Lazarus Group's Exploitation of 3CXDesktopApp: A Comprehensive Analysis of the March 2023 Supply Chain Attack

Executive Summary

In March 2023, a sophisticated supply chain attack was identified involving the 3CXDesktopApp, a VoIP phone system developed by 3CX. This attack was attributed to the Lazarus Group, a North Korean state-sponsored Advanced Persistent Threat (APT) group, also known as Hidden Cobra. The attack targeted sectors such as financial services, energy, and healthcare across multiple countries, focusing on espionage and financial gain. The compromise was first detected when users noticed potential false-positive detections of the 3CXDesktopApp by their endpoint security agents.

Technical Information

The attack on the 3CXDesktopApp was a multi-stage operation that began with the execution of a Microsoft Software Installer (MSI) file. This file dropped a compromised DLL named ffmpeg.dll alongside the legitimate 3CXDesktopApp, exploiting a technique known as DLL Side-Loading. The malicious DLL obtained a unique identifier for the victim by reading the registry value MachineGuid, located under HKLM\SOFTWARE\Microsoft\Cryptography. This identifier was then used to register the victim in the adversary's infrastructure via an HTTP POST request.

The second stage of the attack involved downloading and executing an infostealer using the Reflective DLL Injection technique, which loads code into the process's own memory. The malware sought to obtain system and browser information through API calls and file collection. The third stage employed DLL Search Order Hijacking to execute a DLL, aiming to load and execute the main module of the Gopuram backdoor using Reflective DLL Injection. The backdoor capabilities included discovering connections to other hosts, scanning the system registry, creating new services, listing active processes, discovering users and permissions, and using Timestomping to modify file timestamps.

The attack leveraged several MITRE ATT&CK techniques, including Ingress Tool Transfer (T1105), Hijack Execution Flow: DLL Side-Loading (T1547.002), Query Registry (T1012), Application Layer Protocol: Web Protocols (T1071.001), Reflective DLL Injection (T1620), System Information Discovery (T1082), DLL Search Order Hijacking (T1574.001), Internet Connection Discovery (T1016.001), Create or Modify System Process: Windows Service (T1543.003), Process Discovery (T1057), Account Discovery: Local Account (T1087.001), System Network Connections Discovery (T1049), Permission Groups Discovery: Local Groups (T1069.001), Process Injection (T1055), and Indicator Removal: Timestomp (T1070.006).

Exploitation in the Wild

The Lazarus Group's exploitation of the 3CXDesktopApp involved specific usage of the compromised binary to beacon information to adversary-controlled infrastructure, deploy second-stage payloads, and in some cases, engage in hands-on keyboard activity. Indicators of Compromise (IOCs) included the presence of the ffmpeg.dll file and network traffic to known command and control (C2) servers.

APT Groups using this vulnerability

The Lazarus Group, attributed to the North Korean government, is the primary APT group exploiting this vulnerability. Known for their sophisticated cyber operations, they have targeted various sectors, including financial services, energy, and healthcare, across multiple countries.

Affected Product Versions

The affected software was 3CX DesktopApp version 18.12.416 and earlier. These versions contained malicious code that ran a downloader, SUDDENICON, which in turn received additional command and control (C2) servers from encrypted icon files hosted on GitHub.

Workaround and Mitigation

To mitigate the risks associated with this attack, organizations should monitor for newly constructed processes and DLL/PE file events to detect DLL Side-Loading. Application Developer Guidance (M1013) and Update Software (M1051) are recommended mitigation strategies. For Reflective DLL Injection, monitoring code artifacts associated with reflective loading is crucial, although preventive controls are challenging due to system feature abuse. To counter DLL Search Order Hijacking, organizations should audit (M1047), implement Execution Prevention (M1038), and restrict library loading (M1044).
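The monitoring described above can be tied to the first-stage behavior from the Technical Information section. The following hunting sketch is an added example, not code from this report or from any vendor: it correlates, per process, an application-local DLL load, a read of MachineGuid, and a later HTTP POST. The event schema, field names, paths, PIDs, hostnames and the 10-minute window are all constructed assumptions, and a match is a lead for triage rather than a verdict.

```python
from datetime import datetime, timedelta
import ntpath

MACHINE_GUID = r"hklm\software\microsoft\cryptography\machineguid"
WINDOW = timedelta(minutes=10)            # assumed correlation window
APP = r"C:\Apps\3CXDesktopApp"            # constructed install path
SYS = r"C:\Windows\System32"

def ev(ts, pid, image, kind, target):
    return {"ts": datetime.fromisoformat(ts), "pid": pid, "image": image,
            "type": kind, "target": target}

# Constructed telemetry in a hypothetical normalized schema (no real product format).
EVENTS = [
    ev("2023-03-30T09:00:01", 4120, APP + r"\3CXDesktopApp.exe", "image_load", APP + r"\ffmpeg.dll"),
    ev("2023-03-30T09:00:03", 4120, APP + r"\3CXDesktopApp.exe", "registry_read", r"HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid"),
    ev("2023-03-30T09:04:10", 4120, APP + r"\3CXDesktopApp.exe", "http_post", "c2.example.invalid"),
    ev("2023-03-30T09:01:00", 988, SYS + r"\svchost.exe", "image_load", SYS + r"\crypt32.dll"),
    ev("2023-03-30T09:01:02", 988, SYS + r"\svchost.exe", "registry_read", r"HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid"),
    ev("2023-03-30T09:01:05", 988, SYS + r"\svchost.exe", "http_post", "update.example.invalid"),
    ev("2023-03-30T09:02:00", 5000, r"C:\Apps\Editor\editor.exe", "image_load", r"C:\Apps\Editor\ffmpeg.dll"),
    ev("2023-03-30T09:02:30", 5000, r"C:\Apps\Editor\editor.exe", "http_post", "cdn.example.invalid"),
]

def is_app_local(image, dll):
    """True if the DLL sits next to the executable, outside the Windows directory."""
    exe_dir = ntpath.normcase(ntpath.dirname(image))
    return (ntpath.normcase(ntpath.dirname(dll)) == exe_dir
            and not exe_dir.startswith(ntpath.normcase(r"C:\Windows")))

def hunt(events, window=WINDOW):
    """Return one lead per process that shows, in order: an app-local DLL load,
    a MachineGuid read, then an HTTP POST within `window` of that read."""
    leads, state = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        s = state.setdefault(e["pid"], {"dlls": [], "guid_ts": None, "hit": False})
        if s["hit"]:
            continue                      # already reported this process
        if e["type"] == "image_load" and is_app_local(e["image"], e["target"]):
            if s["guid_ts"] is None:      # only DLLs loaded before the GUID read
                s["dlls"].append(ntpath.basename(e["target"]))
        elif e["type"] == "registry_read" and e["target"].lower() == MACHINE_GUID:
            if s["dlls"] and s["guid_ts"] is None:
                s["guid_ts"] = e["ts"]
        elif e["type"] == "http_post" and s["guid_ts"] and e["ts"] - s["guid_ts"] <= window:
            s["hit"] = True
            leads.append({"pid": e["pid"], "image": e["image"], "dlls": s["dlls"], "dest": e["target"]})
    return leads
```

The constructed editor.exe process also loads its own ffmpeg.dll but never reads MachineGuid, so it is not reported: the file name alone does not separate a trojanized copy from a legitimate one.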

References

For further reading and detailed analysis, please refer to the following resources: AttackIQ's response to the Lazarus' 3CX Supply Chain Compromise at https://www.attackiq.com/2023/04/14/response-to-lazarus-3cx-supply-chain-compromise/, Google Cloud Blog's coverage of the 3CX Software Supply Chain Compromise at https://cloud.google.com/blog/topics/threat-intelligence/3cx-software-supply-chain-compromise, and reports from CrowdStrike, SecureList, Qualys, and Sophos on the 3CX supply chain attack.

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive threat intelligence and proactive defense strategies. We are here to assist you in understanding and mitigating risks associated with vulnerabilities like the 3CX supply chain compromise. Should you have any questions or require further assistance, please do not hesitate to contact us at ops@rescana.com.
