3CX Supply Chain — Threat Intel Lab Writeup
Overview
This writeup documents my approach to the 3CX Supply Chain lab on the CyberDefenders website, a blue team-focused cyber threat intelligence lab in which you examine a possible supply chain attack.
Disclaimer
I like to add a brief disclaimer before a writeup to encourage people to attempt the lab before reading this article, since there will obviously be spoilers in this writeup. I believe you will enjoy the lab more if you attempt it yourself first and then come back to this writeup if you get stuck or need a hint. So without any further delay, let's get started!
Scenario
A large multinational corporation heavily relies on the 3CX software for phone communication, making it a critical component of their business operations. After a recent update to the 3CX Desktop App, antivirus alerts flag sporadic instances of the software being wiped from some workstations while others remain unaffected. Dismissing this as a false positive, the IT team overlooks the alerts, only to notice degraded performance and strange network traffic to unknown servers. Employees report issues with the 3CX app, and the IT security team identifies unusual communication patterns linked to recent software updates.
As the threat intelligence analyst, it’s your responsibility to examine this possible supply chain attack. Your objectives are to uncover how the attackers compromised the 3CX app, identify the potential threat actor involved, and assess the overall extent of the incident.
Lab Analysis
Understanding the scope of the attack and identifying which versions exhibit malicious behavior is crucial for making informed decisions if these compromised versions are present in the organization. How many versions of 3CX running on Windows have been flagged as malware?
In late March 2023, a software supply chain compromise spread malware via a trojanized version of 3CX's legitimate desktop application, which was available to download from the vendor's own website. 3CX Desktop App is enterprise software that provides communications for its users, including chat, video calls, and voice calls. Mandiant noted that this was the first time it had seen a software supply chain attack lead to another software supply chain attack. According to Huntress and 3CX's notifications, the known affected Windows versions of 3CX DesktopApp are:
18.12.407
18.12.416
That is two Windows versions.
Determining the age of the malware can help assess the extent of the compromise and track the evolution of malware families and variants. What's the UTC creation time of the .msi malware?
Extracting the provided lab ZIP archive yields a single file:
3CXDesktopApp-18.12.416.msi
SHA256: 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983
Uploading the MSI file to VirusTotal (or searching for its SHA256 hash) shows the file flagged as malicious by multiple engines and by the community.
VirusTotal lists the file's history under the Details tab, including its Creation Time, which answers this question.
Executable files (.exe) are frequently used as primary or secondary malware payloads, while dynamic link libraries (.dll) often load malicious code or enhance malware functionality. Analyzing files deposited by the Microsoft Software Installer (.msi) is crucial for identifying malicious files and investigating their full potential. Which malicious DLLs were dropped by the .msi file?
A threat intelligence article published by Google's Mandiant describes the installer dropping two trojanized DLLs alongside a benign, legitimately signed executable that loads them. In VirusTotal, the Relations tab for the MSI shows the two bundled DLL files.
A threat brief published by Palo Alto Networks Unit 42 also identifies the two DLL files:
ffmpeg.dll
d3dcompiler_47.dll
The "ffmpeg.dll" library reads in the second extracted library, "d3dcompiler_47.dll", decrypts a portion of it using RC4 with the key "3jB(2bsG#@c7", and runs the decrypted contents as shellcode.
Recognizing the persistence techniques used in this incident is essential for current mitigation strategies and future defense improvements. What is the MITRE sub-technique ID employed by the .msi files to load the malicious DLL?
Per the Mandiant article, the benign executable dropped by the installer is used to side-load one of the malicious DLLs: here the legitimate, signed 3CXDesktopApp.exe loads the trojanized ffmpeg.dll from its own directory. Side-loading relies on legitimate Windows executables to load and execute a malicious file that has been disguised as a legitimate dependency. This technique is documented in the MITRE ATT&CK framework as Hijack Execution Flow: DLL Side-Loading (T1574.002).
Recognizing the malware type (threat category) is essential to your investigation, as it can offer valuable insight into the possible malicious actions you'll be examining. What is the threat category of the two malicious DLLs?
Pivoting on the DLL files in VirusTotal, we can see the threat category for both “ffmpeg.dll” and “d3dcompiler_47.dll”.
As a threat intelligence analyst conducting dynamic analysis, it’s vital to understand how malware can evade detection in virtualized environments or analysis systems. This knowledge will help you effectively mitigate or address these evasive tactics. What is the MITRE ID for the virtualization/sandbox evasion techniques used by the two malicious DLLs?
In VirusTotal, a comprehensive list of MITRE ATT&CK tactics and techniques is provided for both DLL files, including defense evasion techniques such as Virtualization/Sandbox Evasion (T1497).
When conducting malware analysis and reverse engineering, understanding anti-analysis techniques is vital to avoid wasting time. Which hypervisor is targeted by the anti-analysis techniques in the ffmpeg.dll file?
Referring to the screenshot from the previous question, we can observe that "ffmpeg.dll" references anti-VM strings that target VMware.
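VirusTotal surfaces those strings for you, but offline you can reach the same conclusion by pulling printable ASCII and UTF-16LE strings out of the binary and matching them against hypervisor artifacts. The script below is an added example written for this writeup, not code from the lab, from VirusTotal or from any cited report; the artifact lists are my own assumption of commonly checked names, and the sample "DLL" bytes are constructed inline so the script runs without the real ffmpeg.dll.

```python
import re
from collections import defaultdict

# Assumed artifact lists for this example (not taken from the writeup or VirusTotal):
# registry keys, driver and process names that anti-VM checks commonly look for.
HYPERVISOR_ARTIFACTS = {
    "VMware": ["vmware", "vmtoolsd.exe", "vmwaretray.exe", "vmhgfs", "vmmouse", "vmci.sys"],
    "VirtualBox": ["vboxservice.exe", "vboxtray.exe", "virtualbox", "vboxguest"],
    "Hyper-V": ["hyper-v", "vmbus"],
    "QEMU": ["qemu", "virtio"],
}


def extract_strings(data: bytes, min_len: int = 5):
    """Return printable ASCII and UTF-16LE strings of at least min_len characters.
    Windows binaries carry both forms, so checking only ASCII misses wide strings."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def find_vm_artifacts(data: bytes):
    """Map each hypervisor to the sorted list of strings in data that reference it."""
    hits = defaultdict(set)
    for s in extract_strings(data):
        low = s.lower()
        for vendor, needles in HYPERVISOR_ARTIFACTS.items():
            if any(n in low for n in needles):
                hits[vendor].add(s)
    return {vendor: sorted(strings) for vendor, strings in hits.items()}


def targeted_hypervisor(data: bytes):
    """The hypervisor with the most references, or None if no artifact string is present."""
    hits = find_vm_artifacts(data)
    if not hits:
        return None
    return max(hits, key=lambda vendor: len(hits[vendor]))


# Constructed stand-in for a DLL image: a fake header, one ASCII registry path,
# one UTF-16LE process name, one ASCII driver name and two unrelated API names.
SAMPLE_DLL = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"SOFTWARE\\VMware, Inc.\\VMware Tools\x00"
    + b"\x01\x02\x03"
    + "vmtoolsd.exe".encode("utf-16le") + b"\x00\x00"
    + b"vmhgfs.sys\x00"
    + b"GetTickCount\x00IsDebuggerPresent\x00"
)

if __name__ == "__main__":
    for vendor, strings in find_vm_artifacts(SAMPLE_DLL).items():
        print(vendor, strings)
    print("targeted hypervisor:", targeted_hypervisor(SAMPLE_DLL))
```

Run it against a real sample with `find_vm_artifacts(open(path, "rb").read())`; a single hit for a vendor can be a legitimate driver check, so treat the result as a pointer to the code you then read in a disassembler rather than as a verdict.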
Identifying the cryptographic method used in malware is crucial for understanding the techniques employed to bypass defense mechanisms and execute its functions fully. What encryption algorithm is used by the ffmpeg.dll file?
In the Unit 42 threat brief referenced earlier in this writeup, the "ffmpeg.dll" library reads in the second extracted DLL, "d3dcompiler_47.dll", and decrypts a portion of it using the RC4 stream cipher.
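To make the loader behaviour described here (and in the Unit 42 summary quoted under the DLL question above) concrete, the following is an added example written for this writeup: a plain RC4 implementation plus a routine that carves an encrypted blob out of a host file and decrypts it with the key the reports attribute to ffmpeg.dll. It is not code from ffmpeg.dll or from any cited report. The marker used to locate the blob and the layout of the constructed host file are assumptions for the example; the real loader's logic for finding the region inside d3dcompiler_47.dll is outside what this writeup covers.

```python
# RC4 key reported by Unit 42 for the 3CX ffmpeg.dll loader.
RC4_KEY = b"3jB(2bsG#@c7"

# Assumed for this example: an 8-byte marker preceding the encrypted region.
MARKER = b"\xfe\xed\xfa\xce" * 2


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + PRGA). Encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def carve_payload(host: bytes, marker: bytes = MARKER) -> bytes:
    """Return everything after the first occurrence of marker; raise if it is absent."""
    idx = host.find(marker)
    if idx < 0:
        raise ValueError("marker not found in host file")
    return host[idx + len(marker):]


def decrypt_embedded_payload(host: bytes, key: bytes = RC4_KEY, marker: bytes = MARKER) -> bytes:
    """What an analyst would run over the real d3dcompiler_47.dll: carve, then RC4-decrypt."""
    return rc4(key, carve_payload(host, marker))


def build_fake_host(payload: bytes, key: bytes = RC4_KEY, marker: bytes = MARKER) -> bytes:
    """Constructed stand-in for a signed DLL carrying an RC4-encrypted blob after the marker.
    The header bytes are a dummy, not a real PE; only the marker/blob layout matters here."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32
    return fake_pe + marker + rc4(key, payload)


if __name__ == "__main__":
    # Constructed sample payload standing in for the shellcode the loader would execute.
    payload = b"\xcc" * 8 + b"constructed sample shellcode"
    host = build_fake_host(payload)
    recovered = decrypt_embedded_payload(host)
    print("roundtrip ok:", recovered == payload)
    print("recovered:", recovered)
```

The `rc4` function is deliberately dependency-free so it can be dropped into a sandboxed analysis VM; the usual check before trusting a decrypted region is that its first bytes look like code or a PE header rather than uniform noise, which a wrong key or offset produces.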
As an analyst, you’ve recognized some TTPs involved in the incident, but identifying the APT group responsible will help you search for their usual TTPs and uncover other potential malicious activities. Which group is responsible for this attack?
The threat intelligence reports mentioned above describe the actor behind the 3CX software supply chain compromise as a suspected North Korean-nexus cluster of activity. An article by Qualys identifies the North Korean state-sponsored group Labyrinth Chollima (CrowdStrike's name for the cluster) as the perpetrator behind the compromise of the 3CXDesktopApp beta 18.12.407 and final 18.12.416 releases.
Additionally, MITRE associates this name with Lazarus Group (G0032). North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
Conclusion
I really enjoyed working through this lab and learning more about the 3CX Software Supply Chain Compromise. Thank you for reading till the end and stay curious!