Tracking 3CX Supply Chain Breach Cases using AhnLab EDR

Last March, the 3CX supply chain breach cases became a global issue. AhnLab Security Emergency response Center (ASEC) has confirmed through the AhnLab Smart Defense (ASD) infrastructure that malware related to the 3CX supply chain attack was installed in Korea on March 9th and March 15th.

In the case confirmed here, the 3CX supply chain malware loaded malicious DLLs disguised under the names of legitimate DLLs, ffmpeg.dll and d3dcompiler_47.dll, into the legitimate 3CXDesktopApp.exe process, which allowed malicious behavior to be carried out. Ultimately, a downloader shellcode was executed in the memory of the 3CXDesktopApp.exe process. No additional malware downloads were found during analysis at the time; however, it was confirmed that a data-stealing malware had been executed.

AhnLab Endpoint Detection and Response (EDR) can detect the attack techniques used by the threat actor in the 3CX supply chain attack, and it lets users review the data needed to investigate the related breach case.

Figure 3 is the process tree of a 3CX supply chain attack as displayed in AhnLab EDR.

ffmpeg.dll is a DLL imported by 3CXDesktopApp.exe (refer to Figure 4). Therefore, when 3CXDesktopApp.exe is executed, the ffmpeg.dll in the same folder is loaded into the memory of the 3CXDesktopApp.exe process.

As shown in Figure 5 below, the loaded ffmpeg.dll reads the d3dcompiler_47.dll that was installed alongside 3CXDesktopApp.exe, RC4-decrypts the encrypted shellcode it contains, and executes it in memory.

AhnLab EDR can detect this abnormal method of shellcode execution. Figure 6 below is the detection screen, found on the [Threats] – [Timeline] tab of the console.

When the threat actor's shellcode runs, it downloads and executes additional malware from a GitHub page to which a payload has been uploaded. EDR records the download URLs accessed by 3CXDesktopApp.exe, so EDR administrators can look up information on the malware distribution sites in the [Threats] – [Diagram] tab of the EDR console.
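As an added example (not AhnLab's code or actual EDR output), the script below correlates constructed EDR-style events into the two facets described above: a watched DLL (ffmpeg.dll or d3dcompiler_47.dll) touched from the application folder rather than a Windows system directory, and a download URL on a GitHub host by the same process. The event field names, file paths, and payload hostnames are assumptions chosen for the illustration.

```python
"""Hunt for the 3CX side-loading chain in EDR-style telemetry (constructed sample)."""
import json
from collections import defaultdict
from urllib.parse import urlparse

# DLL names reported as side-loaded next to 3CXDesktopApp.exe.
WATCHED_DLLS = {"ffmpeg.dll", "d3dcompiler_47.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Payload hosting was GitHub; these hostnames are an assumption for the example.
PAYLOAD_HOSTS = {"github.com", "raw.githubusercontent.com"}

# Constructed sample events (not real EDR output), one JSON object per line.
SAMPLE_EVENTS = r"""
{"pid": 4120, "event": "process_start", "image": "C:\\Program Files\\3CXDesktopApp\\app\\3CXDesktopApp.exe"}
{"pid": 4120, "event": "image_load", "path": "C:\\Program Files\\3CXDesktopApp\\app\\ffmpeg.dll"}
{"pid": 4120, "event": "file_read", "path": "C:\\Program Files\\3CXDesktopApp\\app\\d3dcompiler_47.dll"}
{"pid": 4120, "event": "network", "url": "https://raw.githubusercontent.com/EXAMPLE-PLACEHOLDER/repo/main/icon.ico"}
{"pid": 880, "event": "process_start", "image": "C:\\Windows\\System32\\svchost.exe"}
{"pid": 880, "event": "image_load", "path": "C:\\Windows\\System32\\d3dcompiler_47.dll"}
{"pid": 880, "event": "network", "url": "https://github.com/EXAMPLE-PLACEHOLDER/updates"}
"""

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_side_loaded(path):
    """True for a watched DLL name found outside the Windows system directories."""
    return basename(path) in WATCHED_DLLS and not path.lower().startswith(SYSTEM_DIRS)

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_chain(events):
    """One finding per process that both touches a side-loaded watched DLL and
    contacts a payload host. Requiring both facets keeps svchost's legitimate
    System32 load and an ordinary GitHub visit from firing on their own."""
    by_pid = defaultdict(lambda: {"image": None, "dlls": [], "urls": []})
    for e in events:
        p = by_pid[e["pid"]]
        if e["event"] == "process_start":
            p["image"] = e["image"]
        elif e["event"] in ("image_load", "file_read") and is_side_loaded(e["path"]):
            p["dlls"].append(e["path"])
        elif e["event"] == "network" and urlparse(e["url"]).hostname in PAYLOAD_HOSTS:
            p["urls"].append(e["url"])
    return [{"pid": pid, "image": p["image"], "side_loaded": p["dlls"], "download_urls": p["urls"]}
            for pid, p in sorted(by_pid.items()) if p["dlls"] and p["urls"]]

if __name__ == "__main__":
    for finding in find_chain(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding, indent=2))
```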

AhnLab V3 and EDR products detect this 3CX supply chain threat with the aliases below.

[File Detection]
Dropper/MSI.Agent
Trojan/Win.Loader.C5403102
Trojan/Win.Agent.C5403110
Trojan/Win.Loader.C5403103
Infostealer/Win.Agent.C5403954
Trojan/BIN.Agent
Data/BIN.Encoded
Trojan/OSX.Agent
Trojan/OSX.Loader

[Behavior Detection]
[V3]
Connection/MDP.Event.M4581
Connection/MDP.Event.M11026
Exploit/MDP.Event.M11027

[EDR]
Fileless/EDR.Event.M11072

The MITRE ATT&CK mapping related to this 3CX supply chain threat is as follows.

– T1574.002 : Hijack Execution Flow: DLL Side-Loading
– T1012 : Query Registry
– T1071.001 : Application Layer Protocol: Web Protocols

To learn more about AhnLab EDR's advanced behavior-based detection and response, please click the banner below.