://]msstorageazure[.]com/window
hxxps[://]msstorageboxes[.]com/office
hxxps[://]officeaddons[.]com/technologies
hxxps[://]officestoragebox[.]com/api/session
hxxps[://]pbxcloudeservices[.]com/phonesystem
hxxps[://]pbxphonenetwork[.]com/voip
hxxps[://]pbxsources[.]com/exchange
hxxps[://]sourceslabs[.]com/downloads
hxxps[://]visualstudiofactory[.]com/workload
hxxps[://]www[.]3cx[.]com/blog/event-trainings/
hxxps[://]zacharryblogs[.]com/feed

File hashes:

Compromised MSI: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 

3CXDesktopApp.exe: fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405
ffmpeg.dll: 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
d3dcompiler_47.dll: 11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03

The following file hashes have been reported as related and malicious by the community but not independently verified by Rapid7 analysts:

dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc
92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61
b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb