
Update 2: 3CX users under DLL-sideloading attack: What you need to know

Sophos X-Ops is tracking a developing situation concerning a seeming supply-chain attack, possibly undertaken by a nation-state-related group. This page provides an overview of the situation, a threat analysis, information for hunters, and information on detection protection.

We will update this page as events and understanding develop, including our threat and detection guidance.

[Latest version published 02:00 UTC 06-April-23, adding detections; included analysis notes re infostealer seeking config.json in the 3CX application and re three files dropped by libffmpeg.dylib; adjusted language re OSX/PWS-CMV detection

23:00 UTC 01-April-23, adding Troj/Steal-DLG to Detection Protections/Static detection, two more queries customers may use to determine their exposure to the attack, new analysis of an emergent line of inquiry concerning a timestamp mechanism in the malicious code, and information on analysis of other Electron-built apps using ffmpeg.dll

23:30 UTC 30-March-23, adding detail on affected versions, misuse of ffmpeg.dll, removal of malicious repository, comparison of PE shellcode loader to that used by Lazarus threat group, more queries customers may use to determine their exposure to the attack, and various additional detections]

Overview

The affected software is 3CX – a legitimate software-based PBX phone system available on Windows, MacOS, Linux, Android, and iOS. Some Windows and MacOS versions of the application have been abused by the threat actor to add an installer that communicates with various command-and-control (C2) servers.

The software is a digitally signed version of the softphone desktop client for both Windows and MacOS, which includes a malicious payload. According to 3CX, their Update 7 for Windows, version numbers 18.12.407 and 18.12.416, and Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 and 18.12.416, are affected. The most common post-exploitation event we have observed to date is the presence of an infostealer that targets the browser(s) on a compromised system. At this writing, 3CX has deprecated the affected versions of the Windows application.

At present, the only platforms confirmed by our customer data to be affected are Windows and MacOS, which is in agreement with 3CX’s information on affected platforms. According to information on their support forum, Android and iOS versions of the software are not believed to be affected.

NIST tracks this issue as CVE-2023-29059.

Threat analysis

On March 22, users of 3CX began discussion of potential false-positive detections of 3CXDesktopApp by their endpoint security agents.

Figure 1: The update process at the moment the malicious version drops

Sophos MDR first identified malicious activity directed at its own customers and stemming from 3CXDesktopApp on March 29, 2023. Additionally, Sophos MDR has observed the campaign leveraging a public file storage to host encoded malware. This repository has been in use since December 8, 2022; after news of the compromise spread widely on March 29, the repository was taken down.

The attack revolves around a DLL sideloading scenario, one with a remarkable number of components involved. This is likely to ensure that customers were able to use the 3CX desktop package without noticing anything unusual about the affected package. We have identified three crucial components:

Figure 2 presents a high-level look at the attack flow as it works in Windows; there are some minor variations in the later steps with the MacOS version.

Figure 2: A high-level view of the attack flow

The file ffmpeg.dll contains an embedded URL which is used to retrieve a malicious encoded .ico payload from GitHub file storage at https[:]//raw.githubusercontent.com/IconStorages/images/main/ — though, again, once news of the compromise spread widely, this repository was taken down.

We saw several variations on the ffmpeg.dll file, including one that was signed by 3CX’s own certificate; these appear to be maliciously patched versions of the legitimate ffmpeg.dll. In a statement on Thursday, the team responsible for ffmpeg’s source code took pains to distance their work from the 3CX compromise.

Figure 3: When ffmpeg stepped onto Twitter to defend its code

In a normal DLL sideloading scenario, the malicious loader (ffmpeg.dll) would replace the clean dependency; its only function would be to queue up the payload. However, in this case, that loader is also entirely functional, as it would normally be in the 3CX product – instead, there’s an additional payload inserted at the DllMain function. Appending malicious code in this fashion adds bulk, but may have lowered suspicions – the abused 3CX application functions as expected, even as the Trojan reached out to the C2 addresses.

As part of our analysis, we also did a comparison of the ffmpeg.dll in 3CX with the same file in other Electron apps. Our analysis has shown only the 3CX ffmpeg.dll contains the malicious code. We conclude from this that this compromise does not affect other Electron apps — only the 3CX ffmpeg.dll.

Figure 4: What the affected 3CX developers and customers experienced

Allowing the abused software to remain functional is not dissimilar to other DLL sideloading cases we’ve seen, but this campaign is slightly different even from the current rash of DLL sideloading cases we’ve seen. In particular, we’ve noted that the PE shellcode loader in use is unique in our experience. Previous to this, we’ve only seen it in incidents attributed to the Lazarus group; the code in this incident is a byte-to-byte match to those previous samples.

We observed that the stealer component also checks for the presence of a specific file, \3CXDesktopApp\config.json. It is not yet clear why it checks for this file.

On the MacOS side, we note three files dropped by the malicious libffmpeg.dylib as notable traces:

TimeStamp Check Analysis

As part of our ongoing investigation, we found a timestamp mechanism in the code as shown below.

Figure 5: A timestamp mechanism in the code

Looking at this, we can see a while loop that calls the check_timestamp function and receives a 64-bit integer value from the GetSystemTimeAsFileTime API call. The results of check_timestamp are evaluated against “v6,” a variable which holds the value coming from cbData. cbData is collected from the “manifest” file as shown below.

Figure 6: Collecting the cbData

“manifest” is a file that the malware writes to the system under the “3cxdesktopapp” folder during the initial stage of the infection. When the manifest is created, a dword value is written based on the current timestamp, with additional arithmetic operations performed on it.

The above code checks if manifest exists and is writeable; if so, then it adds 7 days + the current system timestamp + rand() generated number % 21 days. In other words, the value can be up to a total of 28 days ahead. Otherwise, it just reads the existing value from the manifest file.

So long as the results of check_timestamp are less than v6 (the timestamp value from manifest), the loop continues to sleep. Only once the results of check_timestamp are greater than the manifest timestamp will the code proceed and generate the HTTP request to connect with GitHub, which initiates the payload download.
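What this delay means for scoping a hunt, as an added example (not code from Sophos or from the malware sample): a host that first ran an affected build less than 7 days ago will not yet have requested the GitHub payload, so a clean result from a network IOC search does not clear it. The sketch assumes the random offset is uniform over 0 to 21 days and uses the first time an affected build ran as a stand-in for the manifest write time; host names and dates are constructed.

```python
from datetime import datetime, timedelta, timezone

MIN_DELAY = timedelta(days=7)    # fixed part of the delay described above
MAX_JITTER = timedelta(days=21)  # random part (rand() % 21 days); assumed uniform

# Constructed sample: host -> first time an affected build ran on it (assumption:
# this approximates when the "manifest" file was written).
HOSTS = {
    "ws-001": datetime(2023, 3, 27, 9, 0, tzinfo=timezone.utc),
    "ws-002": datetime(2023, 3, 15, 9, 0, tzinfo=timezone.utc),
    "ws-003": datetime(2023, 2, 20, 9, 0, tzinfo=timezone.utc),
}


def activation_window(manifest_written):
    """Return (earliest, latest) time at which the sleep loop can exit."""
    earliest = manifest_written + MIN_DELAY
    return earliest, earliest + MAX_JITTER


def triage(first_seen, checked_at):
    """Classify a host by where checked_at falls in its activation window."""
    earliest, latest = activation_window(first_seen)
    if checked_at < earliest:
        return "dormant"         # still sleeping: no GitHub request expected yet
    if checked_at < latest:
        return "may_be_active"   # depends on the host's random offset
    return "window_elapsed"      # delay has expired whatever the offset was


def triage_all(hosts, checked_at):
    """Triage every host; network-log searches should start at window[0]."""
    return {name: triage(seen, checked_at) for name, seen in sorted(hosts.items())}


if __name__ == "__main__":
    now = datetime(2023, 3, 30, 12, 0, tzinfo=timezone.utc)
    for name, state in triage_all(HOSTS, now).items():
        earliest, latest = activation_window(HOSTS[name])
        print(f"{name}: {state:14} first request possible {earliest:%Y-%m-%d}"
              f" to {latest:%Y-%m-%d}")
```

Hosts reported as dormant still need the file-hash and version checks, since network indicators cannot have appeared for them yet.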

Hunting information

Determining impact with Sophos XDR

1. Determining whether hosts have communicated with threat actor infrastructure: Data Lake

The below query will search for hosts that have communicated with the various known URLs in use by this campaign.

SELECT
  meta_hostname,
  sophos_pids,
  domain,
  clean_urls,
  source_ips,
  destination_ips,
  timestamps,
  ingestion_timestamp
FROM
  xdr_data
WHERE
  query_name = 'sophos_urls_windows'
  AND
    -- LIKE treats [ and ] as literal characters, so each pattern holds the plain domain
    (LOWER(domain) LIKE '%akamaicontainer.com%'
    OR LOWER(domain) LIKE '%akamaitechcloudservices.com%'
    OR LOWER(domain) LIKE '%azuredeploystore.com%'
    OR LOWER(domain) LIKE '%azureonlinecloud.com%'
    OR LOWER(domain) LIKE '%azureonlinestorage.com%'
    OR LOWER(domain) LIKE '%dunamistrd.com%'
    OR LOWER(domain) LIKE '%glcloudservice.com%'
    OR LOWER(domain) LIKE '%journalide.org%'
    OR LOWER(domain) LIKE '%msedgepackageinfo.com%'
    OR LOWER(domain) LIKE '%msstorageazure.com%'
    OR LOWER(domain) LIKE '%msstorageboxes.com%'
    OR LOWER(domain) LIKE '%officeaddons.com%'
    OR LOWER(domain) LIKE '%officestoragebox.com%'
    OR LOWER(domain) LIKE '%pbxcloudeservices.com%'
    OR LOWER(domain) LIKE '%pbxphonenetwork.com%'
    OR LOWER(domain) LIKE '%pbxsources.com%'
    OR LOWER(domain) LIKE '%qwepoi123098.com%'
    OR LOWER(domain) LIKE '%sbmsa.wiki%'
    OR LOWER(domain) LIKE '%sourceslabs.com%'
    OR LOWER(domain) LIKE '%visualstudiofactory.com%'
    OR LOWER(domain) LIKE '%zacharryblogs.com%'
    OR (LOWER(domain) LIKE '%raw.githubusercontent.com%' AND LOWER(clean_urls) LIKE '%/iconstorages/images/main/%'))

2. Determining whether hosts have interacted with malicious files

SELECT f.filename, f.directory, ROUND((f.size * 10e-7),2) AS size_MB, h.sha256, f.type, 
f.attributes, f.mode, 
datetime(f.btime,'unixepoch') AS file_created_time, 
datetime(f.atime,'unixepoch') AS file_last_access_time, 
datetime(f.mtime,'unixepoch') AS file_last_modified_time, 
datetime(f.ctime,'unixepoch') AS file_last_status_change_time, 
f.uid, u.username AS file_owner 
FROM file f 
LEFT JOIN users u ON f.uid = u.uid 
LEFT JOIN groups g ON f.gid = g.gid 
LEFT JOIN hash h ON f.path = h.path 
WHERE f.path like 'c:\users\%\appdata\local\programs\3cxdesktopapp\app\%' 
AND (f.filename = 'ffmpeg.dll' 
OR f.filename LIKE 'd3dcompiler%.dll' 
OR f.filename = 'trololo.dll') 
AND (h.sha256 = 'c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02' 
OR h.sha256 = '11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03' 
OR h.sha256 = '7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896' 
OR h.sha256 = 'aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973')

3. Determining whether hosts are running affected versions

SELECT
    MIN(ingestion_timestamp) AS first_seen,
    MAX(ingestion_timestamp) AS last_seen,
    meta_hostname,
    ARRAY_JOIN(ARRAY_AGG(DISTINCT(meta_hostname)), ', ') AS hosts,
    ARRAY_JOIN(ARRAY_AGG(sophos_pid),', ') AS spids,
    LOWER(name) AS name,
    sha256,
    company_name,
    file_description,
    file_size,
    file_version,
    original_filename
FROM
    xdr_data
WHERE
   query_name = 'running_processes_windows_sophos'
    AND (
        LOWER(name) = '3cxdesktopapp.exe'
        OR LOWER(original_filename) = '3cxdesktopapp.exe'
        OR LOWER(product_name) ='3cx desktop app')
GROUP by
    meta_hostname,
    LOWER(name),
    sha256,
    company_name,
    file_description,
    file_size,
    file_version,
    original_filename
ORDER BY
    meta_hostname desc

4. Determining whether hosts have communicated with threat actor infrastructure, for MacOS

SELECT 
    meta_hostname,
    date_format(from_unixtime(time), '%Y-%m-%d %H:%i:%s') AS date_time,
    ingestion_timestamp,
    pid,
    name,
    cmdline,
    path,
    parent,
    gid,
    uid,
    euid,
    egid,
    sha1,
    sha256
FROM 
    xdr_data
WHERE 
    query_name = 'running_processes_osx_events'
    AND LOWER(cmdline) LIKE '%sh -c%'
    AND LOWER(cmdline) LIKE '%/3cx desktop app/updateagent%'

5. Enabling firewall customers to identify activity to malicious domains

SELECT timestamp, 
    log_component, 
    log_subtype, 
    user_name, 
    user_group, 
    app_name, 
    src_ip, 
    src_port, 
    protocol, 
    dst_ip, 
    dst_port, 
    http_category, 
    url, 
    domain, 
    http_user_agent, 
    http_status 

FROM 
    xgfw_data 

WHERE 
    LOWER(log_component) = 'http' 
        AND (LOWER(domain) = 'akamaicontainer.com'           
        OR LOWER(domain) = 'akamaitechcloudservices.com'           
        OR LOWER(domain) = 'azuredeploystore.com'           
        OR LOWER(domain) = 'azureonlinecloud.com'           
        OR LOWER(domain) = 'azureonlinestorage.com'           
        OR LOWER(domain) = 'dunamistrd.com'           
        OR LOWER(domain) = 'glcloudservice.com'           
        OR LOWER(domain) = 'journalide.org'           
        OR LOWER(domain) = 'msedgepackageinfo.com'           
        OR LOWER(domain) = 'msstorageazure.com'           
        OR LOWER(domain) = 'msstorageboxes.com'           
        OR LOWER(domain) = 'officeaddons.com'           
        OR LOWER(domain) = 'officestoragebox.com'           
        OR LOWER(domain) = 'pbxcloudeservices.com'           
        OR LOWER(domain) = 'pbxphonenetwork.com'           
        OR LOWER(domain) = 'pbxsources.com'           
        OR LOWER(domain) = 'qwepoi123098.com'           
        OR LOWER(domain) = 'sbmsa.wiki'           
        OR LOWER(domain) = 'sourceslabs.com'           
        OR LOWER(domain) = 'visualstudiofactory.com'           
        OR LOWER(domain) = 'zacharryblogs.com'           
        OR (LOWER(domain) LIKE '%raw.githubusercontent.com%' 
        AND LOWER(url) LIKE '%/iconstorages/images/main/%'))

6. Enabling firewall customers to identify user agents of compromised versions of 3CX

SELECT timestamp, 
    log_component, 
    log_subtype, 
    user_name, 
    user_group, 
    app_name, 
    src_ip, 
    src_port, 
    protocol, 
    dst_ip, 
    dst_port, 
    http_category, 
    url, 
    domain, 
    http_user_agent, 
    http_status 

FROM xgfw_data 

WHERE 
    LOWER(log_component) = 'http' 
    AND   
        (       LOWER(http_user_agent) LIKE '%3cxdesktopapp/18.12.402%'       
            OR LOWER(http_user_agent) LIKE '%3cxdesktopapp/18.12.416%'       
            OR LOWER(http_user_agent) LIKE '%3cxdesktopapp/18.12.407%'       
            OR LOWER(http_user_agent) LIKE '%3cxdesktopapp/18.11.1213%'       
            OR LOWER(http_user_agent) LIKE '%3cxdesktopapp/18.11.1197%'    )

We also recommend that users of 3CX’s software continue to monitor the company’s communications channels; they have a blog and also a support-and-information forum. As of March 30, the company was recommending that customers uninstall and reinstall the app, and suggested that they might also use the company’s browser-based PWA client while the situation was sorted out.

On March 31, 3CX noted that Google has invalidated the company’s previous signing certificate, which means both the originally infected MSI files plus files issued by 3CX earlier in the week using that certificate will be blocked, and issued a fresh one. 3CX at this writing is building entirely new MSI installers using the newly issued certificate. This applies to Windows only, as the company states they will not be rebuilding the Mac version of the desktop app yet while they focus on the Windows version (and on the security breach in general).

An updated list of IOCs for this attack is published on our GitHub.

Detection protection

SophosLabs has blocked the malicious domains and published the following detections:

Static detections:

Reputation detection:

Memory detection:

We have also blocked the list of known C2 domains associated with the threat and will continue to add to that list in the IOC file on our GitHub, as noted above. Finally, the two malicious versions of the ffmpeg.dll bundled in the affected 3CX application are flagged by their hashes as being of low reputation.

SophosLabs is actively investigating additional detection opportunities for activity stemming from this software. In addition, for customers of Sophos MDR, the MDR Detection Engineering team has a variety of behavioral detections in place that will detect follow up activity.
