3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible | Mandiant
Tags
Common Information
Type | Value |
---|---|
UUID | f447fcf3-f1dd-4ddd-8f17-e9eb1e984c03 |
Fingerprint | ed1f9d51ccb68ca1 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | April 20, 2023, midnight |
Added to db | Nov. 6, 2023, 6:52 p.m. |
Last updated | Nov. 17, 2024, 6:56 p.m. |
Headline | 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible |
Title | 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible | Mandiant |
Detected Hints/Tags/Attributes | 158/4/72 |
Source URLs
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 330 | ✔ | Threat Intelligence | https://www.mandiant.com/resources/blog/rss.xml | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | CVE | 30 | | cve-2013-3900 |
Details | CVE | 22 | | cve-2022-0609 |
Details | Domain | 4 | | www.tradingtechnologies.com |
Details | Domain | 41 | | journalide.org |
Details | File | 3 | | 90p608.exe |
Details | File | 208 | | setup.exe |
Details | File | 198 | | msmpeng.exe |
Details | File | 7 | | 0.reg |
Details | md5 | 1 | | ef4ab22e565684424b4142b1294f1f4d |
Details | md5 | 1 | | c6441c961dcad0fe127514a918eaabd4 |
Details | md5 | 1 | | 19dbffec4e359a198daf4ffca1ab9165 |
Details | md5 | 3 | | 451c23709ecd5a8461ad060f6346930c |
Details | Mandiant Security Validation Actions | 1 | | A106-319 |
Details | Mandiant Security Validation Actions | 1 | | A106-321 |
Details | Mandiant Security Validation Actions | 1 | | A106-323 |
Details | Mandiant Security Validation Actions | 1 | | A106-324 |
Details | Mandiant Security Validation Actions | 1 | | A106-322 |
Details | Mandiant Uncategorized Groups | 59 | | UNC4736 |
Details | Mandiant Uncategorized Groups | 5 | | UNC3782 |
Details | Mandiant Uncategorized Groups | 5 | | UNC4469 |
Details | MITRE ATT&CK Techniques | 145 | | T1588 |
Details | MITRE ATT&CK Techniques | 18 | | T1588.004 |
Details | MITRE ATT&CK Techniques | 46 | | T1608 |
Details | MITRE ATT&CK Techniques | 17 | | T1608.003 |
Details | MITRE ATT&CK Techniques | 542 | | T1190 |
Details | MITRE ATT&CK Techniques | 52 | | T1195 |
Details | MITRE ATT&CK Techniques | 36 | | T1195.002 |
Details | MITRE ATT&CK Techniques | 164 | | T1574 |
Details | MITRE ATT&CK Techniques | 227 | | T1574.002 |
Details | MITRE ATT&CK Techniques | 440 | | T1055 |
Details | MITRE ATT&CK Techniques | 627 | | T1027 |
Details | MITRE ATT&CK Techniques | 348 | | T1036 |
Details | MITRE ATT&CK Techniques | 15 | | T1036.001 |
Details | MITRE ATT&CK Techniques | 247 | | T1070 |
Details | MITRE ATT&CK Techniques | 92 | | T1070.001 |
Details | MITRE ATT&CK Techniques | 297 | | T1070.004 |
Details | MITRE ATT&CK Techniques | 550 | | T1112 |
Details | MITRE ATT&CK Techniques | 504 | | T1140 |
Details | MITRE ATT&CK Techniques | 238 | | T1497 |
Details | MITRE ATT&CK Techniques | 97 | | T1497.001 |
Details | MITRE ATT&CK Techniques | 91 | | T1620 |
Details | MITRE ATT&CK Techniques | 52 | | T1622 |
Details | MITRE ATT&CK Techniques | 501 | | T1012 |
Details | MITRE ATT&CK Techniques | 1006 | | T1082 |
Details | MITRE ATT&CK Techniques | 585 | | T1083 |
Details | MITRE ATT&CK Techniques | 50 | | T1614 |
Details | MITRE ATT&CK Techniques | 33 | | T1614.001 |
Details | MITRE ATT&CK Techniques | 444 | | T1071 |
Details | MITRE ATT&CK Techniques | 442 | | T1071.001 |
Details | MITRE ATT&CK Techniques | 52 | | T1071.004 |
Details | MITRE ATT&CK Techniques | 492 | | T1105 |
Details | MITRE ATT&CK Techniques | 163 | | T1573 |
Details | MITRE ATT&CK Techniques | 74 | | T1573.002 |
Details | MITRE ATT&CK Techniques | 33 | | T1565 |
Details | MITRE ATT&CK Techniques | 13 | | T1565.001 |
Details | Threat Actor Identifier - APT | 115 | | APT43 |
Details | Yara rule | 1 | | M_Hunting_3CXDesktopApp_Key (rule text under Yara rules below) |
Details | Yara rule | 1 | | M_Hunting_3CXDesktopApp_Export (rule text under Yara rules below) |
Details | Yara rule | 1 | | TAXHAUL (rule text under Yara rules below) |
Details | Yara rule | 1 | | M_Hunting_MSI_Installer_3CX_1, first variant (rule text under Yara rules below) |
Details | Yara rule | 1 | | M_Hunting_TAXHAUL_Hash_1 (rule text under Yara rules below) |
Details | Yara rule | 1 | | M_Hunting_SigFlip_SigLoader_Native (rule text under Yara rules below) |
Details | Yara rule | 1 | | M_Hunting_Raw64_DAVESHELL_Bootstrap (rule text under Yara rules below) |
Details | Yara rule | 1 | | M_Hunting_MSI_Installer_3CX_1, second variant (rule text under Yara rules below) |
Details | Yara rule | 1 | | M_Hunting_VEILEDSIGNAL_1 (rule text under Yara rules below) |
Details | Yara rule | 1 | | M_Hunting_VEILEDSIGNAL_2 (rule text under Yara rules below) |
Details | Yara rule | 1 | | M_Hunting_VEILEDSIGNAL_3 (rule text under Yara rules below) |
Details | Yara rule | 1 | | M_Hunting_VEILEDSIGNAL_4 (rule text under Yara rules below) |
Details | Yara rule | 1 | | M_Hunting_VEILEDSIGNAL_5 (rule text under Yara rules below) |
Details | Yara rule | 1 | | M_Hunting_VEILEDSIGNAL_6 (rule text under Yara rules below) |
Details | Yara rule | 1 | | MTI_Hunting_POOLRAT (rule text under Yara rules below) |
Details | Yara rule | 1 | | M_Hunting_FASTREVERSEPROXY (rule text under Yara rules below) |

Yara rules

```yara
rule M_Hunting_3CXDesktopApp_Key
{
    meta:
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "Detects a key found in a malicious 3CXDesktopApp file"
        md5 = "74bc2d0b6680faa1a5a76b27e5479cbc"
        date = "2023/03/29"
        version = "1"
    strings:
        $key = "3jB(2bsG#@c7" ascii wide
    condition:
        $key
}
```

```yara
rule M_Hunting_3CXDesktopApp_Export
{
    meta:
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "Detects an export used in 3CXDesktopApp malware"
        md5 = "7faea2b01796b80d180399040bb69835"
        date = "2023/03/31"
        version = "1"
    strings:
        $str1 = "DllGetClassObject" ascii wide
        $str2 = "3CXDesktopApp" ascii wide
    condition:
        all of ($str*)
}
```

```yara
rule TAXHAUL
{
    meta:
        author = "Mandiant"
        created = "04/03/2023"
        modified = "04/03/2023"
        version = "1.0"
    strings:
        $p00_0 = { 41 0F 45 FE 4C 8D 3D [4] EB ?? 45 33 F6 4C 8D 3D [4] EB ?? 45 33 F6 4C 8D 3D [4] EB }
        $p00_1 = { 4D 39 26 48 8B 01 40 0F 94 C6 FF 90 [4] 41 B9 [4] EB ?? 8B DE 48 85 C0 74 }
    condition:
        uint16(0) == 0x5A4D and any of them
}
```

```yara
rule M_Hunting_MSI_Installer_3CX_1
{
    meta:
        author = "Mandiant"
        md5 = "0eeb1c0133eb4d571178b2d9d14ce3e9, f3d4144860ca10ba60f7ef4d176cc736"
    strings:
        $ss1 = { 20 00 5F 64 33 64 63 6F 6D 70 69 6C 65 72 5F 34 37 2E 64 6C 6C 5F }
        $ss2 = { 20 00 5F 33 43 58 44 65 73 6B 74 6F 70 41 70 70 2E }
        $ss3 = { 20 00 5F 66 66 6D 70 65 67 2E 64 6C 6C 5F }
        $ss4 = "3CX Ltd1"
        $sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }
        $sc2 = "202303"
    condition:
        (uint32(0) == 0xE011CFD0) and filesize > 90MB and filesize < 105MB and all of them
}
```

```yara
rule M_Hunting_TAXHAUL_Hash_1
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "Rule looks for hardcoded value used in string hashing algorithm observed in instances of TAXHAUL."
        md5 = "e424f4e52d21c3da1b08394b42bc0829"
    strings:
        $c_x64 = { 25 A3 87 DE [4-20] 25 A3 87 DE [4-20] 25 A3 87 DE }
    condition:
        filesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and any of them
}
```

```yara
rule M_Hunting_SigFlip_SigLoader_Native
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "Rule looks for strings present in SigLoader (Native)"
        md5 = "a3ccc48db9eabfed7245ad6e3a5b203f"
    strings:
        $s1 = "[*]: Basic Loader..." ascii wide
        $s2 = "[!]: Missing PE path or Encryption Key..." ascii wide
        $s3 = "[!]: Usage: %s <PE_PATH> <Encryption_Key>" ascii wide
        $s4 = "[*]: Loading/Parsing PE File '%s'" ascii wide
        $s5 = "[!]: Could not read file %s" ascii wide
        $s6 = "[!]: '%s' is not a valid PE file" ascii wide
        $s7 = "[+]: Certificate Table RVA %x" ascii wide
        $s8 = "[+]: Certificate Table Size %d" ascii wide
        $s9 = "[*]: Tag Found 0x%x%x%x%x" ascii wide
        $s10 = "[!]: Could not locate data/shellcode" ascii wide
        $s11 = "[+]: Encrypted/Decrypted Data Size %d" ascii wide
    condition:
        filesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and 4 of ($s*)
}
```

```yara
rule M_Hunting_Raw64_DAVESHELL_Bootstrap
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "Rule looks for bootstrap shellcode (64 bit) present in DAVESHELL"
        md5 = "8a34adda5b981498234be921f86dfb27"
    strings:
        $b6ba50888f08e4f39b43ef67da27521dcfc61f1e = { E8 00 00 00 00 59 49 89 C8 48 81 C1 ?? ?? ?? ?? BA ?? ?? ?? ?? 49 81 C0 ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 56 48 89 E6 48 83 E4 F0 48 83 EC 30 C7 44 24 20 ?? ?? ?? ?? E8 ?? 00 00 00 48 89 F4 5E C3 }
