3CX Supply Chain Lab
CyberDefenders Threat Intel Lab

Scenario
A large multinational corporation heavily relies on the 3CX software for phone communication, making it a critical component of their business operations. After a recent update to the 3CX Desktop App, antivirus alerts flag sporadic instances of the software being wiped from some workstations while others remain unaffected. Dismissing this as a false positive, the IT team overlooks the alerts, only to notice degraded performance and strange network traffic to unknown servers. Employees report issues with the 3CX app, and the IT security team identifies unusual communication patterns linked to recent software updates.
As the threat intelligence analyst, it’s your responsibility to examine this possible supply chain attack. Your objectives are to uncover how the attackers compromised the 3CX app, identify the potential threat actor involved, and assess the overall extent of the incident.
Question 1
Understanding the scope of the attack and identifying which versions exhibit malicious behavior is crucial for making informed decisions if these compromised versions are present in the organization. How many versions of 3CX running on Windows have been flagged as malware?
Answer 1
Looking through a few reports on security vendor websites, I was able to track down the CVE (CVE-2023-29059), which led me to the two 3CX Desktop App versions for Windows, 18.12.407 and 18.12.416, that shipped with the embedded malicious code.

Question 2
Determining the age of the malware can help assess the extent of the compromise and track the evolution of malware families and variants. What’s the UTC creation time of the .msi malware?
Answer 2
A VirusTotal scan of the included file shows the creation time 2023-03-13 06:33 UTC. The value comes from the SummaryInformation stream of the MSI (an OLE compound file), so it is metadata the attacker controls: useful for ordering the build chain, not proof of when the package was actually produced.
Question 3
Executable files (.exe) are frequently used as primary or secondary malware payloads, while dynamic link libraries (.dll) often load malicious code or enhance malware functionality. Analyzing files deposited by the Microsoft Software Installer (.msi) is crucial for identifying malicious files and investigating their full potential. Which malicious DLLs were dropped by the .msi file?
Answer 3
Looking deeper into what the .msi file bundles, the VirusTotal page shows two DLLs with high detection rates dropped by the installer: ffmpeg.dll and d3dcompiler_47.dll.

Question 4
Recognizing the persistence techniques used in this incident is essential for current mitigation strategies and future defense improvements. What is the MITRE Technique ID employed by the .msi files to load the malicious DLL?
Answer 4
DLL side-loading is a very common way to gain persistence on a machine: the legitimate, signed 3CXDesktopApp.exe loads ffmpeg.dll from its own directory, so the trojanized DLL runs inside a trusted process every time the application starts. The MITRE ATT&CK technique is T1574 (Hijack Execution Flow), sub-technique T1574.002 (DLL Side-Loading).
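To turn that into something a defender can run, here is an added example (not part of the lab or this writeup) that triages image-load telemetry for the side-loading shape described above. The records mimic Sysmon Event ID 7 fields; the paths, signer strings and SHA-256 values are constructed for the demo, and the hash set is a stand-in for the vendor-published IOCs, not the real ones.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLL names that ship with Windows. Seeing one resolve from an application
# directory instead of System32/SysWOW64 is the classic side-loading shape.
OS_DLL_NAMES = {"d3dcompiler_47.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class ImageLoad:
    """One image-load record, modelled on Sysmon Event ID 7 fields."""
    image: str             # loading process
    image_loaded: str      # DLL path
    signature: str         # signer subject, "" if unsigned
    signature_status: str  # "Valid", "Invalid", "Unavailable", ...
    sha256: str


@dataclass(frozen=True)
class Finding:
    image_loaded: str
    severity: str          # "confirmed" on a hash hit, otherwise "candidate"
    reasons: tuple


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def same_directory(a: str, b: str) -> bool:
    # PureWindowsPath compares case-insensitively, like NTFS
    return PureWindowsPath(a).parent == PureWindowsPath(b).parent


def triage(events, loader_signer, known_bad_sha256=frozenset()):
    """Return findings for loads that match the side-loading shape or a known hash."""
    findings = []
    for ev in events:
        name = PureWindowsPath(ev.image_loaded).name.lower()
        reasons = []
        if name in OS_DLL_NAMES and not in_system_dir(ev.image_loaded):
            reasons.append("Windows DLL resolved from the application directory")
        if same_directory(ev.image, ev.image_loaded) and ev.signature != loader_signer:
            reasons.append(f"signer {ev.signature or 'unsigned'!r} differs from loader signer")
        if ev.signature_status != "Valid":
            reasons.append(f"signature status {ev.signature_status}")
        hash_hit = ev.sha256.lower() in known_bad_sha256
        if hash_hit:
            reasons.append("SHA-256 matches a published IOC")
        if reasons:
            severity = "confirmed" if hash_hit else "candidate"
            findings.append(Finding(ev.image_loaded, severity, tuple(reasons)))
    return findings


# Constructed sample telemetry. Paths follow the 3CX Desktop App layout; the
# signer strings and hashes are placeholders, not the real indicators.
APP_DIR = r"C:\Users\alice\AppData\Local\Programs\3CXDesktopApp\app"
LOADER = APP_DIR + r"\3CXDesktopApp.exe"
LOADER_SIGNER = "3CX Ltd"  # assumed subject string for the demo
SAMPLE_EVENTS = [
    ImageLoad(LOADER, APP_DIR + r"\ffmpeg.dll", "3CX Ltd", "Valid", "deadbeef" * 8),
    ImageLoad(LOADER, APP_DIR + r"\d3dcompiler_47.dll", "Microsoft Corporation", "Valid", "cafebabe" * 8),
    ImageLoad(LOADER, r"C:\Windows\System32\kernel32.dll", "Microsoft Windows", "Valid", "01" * 32),
]
PLACEHOLDER_IOCS = {"deadbeef" * 8, "cafebabe" * 8}  # stand-in for vendor hashes

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, LOADER_SIGNER, PLACEHOLDER_IOCS):
        print(f"{f.severity:9} {f.image_loaded}: {'; '.join(f.reasons)}")
```

Note what the run shows. d3dcompiler_47.dll stands out on shape alone (a Microsoft-signed Windows DLL resolved from the 3CX directory), but Electron applications ship that DLL legitimately, so it is only a candidate until the hash is checked. ffmpeg.dll is invisible to the shape rules because it was signed with 3CX's own certificate and sits exactly where the loader expects it; only the hash match catches it, which is why signature validity on its own is not a clean signal for this incident.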

Question 5
Recognizing the malware type (threat category) is essential to your investigation, as it can offer valuable insight into the possible malicious actions you’ll be examining. What is the threat category of the two malicious DLLs?
Answer 5
Both DLLs carry the characteristics of a Trojan, which is the threat category VirusTotal assigns them: they are disguised as components of legitimate, signed software, set up persistence and extract information from the system.
Question 6
As a threat intelligence analyst conducting dynamic analysis, it’s vital to understand how malware can evade detection in virtualized environments or analysis systems. This knowledge will help you effectively mitigate or address these evasive tactics. What is the MITRE ID for the virtualization/sandbox evasion techniques used by the two malicious DLLs?
Answer 6
Trying to evade sandboxes and virtualization is a very common practice in sophisticated malware, since it makes dynamic analysis harder. The VirusTotal behaviour tags for both DLLs map to MITRE ATT&CK T1497 (Virtualization/Sandbox Evasion).

Question 7
When conducting malware analysis and reverse engineering, understanding anti-analysis techniques is vital to avoid wasting time. Which hypervisor is targeted by the anti-analysis techniques in the ffmpeg.dll file?
Answer 7
The VirusTotal behaviour report for ffmpeg.dll shows it querying the system registry for VMware strings, so the hypervisor it checks for is VMware; a positive result lets it switch to more evasive behaviour.

Question 8
Identifying the cryptographic method used in malware is crucial for understanding the techniques employed to bypass defense mechanisms and execute its functions fully. What encryption algorithm is used by the ffmpeg.dll file?
Answer 8
As part of its defense-evasion techniques, the malware encrypts data with RC4, which makes static analysis harder. RC4 is a symmetric stream cipher, so the same routine encrypts and decrypts, and the key has to be embedded in the binary; recovering it (from strings or the decompiled routine) is enough to unpack the protected data.
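As an added example (not from the writeup or the 3CX binaries), the block below implements RC4 and the key sweep an analyst typically does once the algorithm is identified: try the candidate strings pulled from the DLL as keys and stop when the decrypted output parses as a PE. The key, the candidate list and the fake payload are all constructed for the demo.

```python
from typing import Iterable, Optional, Tuple


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: build the 256-byte permutation S from the key."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4(key: bytes, data: bytes) -> bytes:
    """PRGA keystream XORed over data; encryption and decryption are the same call."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Minimal PE sniff: 'MZ' at offset 0 and e_lfanew pointing at the 'PE' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def sweep_keys(blob: bytes, candidates: Iterable[bytes]) -> Optional[Tuple[bytes, bytes]]:
    """Try each candidate key; return (key, plaintext) for the first PE-shaped result."""
    for key in candidates:
        plain = rc4(key, blob)
        if looks_like_pe(plain):
            return key, plain
    return None


# Constructed fixture: a stub with a valid MZ/PE header layout stands in for the
# stage-2 payload, and DEMO_KEY for the key an analyst would pull from the binary.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"<constructed stage 2>"
DEMO_KEY = b"demo-key-not-real"
ENCRYPTED_BLOB = rc4(DEMO_KEY, FAKE_PE)
# Strings that might have been pulled from the DLL (constructed for the demo).
CANDIDATE_KEYS = [b"ffmpeg", b"3CXDesktopApp", DEMO_KEY, b"d3dcompiler"]

if __name__ == "__main__":
    hit = sweep_keys(ENCRYPTED_BLOB, CANDIDATE_KEYS)
    print("key:", hit[0] if hit else None)
```

The PE sniff is deliberately cheap: when sweeping hundreds of candidate strings you want a check that rejects garbage after reading a handful of bytes, and a real MZ header plus a sane e_lfanew is enough to do that. Swap the sniff for whatever the expected plaintext looks like (a shellcode prologue, a JSON config, a URL) when the decrypted object is not an executable.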
Question 9
As an analyst, you’ve recognized some TTPs involved in the incident, but identifying the APT group responsible will help you search for their usual TTPs and uncover other potential malicious activities. Which group is responsible for this attack?
Answer 9
A brief search across a few security vendor websites attributes the attack to a North Korean group tracked by CrowdStrike as Labyrinth Chollima, a subgroup of Lazarus (Mandiant tracks the same activity as UNC4736).