Keypoints
- SentinelOne observed a spike in behavioral detections for the 3CXDesktopApp, with automated blocking and quarantine of trojanized installers.
- The malicious installer uses a multi-stage chain: shellcode loads a DLL, which loads further payloads from a GitHub ICO repository, and ultimately retrieves a third-stage infostealer DLL.
- A code signing certificate was used to sign the trojanized binaries, indicating an additional level of trust forged by the attackers.
- The macOS component includes a trojanized libffmpeg.dylib and a second-stage UpdateAgent, with Apple notarization later revoked for the trojanized macOS components; a POOLRAT backdoor is also involved on macOS.
- The 2nd macOS stage (UpdateAgent) collects 3CX installation account details and sends them to a hardcoded attacker server, without persistence in that stage.
- IOC updates and macOS indicators were added through March 30, 2023, including a list of URIs and SHA-1 hashes; attribution remains uncertain, with infrastructure traced back to February 2022 but no clear linkage to known clusters.
- The campaign demonstrates a broader strategy of abusing PBX/VoIP software for supply-chain compromise and subsequent data exfiltration across Windows and macOS environments.
MITRE Techniques
- [T1055] Process Injection - The shellcode reflectively loads a DLL, removing the "MZ" at the start. Source: "The shellcode reflectively loads a DLL, removing the 'MZ' at the start."
- [T1105] Ingress Tool Transfer - The malware downloads icon files from a dedicated GitHub repository. Source: "downloading icon files from a dedicated Github repository: ..."
- [T1140] Deobfuscate/Decode Files or Information - ICO files are appended with base64 data and decoded to obtain a C2 URL. Source: "ICO files are appended with a chunk of base64 encoded data after a '$' character. The malware searches for the '$' and extracts the remaining bytes from the ICO file. These bytes are decoded and decrypted, yielding a C&C URL."
- [T1071.001] Web Protocols - The main loop builds and encrypts an "initial-run" command to the C2 and sends it via HTTP POST. Source: "The main loop first will build and encrypt an 'initial-run' command to the C&C. It sends this command via an HTTP POST request."
- [T1116] Code Signing - The compromise includes a code signing certificate used to sign the trojanized binaries. Source: "The compromise includes a code signing certificate used to sign the trojanized binaries."
- [T1543.003] Create or Modify System Process: Launch Daemons - macOS persistence via Launch Daemons for the POOLRAT backdoor. Source: "Launch Daemons as a persistence mechanism."
- [T1082] System Information Discovery - The Windows infostealer collects computer name, domain, and OS version information. Source: "NetWkstaGetInfo to obtain the computer name and domain name. It calls RtlGetVersion to obtain the Windows version."
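The T1140 entry above describes icon files that carry a base64 blob appended after a "$" character, past the end of the real image data. A defender can hunt for this without knowing the decryption scheme: parse the ICO directory, compute where the last referenced image ends, and flag any file with trailing bytes that contain the "$" delimiter followed by valid base64. The following is an added example written for this page, not code from SentinelOne or from the malware; the two ICO samples are constructed inline (the appended string is a placeholder, not a real encrypted C2 blob), and the ICO layout it parses is the documented Windows format (6-byte header, 16-byte directory entries).

```python
import base64
import binascii
import struct

# ICO layout: header = reserved(2), type(2, 1 = icon), image count(2)
ICO_HEADER = struct.Struct("<HHH")
# directory entry = width, height, colors, reserved, planes, bpp, data size, data offset
ICO_DIR_ENTRY = struct.Struct("<BBBBHHII")


def legitimate_end(ico: bytes) -> int:
    """Return the offset one past the last byte referenced by the ICO directory.
    Raises ValueError if the bytes are not a structurally valid ICO."""
    if len(ico) < ICO_HEADER.size:
        raise ValueError("too short for an ICO header")
    reserved, kind, count = ICO_HEADER.unpack_from(ico, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an ICO header")
    end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size
    if len(ico) < end:
        raise ValueError("directory truncated")
    for i in range(count):
        entry_off = ICO_HEADER.size + i * ICO_DIR_ENTRY.size
        *_, size, offset = ICO_DIR_ENTRY.unpack_from(ico, entry_off)
        if offset + size > len(ico):
            raise ValueError("image %d points past end of file" % i)
        end = max(end, offset + size)
    return end


def inspect_ico(ico: bytes) -> dict:
    """Describe bytes appended after the last image the directory references.
    Only the trailing region is searched for '$', so a 0x24 byte inside
    genuine pixel data does not trigger a false positive."""
    end = legitimate_end(ico)
    tail = ico[end:]
    result = {"trailing": len(tail), "has_dollar": False, "decoded_len": None}
    marker = tail.find(b"$")
    if marker == -1:
        return result
    result["has_dollar"] = True
    blob = tail[marker + 1:].strip()
    try:
        # validate=True rejects anything that is not strict base64
        decoded = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return result
    result["decoded_len"] = len(decoded)
    return result


def build_ico(pixels: bytes, appended: bytes = b"") -> bytes:
    """Constructed helper: wrap arbitrary bytes as a single-image ICO, optionally
    appending extra data after the image, the way the trojanized icons did."""
    offset = ICO_HEADER.size + ICO_DIR_ENTRY.size
    header = ICO_HEADER.pack(0, 1, 1)
    entry = ICO_DIR_ENTRY.pack(1, 1, 0, 0, 1, 32, len(pixels), offset)
    return header + entry + pixels + appended


# Constructed samples, not artefacts from the campaign.
CLEAN_ICO = build_ico(b"\x00" * 40)
# A placeholder string stands in for the attacker's encrypted C2 blob.
SUSPICIOUS_ICO = build_ico(
    b"\x00" * 40, b"$" + base64.b64encode(b"placeholder-encrypted-c2-blob")
)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_ICO), ("suspicious", SUSPICIOUS_ICO)):
        print(name, inspect_ico(sample))
```

Run the script over every .ico under a suspect install directory and treat `has_dollar` together with a non-null `decoded_len` as a strong signal; a non-zero `trailing` count on its own is weaker, since some tools pad icon files, but is still worth a second look.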
Indicators of Compromise
- [URL] IoC context - github.com/IconStorages/images, https://www.3cx.com/blog/event-trainings/
- [SHA-1] IoC context - cad1120d91b812acafef7175f949dd1b09c6c21a, bf939c9c261d27ee7bb92325cc588624fca75429
- [URI] IoC context - https://azureonlinestorage.com/azure/storage, https://pbxsources.com/exchange
- [URL] IoC context - https://msedgepackageinfo.com/microsoft-edge, https://glcloudservice.com/v1/console
- [URI] IoC context - https://msstorageazure.com/window
- [File Path] IoC context - ~/Library/Application Support/3CXDesktop App/.main_storage, ~/Library/Application Support/3CXDesktop App/UpdateAgent
macOS Indicators of Compromise
1st Stage - libffmpeg.dylib
137b311737bcba57782a167a8f7cea0872ba7316
2c69d27fadf6244a80449579ab5ce450c0920678
354251ca9476549c391fbd5b87e81a21a95949f4
5b0582632975d230c8f73c768b9ef39669fefa60
6723ee0f25d401154756ffd99f4d27c6a6819b87
769383fc65d1386dd141c960c9970114547da0c2
b2a89eebb5be61939f5458a024c929b169b4dc85
e53e6b08fca672119581c1974e6ba391eed9c010
2nd Stage - UpdateAgent
9e9a5f8d86356796162cee881c843cde9eaedfb3
2nd Stage - URI
https://sbmsa.wiki/blog/_insert
File Paths
~/Library/Application Support/3CXDesktop App/.main_storage
~/Library/Application Support/3CXDesktop App/UpdateAgent