        $e32abbe82e1f957fb058c3770375da3bf71a8cab = { E8 00 00 00 00 59 49 89 C8 BA ?? ?? ?? ?? 49 81 C0 ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 56 48 89 E6 48 83 E4 F0 48 83 EC 30 48 89 4C 24 28 48 81 C1 ?? ?? ?? ?? C7 44 24 20 ?? ?? ?? ?? E8 ?? 00 00 00 48 89 F4 5E C3 }
    condition:
        filesize < 15MB and any of them
}
```

```yara
rule M_Hunting_MSI_Installer_3CX_1
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "This rule looks for hardcoded values within the MSI installer observed in strings and signing certificate"
        md5 = "0eeb1c0133eb4d571178b2d9d14ce3e9"
    strings:
        $ss1 = { 20 00 5F 64 33 64 63 6F 6D 70 69 6C 65 72 5F 34 37 2E 64 6C 6C 5F }
        $ss2 = { 20 00 5F 33 43 58 44 65 73 6B 74 6F 70 41 70 70 2E }
        $ss3 = { 20 00 5F 66 66 6D 70 65 67 2E 64 6C 6C 5F }
        $ss4 = "3CX Ltd1"
        $sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }
        $sc2 = "202303"
    condition:
        (uint32(0) == 0xE011CFD0) and filesize > 90MB and filesize < 100MB and all of them
}
```

```yara
rule M_Hunting_VEILEDSIGNAL_1
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        md5 = "404b09def6054a281b41d309d809a428, c6441c961dcad0fe127514a918eaabd4"
    strings:
        $rh1 = { 68 5D 7A D2 2C 3C 14 81 2C 3C 14 81 2C 3C 14 81 77 54 10 80 26 3C 14 81 77 54 17 80 29 3C 14 81 77 54 11 80 AB 3C 14 81 D4 4C 11 80 33 3C 14 81 D4 4C 10 80 22 3C 14 81 D4 4C 17 80 25 3C 14 81 77 54 15 80 27 3C 14 81 2C 3C 15 81 4B 3C 14 81 94 4D 1D 80 28 3C 14 81 94 4D 14 80 2D 3C 14 81 94 4D 16 80 2D 3C 14 81 }
        $rh2 = { 00 E5 A0 2B 44 84 CE 78 44 84 CE 78 44 84 CE 78 1F EC CA 79 49 84 CE 78 1F EC CD 79 41 84 CE 78 1F EC CB 79 C8 84 CE 78 BC F4 CA 79 4A 84 CE 78 BC F4 CD 79 4D 84 CE 78 BC F4 CB 79 65 84 CE 78 1F EC CF 79 43 84 CE 78 44 84 CF 78 22 84 CE 78 FC F5 C7 79 42 84 CE 78 FC F5 CE 79 45 84 CE 78 FC F5 CC 79 45 84 CE 78 }
        $rh3 = { DA D2 21 22 9E B3 4F 71 9E B3 4F 71 9E B3 4F 71 C5 DB 4C 70 94 B3 4F 71 C5 DB 4A 70 15 B3 4F 71 C5 DB 4B 70 8C B3 4F 71 66 C3 4B 70 8C B3 4F 71 66 C3 4C 70 8F B3 4F 71 C5 DB 49 70 9F B3 4F 71 66 C3 4A 70 B0 B3 4F 71 C5 DB 4E 70 97 B3 4F 71 9E B3 4E 71 F9 B3 4F 71 26 C2 46 70 9F B3 4F 71 26 C2 B0 71 9F B3 4F 71 9E B3 D8 71 9F B3 4F 71 26 C2 4D 70 9F B3 4F 71 }
        $rh4 = { CB 8A 35 66 8F EB 5B 35 8F EB 5B 35 8F EB 5B 35 D4 83 5F 34 85 EB 5B 35 D4 83 58 34 8A EB 5B 35 D4 83 5E 34 09 EB 5B 35 77 9B 5E 34 92 EB 5B 35 77 9B 5F 34 81 EB 5B 35 77 9B 58 34 86 EB 5B 35 D4 83 5A 34 8C EB 5B 35 8F EB 5A 35 D3 EB 5B 35 37 9A 52 34 8C EB 5B 35 37 9A 58 34 8E EB 5B 35 37 9A 5B 34 8E EB 5B 35 37 9A 59 34 8E EB 5B 35 }
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 1 of ($rh*)
}
```

```yara
rule M_Hunting_VEILEDSIGNAL_2
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        md5 = "404b09def6054a281b41d309d809a428"
    strings:
        $sb1 = { C1 E0 05 4D 8? [2] 33 D0 45 69 C0 7D 50 BF 12 8B C2 41 FF C2 C1 E8 07 33 D0 8B C2 C1 E0 16 41 81 C0 87 D6 12 00 }
