On 22 March 2023 multiple AV and EDR products began identifying anomalous behavior originating from the main process for the 3CX desktop application (3CXDesktopApp.exe), a legitimate PBX application used by customers across the globe. Behavior in many cases was interpreted as a false positive and exceptions to EDR and AV products were set by many organizations.
Figure 1. Unfortunately, many instances of this behavior were incorrectly flagged as false positives, resulting in customers setting poorly scoped exceptions[1].
Almost a week later, additional behavior was observed on affected endpoints. This was the start of a large scale cyber-attack that originated from a supply chain attack on 3CX and is reported to be associated with a DPRK based threat actor[2]. Malware associated with this campaign is being tracked by SentinelOne as ‘SmoothOperator’ and Microsoft as ‘SamScissors’. All new installers for the Electron based 3CX Desktop App contained back doored versions of key dlls, and any existing 3CX Desktop Apps updated over this time period were updated with the back doored versions. Once installed, the application would execute the trojanized dlls, resulting in the execution of a series of loaders. The loaders had three stages, culminating in the installation of what appears to be infostealer malware. It is important to note the 7 day delay between initial installation of the back doored 3CX application and loading of the final payload. The attack diagram below summarizes the infection chain for this campaign.
Figure 2. The following diagram illustrates the infection process following update of 3CX Desktop App software whilst compromised. For installs of the back doored software the infection process is the same however Updater.exe does not spawn.
Adversary infrastructure associated with this campaign has been removed so any network connections to the GitHub page hosting the final C2 addresses after ~0119h UTC 29 March 2023 can be considered ineffective. Successful network connections prior to this date should be investigated for potential infostealer activity.
FortiEDR detects and mitigates this campaign out-of-the-box and has effectively mitigated this attack in the wild (ITW) within customer environments prior to any known reporting on this threat, thanks to its advanced detection capability. These detections are a mixture of behavior based detections (what a process/endpoint is doing) and signature based detections based on known atomic indicators (what a file or network connection is). This article will provide detail on security events generated as a result of this campaign and how additional FortiEDR telemetry, through Threat Hunting, can be used to identify potentially compromised hosts before the final callback. This information can be used to identify endpoints still running the loaders to assist remediation.
To analyze FortiEDR detections, an installer file () was executed in a test environment. On execution of the installer, FortiEDR will generate a ‘Dynamic Code’ event as the 3CX Desktop application opens a listening socket on port 5566. This is related to standard operation of the executable and an exception for this rule can be safely set. In isolation this is NOT indicative of compromise.
Figure 3. FortiEDR detects installation of the 3CX Desktop App with a dynamic code exception event. This is a false positive for both the legitimate and the back doored application due to implementation of the 3CX software.
Once installed, threat hunting can be used to identify any of the back doored dlls associated with this campaign. The malicious dlls employed as part of this campaign are now well known, and the threat hunting query below will identify any activity associated with these files. The threat hunting data available within an environment is configurable, but the default threat hunting profile (Inventory profile) will detect these files if a periodic file scan has been configured.
| Filename | SHA1 Hash | Description |
|---|---|---|
| ffmpeg.dll | bf939c9c261d27ee7bb92325cc588624fca75429 | First stage loader loaded by 3CXDesktopApp.exe |
| ffmpeg.dll | 188754814b37927badc988b45b7c7f7d6b4c8dd3 | First stage loader loaded by 3CXDesktopApp.exe |
| d3dcompiler_47.dll | 20d554a80d759c50d6537dd7097fed84dd258b3e | Second stage loader loaded by 3CXDesktopApp.exe |

Table 1. List of back doored dlls associated with this campaign
Figure 4. FortiEDR Threat Hunting data associated with loading of back doored dlls. The full query to check for this activity is in the Threat Hunting exception below.
The above dlls are only loaders for the final payload. To request the final payload, the final loader waits 7 days from installation and then retrieves an encoded ‘.ico’ file from GitHub that, when decoded, contains a list of domains to be used for C2. Once this list has been retrieved, the loader downloads the final payload and reflectively loads it directly into memory. This behavior is detected and blocked by FortiEDR as an ‘Unmapped Executable’. In protect mode this behavior is blocked, ending the attack chain and preventing further compromise. An example of the created security event is shown below in Figure 5.
Figure 5. FortiEDR security event created when the final payload reflectively loaded into the 3CXDesktopApp.exe process attempted to make a network connection to C2. This was blocked by FortiEDR.
The ‘Unmapped Executable’ rule is very rarely a false positive and should always be heavily scrutinized before applying an exception. False positives may occur as a result of interference by other security products like other AV solutions but this is rare.
Post-exploitation activity associated with this intrusion has not been directly observed by the FortiEDR research team or the FortiGuard Managed Detection and Response team in FortiEDR protected environments, as the observed intrusions were blocked before further activity could occur. Reports from other vendors indicate the campaign progressed with the deployment of infostealer malware[3].
As highlighted above, FortiEDR uses behavior based detections which were able to detect and block this supply chain attack without any prior knowledge. In addition to these advanced capabilities FortiEDR is also integrated with FortiGuard Threat Intelligence which allows for the automatic application of known threat signatures from the FortiGuard Threat Intelligence database. In the case of this campaign, the loading of any of the identified back doored libraries will be flagged as a malicious file event and will be identified as a ‘SmoothOperator’ Trojan as shown in Figure 6 below.
Figure 6. FortiEDR’s integration with FortiGuard threat intelligence identifies known signatures like those linked to SmoothOperator from this campaign.
This campaign is a robust example of a supply chain attack and highlights the importance of layered behavior based detections like those found in modern EDR solutions such as FortiEDR. Without granular layered detections, false positives can force customers to implement poorly scoped exceptions like those discussed in Figure 1 which can degrade the effectiveness of security solution investments. FortiEDR and FortiGuard MDR customers have been protected from this campaign however if additional expert advice is wanted or post-exploitation activity is suspected please contact the FortiGuard Incident Response team for assistance here: https://www.fortinet.com/solutions/enterprise-midsize-business/security-as-a-service/fortiguard-inci...
The following threat hunting queries can be used to detect historic activity associated with this campaign. Note that the appropriate Threat Hunting profiles need to have been in place at the time of detection and/or scheduled inventory scans need to have been set for the data to be available.
The following threat hunting query will identify ‘File Detected’ events for executables matching the back doored stagers downloaded as part of a compromised 3CX install or update. These events will be generated with the default ‘Inventory Profile’ if an inventory scan was conducted at the time of infection. There are no FPs associated with this query.
Type:"File Detected" AND (Target.File.SHA1:"bf939c9c261d27ee7bb92325cc588624fca75429" OR Target.File.SHA1:"188754814b37927badc988b45b7c7f7d6b4c8dd3" OR Target.File.SHA1:"20d554a80d759c50d6537dd7097fed84dd258b3e")
The following threat hunting query will identify ‘Library Loaded’ events for executables with file hash matching the back doored stagers downloaded as part of a compromised 3CX install or update. There are no FPs associated with this query.
Type:"Library Loaded" AND (Target.Executable.File.SHA1:"bf939c9c261d27ee7bb92325cc588624fca75429" OR Target.Executable.File.SHA1:"188754814b37927badc988b45b7c7f7d6b4c8dd3" OR Target.Executable.File.SHA1:"20d554a80d759c50d6537dd7097fed84dd258b3e")
The following threat hunting query will identify ‘HTTP Request’ events for the known GitHub URL that previously hosted an encoded C2 domain list. There are no FPs associated with this query.
Type:"HTTP Request" AND URL:"http\:\/\/raw.githubusercontent.com\/IconStorages\/images\/main/icon13.ico"
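As an added illustration of the three hunting queries above (this is not FortiEDR code and not its API), the following Python applies the same three checks to telemetry exported as records. The record field names (Type, Target.File.SHA1, Target.Executable.File.SHA1, URL) mirror the query syntax; the host field, the function names and SAMPLE_EVENTS are assumptions constructed for the example, while the hashes and the URL are those listed in this article. It also includes a fallback that hashes file contents directly, for hosts where no inventory scan was scheduled and therefore no ‘File Detected’ events exist.

```python
"""Hunt for the 3CX stager hashes and the GitHub resolver URL in telemetry.

Added example (not FortiEDR code or its API). Field names mirror the query
syntax used in the article: Type, Target.File.SHA1, Target.Executable.File.SHA1
and URL. SAMPLE_EVENTS is a constructed set of records; the hashes and URL are
the ones listed in the article.
"""
import hashlib

# SHA1 hashes of the back doored stagers from Table 1.
STAGER_SHA1 = {
    "bf939c9c261d27ee7bb92325cc588624fca75429": "ffmpeg.dll (stage 1)",
    "188754814b37927badc988b45b7c7f7d6b4c8dd3": "ffmpeg.dll (stage 1)",
    "20d554a80d759c50d6537dd7097fed84dd258b3e": "d3dcompiler_47.dll (stage 2)",
}
# URL from the 'HTTP Request' query: the encoded C2 list that was hosted on GitHub.
RESOLVER_URL = "http://raw.githubusercontent.com/IconStorages/images/main/icon13.ico"


def match_event(event):
    """Apply the three hunting queries to one record.

    Returns a short label describing which query matched, or None.
    Hash comparison is case-insensitive because telemetry sources differ in
    the case they emit for hex digests.
    """
    etype = event.get("Type")
    if etype == "File Detected":
        sha1 = event.get("Target.File.SHA1", "").lower()
        if sha1 in STAGER_SHA1:
            return "File Detected: " + STAGER_SHA1[sha1]
    elif etype == "Library Loaded":
        sha1 = event.get("Target.Executable.File.SHA1", "").lower()
        if sha1 in STAGER_SHA1:
            return "Library Loaded: " + STAGER_SHA1[sha1]
    elif etype == "HTTP Request":
        if event.get("URL", "") == RESOLVER_URL:
            return "HTTP Request: dead drop resolver URL"
    return None


def hunt(events):
    """Return (host, label) for every record that matches a hunting query."""
    hits = []
    for event in events:
        label = match_event(event)
        if label:
            hits.append((event["host"], label))
    return hits


def find_stagers(files):
    """Hash file contents and report any that match a stager.

    `files` maps a path to the file's bytes. This is a fallback for hosts where
    no inventory scan was scheduled at the time of infection, so no
    'File Detected' records exist to query.
    """
    hits = []
    for path, data in files.items():
        digest = hashlib.sha1(data).hexdigest()
        if digest in STAGER_SHA1:
            hits.append((path, STAGER_SHA1[digest]))
    return hits


# Constructed telemetry records (not real data).
SAMPLE_EVENTS = [
    {"host": "ws01", "Type": "Library Loaded",
     "Target.Executable.File.SHA1": "BF939C9C261D27EE7BB92325CC588624FCA75429"},
    {"host": "ws02", "Type": "File Detected",
     "Target.File.SHA1": "20d554a80d759c50d6537dd7097fed84dd258b3e"},
    {"host": "ws03", "Type": "HTTP Request", "URL": RESOLVER_URL},
    {"host": "ws04", "Type": "Library Loaded",
     "Target.Executable.File.SHA1": "0000000000000000000000000000000000000000"},
    {"host": "ws05", "Type": "HTTP Request",
     "URL": "https://raw.githubusercontent.com/IconStorages/images/main/icon12.ico"},
]

if __name__ == "__main__":
    for host, label in hunt(SAMPLE_EVENTS):
        print(host, label)
```

The URL check is an exact match, as in the hunting query; a broader match on the GitHub path prefix would also catch variant requests but is more likely to produce false positives, which the article notes this query does not have.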
| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1195 | Supply Chain Compromise: Compromise Software Supply Chain | Threat actors compromised the 3CX supply chain so that all installers and updates included back doored components. |
| T1204.002 | User Execution: Malicious File | This campaign required users to either download and install 3CX software via a compromised installer or to apply updates which would replace existing legitimate software with a back doored version. |
| T1574.002 | Hijack Execution Flow: DLL Side-Loading | The first stage loader associated with this intrusion is side-loaded. |
| T1620 | Reflective Code Loading | The final loader associated with this intrusion reflectively loads its final payload into the hosting ‘3CXDesktopApp.exe’ process before attempting to contact GitHub to retrieve the C2 domain listing. This is detected by FortiEDR as an ‘Unmapped Executable’. |
| T1071.001 | Application Layer Protocols: Web Protocols | C2 communication was via web requests to multiple C2 domains. The final loader retrieves the C2 list from GitHub via a web request. |
| T1102.001 | Web Service: Dead Drop Resolver | The final payload reaches out to a dead drop resolver URL on GitHub that hosts an encoded list of C2 domains. This GitHub page was removed by GitHub on ~29 March 2023 and is no longer active. |
| T1140 | Deobfuscate/Decode Files or Information | The C2 domain list hosted on GitHub was encoded and was decoded by the in-memory payload once retrieved. |
FortiGuard Threat Intelligence maintains an up to date database of emerging threats such as this so all indicators are available to FortiEDR. Details of this threat intelligence can be found on the associated FortiGuard Outbreak page: https://www.fortiguard.com/outbreak-alert/3cx-supply-chain-attack
| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed |
|---|---|---|---|---|---|
| SmoothOperator C2 Domain | akamaicontainer[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | akamaitechcloudservices[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | azuredeploystore[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | azureonlinecloud[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | azureonlinestorage[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | dunamistrd[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | glcloudservice[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | journalide[.]org | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | msedgepackageinfo[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | msstorageazure[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | msstorageboxes[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | officeaddons[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | officestoragebox[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | pbxcloudeservices[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | pbxphonenetwork[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | pbxsources[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | qwepoi123098[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | sbmsa[.]wiki | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | sourceslabs[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | visualstudiofactory[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | zacharryblogs[.]com | Domain | Command and Control | SmoothOperator final C2 domain | 22 Mar 23 |
| SmoothOperator C2 Domain | raw.githubusercontent[.]com/IconStorages/images/main/icon13.ico | Domain | Installation | URL hosting encoded final C2 domains. Has since been removed by GitHub. | 22 Mar 23 |
| SmoothOperator Windows Installer | 6285ffb5f98d35cd98e78d48b63a05af6e4e4dea | SHA1 hash | Installation | Back doored Windows installer | 22 Mar 23 |
| SmoothOperator Windows Installer | 8433a94aedb6380ac8d4610af643fb0e5220c5cb | SHA1 hash | Installation | Back doored Windows installer | 22 Mar 23 |
| SmoothOperator MacOS Installer | 5d833bcc679db38a45111269e727ec58b75c8d31 | SHA1 hash | Installation | Back doored MacOS installer | 22 Mar 23 |
| SmoothOperator MacOS Installer | f3487a1324f4c11b35504751a5527bc60eb95382 | SHA1 hash | Installation | Back doored MacOS installer | 22 Mar 23 |
| SmoothOperator Stage 1 loader | bf939c9c261d27ee7bb92325cc588624fca75429 | SHA1 hash | Installation | Back doored Windows dll. First stage. ‘ffmpeg.dll’ | 22 Mar 23 |
| SmoothOperator Stage 1 loader | 188754814b37927badc988b45b7c7f7d6b4c8dd3 | SHA1 hash | Installation | Back doored Windows dll. First stage. ‘ffmpeg.dll’ | 22 Mar 23 |
| SmoothOperator Stage 2 loader | 20d554a80d759c50d6537dd7097fed84dd258b3e | SHA1 hash | Installation | Back doored Windows dll. Second stage. ‘d3dcompiler_47.dll’ | 22 Mar 23 |
| SmoothOperator MacOS dylib | 769383fc65d1386dd141c960c9970114547da0c2 | SHA1 hash | Installation | Back doored MacOS dylib ‘libffmpeg.dylib’ | 22 Mar 23 |
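As an added example that is not part of the Fortinet article, the following Python refangs the defanged C2 domains from the indicator table and classifies DNS and proxy log lines against them. A lookup of a C2 domain (or a subdomain of it) is flagged, and a request for the GitHub resolver URL is split by the ~0119h UTC 29 March 2023 takedown time noted earlier: a retrieval before that time could have succeeded and warrants an infostealer investigation, while one after it still identifies a host running the loader that needs remediation. The log line format, host names, function names and SAMPLE_LOG are assumptions constructed for this example; the domains, URL and takedown time are from the article.

```python
"""Triage DNS and proxy log lines against the SmoothOperator indicators.

Added example (not Fortinet code). Assumed log format, one record per line:
  <ISO-8601 UTC timestamp> <host> <dns|http> <queried name or full URL>
The domains, URL and takedown time come from the article; SAMPLE_LOG is constructed.
"""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Defanged C2 domains from the indicator table, refanged once at import time.
C2_DOMAINS_DEFANGED = [
    "akamaicontainer[.]com", "akamaitechcloudservices[.]com", "azuredeploystore[.]com",
    "azureonlinecloud[.]com", "azureonlinestorage[.]com", "dunamistrd[.]com",
    "glcloudservice[.]com", "journalide[.]org", "msedgepackageinfo[.]com",
    "msstorageazure[.]com", "msstorageboxes[.]com", "officeaddons[.]com",
    "officestoragebox[.]com", "pbxcloudeservices[.]com", "pbxphonenetwork[.]com",
    "pbxsources[.]com", "qwepoi123098[.]com", "sbmsa[.]wiki", "sourceslabs[.]com",
    "visualstudiofactory[.]com", "zacharryblogs[.]com",
]
RESOLVER_URL = "http://raw.githubusercontent.com/IconStorages/images/main/icon13.ico"
# The GitHub resource was removed at about 01:19 UTC on 29 March 2023.
TAKEDOWN = datetime(2023, 3, 29, 1, 19, tzinfo=timezone.utc)


def refang(indicator):
    """Turn the defanged form 'example[.]com' back into a matchable name."""
    return indicator.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def c2_domain_for(name):
    """Return the matching C2 domain if `name` is it or a subdomain of it."""
    name = name.lower().rstrip(".")
    for domain in C2_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def classify(line):
    """Classify one log line; returns (host, verdict) or None when nothing matches."""
    ts_text, host, kind, target = line.split(maxsplit=3)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if kind == "http":
        if target == RESOLVER_URL:
            # Before takedown the C2 list may have been retrieved, so treat this as
            # a likely successful callback. After takedown the fetch cannot have
            # worked, but the host is still running the loader and needs cleanup.
            verdict = "resolver-before-takedown" if ts < TAKEDOWN else "resolver-after-takedown"
            return host, verdict
        name = urlparse(target).hostname or ""
    else:
        name = target
    domain = c2_domain_for(name)
    if domain:
        return host, "c2-domain:" + domain
    return None


def triage(lines):
    """Run classify over a log and collect the hits in order."""
    return [hit for hit in (classify(l) for l in lines if l.strip()) if hit]


# Constructed log lines (not real data).
SAMPLE_LOG = [
    "2023-03-25T10:02:11Z ws07 dns msstorageazure.com",
    "2023-03-28T22:40:05Z ws09 http http://raw.githubusercontent.com/IconStorages/images/main/icon13.ico",
    "2023-03-30T08:00:00Z ws10 http http://raw.githubusercontent.com/IconStorages/images/main/icon13.ico",
    "2023-03-26T12:00:00Z ws11 dns www.example.com",
    "2023-03-26T12:05:00Z ws12 dns cdn.akamaicontainer.com",
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOG):
        print(host, verdict)
```

Subdomain matching is deliberate: a DNS log may record a name such as a CDN-style prefix under one of the C2 domains, and a suffix comparison catches it without matching unrelated domains that merely contain the string.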
[1] https://twitter.com/malwrhunterteam/status/1641213984744304644/photo/4
[2] https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
[3] https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/
Copyright 2023 Fortinet, Inc. All Rights Reserved.