On March 29, 2023, CrowdStrike announced that a threat group based in North Korea launched a supply chain attack through 3CX DesktopApp. Through this app, the threat actor installed an Infostealer on the target system.
AhnLab Security Emergency response Center (ASEC) previously announced a 3CX DesktopApp supply chain attack in the following blog post alongside mitigation measures. This post provides an analysis of the malware used in the attacks and logs of their infection in Korea collected via AhnLab Smart Defense (ASD).
Logs Recorded in Korea
Below are logs recorded in AhnLab’s ASD before the supply chain attack became known. An installation log of 3CX Electron Windows App version 18.12.407 was recorded on March 9, and an installation log of version 18.12.416 was recorded on March 15. The target was identified to be a university in Korea.
The threat actor targeted Windows and Mac users by inserting malware into the 3CX DesktopApp installation files for both platforms. When a user runs the installation file, the malware that was encoded and saved inside it runs in memory and installs additional malware.
On Windows, the installation file is an MSI installer, and the files “ffmpeg.dll” and “d3dcompiler_47.dll” inside it are the actual malware. “3CXDesktopApp.exe”, which is executed after installation, loads the file “ffmpeg.dll” from the same directory. “ffmpeg.dll” is disguised as a normal file but is actually a loader responsible for reading and decrypting “d3dcompiler_47.dll” before executing it in memory. “d3dcompiler_47.dll” is also a normal file, but it contains encoded data at the end.
Figure 2. Flow chart
“ffmpeg.dll” looks for the signature “FE ED FA CE FE ED FA CE” in “d3dcompiler_47.dll”, which marks the encoded data. Decrypting the encoded data yields shellcode, which executes a downloader in memory.
Figure 3. Encoded data inserted into d3dcompiler_47.dll
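The check below is an added triage example, not ASEC's code: it parses a PE file's section table to find where the legitimate image ends and reports whether the signature quoted above sits in the data appended after it. The function names and the sample file built by `build_sample` are constructed for illustration.

```python
import struct

MARKER = bytes.fromhex("FEEDFACEFEEDFACE")  # signature quoted in the article

def pe_sections_end(data: bytes) -> int:
    """File offset where the last section's raw data ends (start of the overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size   # section table follows the optional header
    end = table + 40 * num_sections
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def scan_for_marker(data: bytes) -> dict:
    """Report overlay size and whether the marker lies past the last section."""
    end = pe_sections_end(data)
    pos = data.find(MARKER)
    return {
        "sections_end": end,
        "overlay_bytes": len(data) - end,
        "marker_offset": pos if pos >= 0 else None,
        "marker_in_overlay": pos >= end,
    }

def build_sample(appended: bytes) -> bytes:
    """Constructed minimal PE (one 16-byte section) with `appended` as overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x2000)
    sect = b".text\0\0\0" + struct.pack("<IIII", 16, 0x1000, 16, 128) + b"\0" * 16
    return dos + coff + sect + b"\x90" * 16 + appended

if __name__ == "__main__":
    print(scan_for_marker(build_sample(MARKER + b"constructed-blob")))
    print(scan_for_marker(build_sample(b"")))
```

A hit is a triage signal only and should be confirmed against published indicators for the affected builds.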
The downloader downloads an ico file from a GitHub address. The URL is as follows, and a random file from icon1.ico to icon15.ico is selected and used.
- Download URL: hxxps://raw.githubusercontent[.]com/IconStorages/images/main/icon[number].ico
At the time of analysis, these files could not be downloaded, but the ico files known to have been used in the attacks are as follows.
The actual C&C server addresses are encoded at the end of these ico files, and decrypting the encoded data reveals them. The downloader looks for the signature “$” at the end of the downloaded ico file before finding and decrypting the encoded string.
Figure 5. Encoded data inserted at the end of the ico file
Figure 6. Decrypted C&C address
Because “icon0.ico” contains a normal URL and “icon10.ico” and “icon11.ico” are identical, the 16 ico files yield a total of 14 C&C server addresses. The downloader can connect to the decrypted address to download and execute additional malware. It is known to have installed an Infostealer this way.
For Mac environments, the threat actor inserted the malware into a DMG installation file. Out of the shared library files within the installation file, libffmpeg.dylib contains an XOR-encoded C&C address.
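As an added example (not part of the original analysis), the following check parses an ICO directory, computes where the last declared image ends, and flags any bytes that follow it, including whether they contain the “$” signature described above. The sample icon and the placeholder string after “$” are constructed; decoding the appended string is out of scope because the article does not give the scheme.

```python
import struct

def ico_trailing_data(data: bytes) -> bytes:
    """Return the bytes that follow the last image declared in the ICO directory."""
    reserved, kind, count = struct.unpack_from("<HHH", data, 0)   # ICONDIR
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an ICO file")
    end = 6 + 16 * count                        # end of the directory itself
    for i in range(count):
        # ICONDIRENTRY: image size at +8, image file offset at +12
        size, offset = struct.unpack_from("<II", data, 6 + 16 * i + 8)
        if offset + size > len(data):
            raise ValueError("image entry points past end of file")
        end = max(end, offset + size)
    return data[end:]

def check_ico(data: bytes) -> dict:
    """Flag icons that carry data beyond their declared images."""
    tail = ico_trailing_data(data)
    pos = tail.find(b"$")
    return {
        "trailing_bytes": len(tail),
        "dollar_marker": pos >= 0,
        # length of whatever follows the marker; contents are not interpreted
        "bytes_after_marker": len(tail) - pos - 1 if pos >= 0 else 0,
    }

def build_sample_ico(appended: bytes) -> bytes:
    """Constructed one-image ICO (8 dummy image bytes) followed by `appended`."""
    image = b"\0" * 8
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(image), 22)
    return header + entry + image + appended

if __name__ == "__main__":
    placeholder = b"$" + b"CONSTRUCTED-PLACEHOLDER"   # stands in for the encoded string
    print(check_ico(build_sample_ico(placeholder)))
    print(check_ico(build_sample_ico(b"")))
```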
Most of the identified C&C addresses are the same as those found in the Windows version.
Product versions used in the attacks and solutions can be viewed in the following blog post.
– Dropper/MSI.Agent (2023.03.31.00)
– Trojan/Win.Loader.C5403102 (2023.03.31.00)
– Trojan/Win.Agent.C5403110 (2023.03.31.00)
– Trojan/Win.Loader.C5403103 (2023.03.31.00)
– Data/BIN.Encoded (2023.04.03.03)
– Infostealer/Win.Agent.C5403954 (2023.04.02.00)
– Data/BIN.Encoded (2023.03.31.01)
– Trojan/OSX.Agent (2023.03.31.01)
– Trojan/OSX.Loader (2023.04.03.03)
C&C Addresses – Windows
C&C Addresses – MAC