9/25/2023

Signal app compromised

Sophos X-Ops is tracking a developing situation concerning a seeming supply-chain attack, possibly undertaken by a nation-state-related group. This page provides an overview of the situation, a threat analysis, information for hunters, and information on detection and protection. We will update this page as events and understanding develop, including our threat and detection guidance.

Overview

The affected software is 3CX – a legitimate software-based PBX phone system available on Windows, MacOS, Linux, Android, and iOS. Some Windows and MacOS versions of the application have been abused by the threat actor to add an installer that communicates with various command-and-control (C2) servers. The software is a digitally signed version of the softphone desktop client for both Windows and MacOS, which includes a malicious payload. The most common post-exploitation event we have observed to date is the presence of an infostealer that targets the browser(s) on a compromised system.

At present, the only platforms confirmed by our customer data to be affected are Windows and MacOS, which is in agreement with 3CX’s information on affected platforms. According to information on their support forum, Android and iOS versions of the software are not believed to be affected. At this writing, 3CX has deprecated the affected versions of the Windows application. NIST tracks this issue as CVE-2023-29059.

Figure 1: The update process at the moment the malicious version drops

On March 22, users of 3CX began discussion of potential false-positive detections of 3CXDesktopApp by their endpoint security agents. Sophos MDR first identified malicious activity directed at its own customers and stemming from 3CXDesktopApp on March 29, 2023. Additionally, Sophos MDR has observed the campaign leveraging a public file storage to host encoded malware. This repository has been in use since December; after news of the compromise spread widely on March 29, the repository was taken down.

The attack revolves around a DLL sideloading scenario, one with a remarkable number of components involved. This is likely to ensure that customers were able to use the 3CX desktop package without noticing anything unusual about the affected package. We have identified three crucial components:

d3dcompiler_47.dll, a DLL with an appended encrypted payload

Figure 2 presents a high-level look at the attack flow as it works in Windows; there are some minor variations in the later steps with the MacOS version.

Figure 2: A high-level view of the attack flow.

The file ffmpeg.dll contains an embedded URL which is used to retrieve a malicious encoded .ico payload from GitHub file storage at https///IconStorages/images/main/ - though, again, once news of the compromise spread widely, this repository was taken down.
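As an added example (not code from the Sophos write-up or from 3CX), a small Python triage check for the two DLL indicators described above: data appended after the last PE section, as in d3dcompiler_47.dll, and the payload repository path embedded in ffmpeg.dll. The minimal PE images it scans are constructed inline, and the 1024-byte overlay threshold is an assumption chosen for triage, not a value from the page.

```python
import struct

# Constructed marker from the write-up: the repository path that hosted the encoded
# .ico payload (the host is not given on the page, so it is not assumed here).
REPO_PATH_MARKER = b"IconStorages/images/main/"

def pe_overlay_size(data: bytes) -> int:
    """Bytes trailing the last PE section, minus any Authenticode certificate table.
    Raises ValueError if the input is not a parseable PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                   # IMAGE_OPTIONAL_HEADER
    end = 0
    for i in range(n_sections):                     # 40-byte IMAGE_SECTION_HEADER each
        size, ptr = struct.unpack_from("<II", data, opt + opt_size + i * 40 + 16)
        end = max(end, ptr + size)
    overlay = max(0, len(data) - end)
    # A signed DLL legitimately keeps its certificate table (data directory 4) in the
    # overlay; exclude it so only unexplained trailing bytes are counted.
    magic = struct.unpack_from("<H", data, opt)[0] if opt_size >= 2 else 0
    sec_dir = opt + (112 if magic == 0x20B else 96) + 4 * 8
    if sec_dir + 8 <= opt + opt_size:
        cert_off, cert_size = struct.unpack_from("<II", data, sec_dir)
        if cert_off >= end and cert_off + cert_size <= len(data):
            overlay -= cert_size
    return overlay

def build_minimal_pe(section: bytes, overlay: bytes = b"") -> bytes:
    """Constructed sample: a tiny one-section PE image, not a real DLL."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x2000)  # no optional header
    raw_ptr = e_lfanew + 24 + 40                     # section data follows its header
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section), 0x1000, len(section), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + file_hdr + sect + section + overlay

def scan_dll(data: bytes, overlay_threshold: int = 1024) -> dict:
    """Flag the two indicators described in the write-up for one DLL image."""
    overlay = pe_overlay_size(data)
    return {"overlay_bytes": overlay, "suspicious_overlay": overlay >= overlay_threshold,
            "has_repo_path": REPO_PATH_MARKER in data}
```

Any overlay that remains after the certificate table is excluded should be compared against a known-good copy of the same DLL version rather than treated as proof of tampering on its own.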