// Hunting rule for the trojanized 3CX MSI installer: matches an OLE2/CFB
// container in a narrow size window that carries every hardcoded marker
// below (three installer name fragments, the vendor string, and two values
// the description attributes to the signing certificate).
// The exact byte sequences and the tight filesize window make the rule
// deliberately specific; a repacked or rebuilt installer may fall outside it.
rule M_Hunting_MSI_Installer_3CX_1 {
	meta:
		author = "Mandiant"
		disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
		description = "This rule looks for hardcoded values within the MSI installer observed in strings and signing certificate"
		md5 = "0eeb1c0133eb4d571178b2d9d14ce3e9"
	strings:
		// Installer name fragments. Each begins with the bytes 20 00 (a space
		// followed by a null byte) and continues as ASCII:
		//   $ss1 -> "_d3dcompiler_47.dll_"
		//   $ss2 -> "_3CXDesktopApp."
		//   $ss3 -> "_ffmpeg.dll_"
		$ss1 = { 20 00 5F 64 33 64 63 6F 6D 70 69 6C 65 72 5F 34 37 2E 64 6C 6C 5F }
		$ss2 = { 20 00 5F 33 43 58 44 65 73 6B 74 6F 70 41 70 70 2E }
		$ss3 = { 20 00 5F 66 66 6D 70 65 67 2E 64 6C 6C 5F }
		// Vendor string as it appears in the installer.
		$ss4 = "3CX Ltd1"
		// Per the description these two come from the signing certificate:
		// a 16-byte sequence and a six-digit value (looks like a YYYYMM
		// date, but the rule does not say so - treat as an opaque marker).
		$sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }
		$sc2 = "202303"
	condition:
		// File starts with D0 CF 11 E0, the OLE2 Compound File signature
		// that MSI packages use (read big-endian here; equivalent to the
		// little-endian comparison uint32(0) == 0xE011CFD0).
		uint32be(0) == 0xD0CF11E0
		// Size window of the observed installer (exclusive bounds).
		and (filesize > 90MB and filesize < 100MB)
		// Every string must be present: the installer markers AND the
		// certificate-derived values. This is the same set as "all of them".
		and all of ($ss*)
		and all of ($sc*)
}
Type Yara Rule
Details Website 2023-04-20 72 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible | Mandiant