        $si1 = "CryptBinaryToStringA" fullword
        $si2 = "BCryptGenerateSymmetricKey" fullword
        $si3 = "CreateThread" fullword
        $ss1 = "ChainingModeGCM" wide
        $ss2 = "__tutma" fullword
    condition:
        (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C) + 0x18) == 0x020B) and all of them
}
```

```yara
rule M_Hunting_VEILEDSIGNAL_3
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        md5 = "c6441c961dcad0fe127514a918eaabd4"
    strings:
        $ss1 = { 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6A 73 6F 6E 2C 20 74 65 78 74 2F 6A 61 76 61 73 63 72 69 70 74 2C 20 2A 2F 2A 3B 20 71 3D 30 2E 30 31 00 00 61 63 63 65 70 74 00 00 65 6E 2D 55 53 2C 65 6E 3B 71 3D 30 2E 39 00 00 61 63 63 65 70 74 2D 6C 61 6E 67 75 61 67 65 00 63 6F 6F 6B 69 65 00 00 }
        $si1 = "HttpSendRequestW" fullword
        $si2 = "CreateNamedPipeW" fullword
        $si3 = "CreateThread" fullword
        $se1 = "DllGetClassObject" fullword
    condition:
        (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C) + 0x18) == 0x020B) and all of them
}
```

```yara
rule M_Hunting_VEILEDSIGNAL_4
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        md5 = "404b09def6054a281b41d309d809a428, c6441c961dcad0fe127514a918eaabd4"
    strings:
        $sb1 = { FF 15 FC 76 01 00 8B F0 85 C0 74 ?? 8D 50 01 [6-16] FF 15 [4] 48 8B D8 48 85 C0 74 ?? 89 ?? 24 28 44 8B CD 4C 8B C? 48 89 44 24 20 }
        $sb2 = { 33 D2 33 C9 FF 15 [4] 4C 8B CB 4C 89 74 24 28 4C 8D 05 [2] FF FF 44 89 74 24 20 33 D2 33 C9 FF 15 }
        $si1 = "CreateThread" fullword
        $si2 = "MultiByteToWideChar" fullword
        $si3 = "LocalAlloc" fullword
        $se1 = "DllGetClassObject" fullword
    condition:
        (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C) + 0x18) == 0x020B) and all of them
}
```

```yara
rule M_Hunting_VEILEDSIGNAL_5
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        md5 = "6727284586ecf528240be21bb6e97f88"
    strings:
        $sb1 = { 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D [3] 48 8B CB FF 15 [4] EB }
        $ss1 = "chrome.exe" wide fullword
        $ss2 = "firefox.exe" wide fullword
        $ss3 = "msedge.exe" wide fullword
        $ss4 = "\\\\.\\pipe\\*" ascii fullword
        $ss5 = "FindFirstFileA" ascii fullword
        $ss6 = "Process32FirstW" ascii fullword
        $ss7 = "RtlAdjustPrivilege" ascii fullword
        $ss8 = "GetCurrentProcess" ascii fullword
        $ss9 = "NtWaitForSingleObject" ascii fullword
    condition:
        (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C) + 0x18) == 0x020B) and all of them
}
```

```yara
rule M_Hunting_VEILEDSIGNAL_6
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        md5 = "00a43d64f9b5187a1e1f922b99b09b77"
    strings:
        $ss1 = "C:\\Programdata\\" wide
        $ss2 = "devobj.dll" wide fullword
        $ss3 = "msvcr100.dll" wide fullword
        $ss4 = "TpmVscMgrSvr.exe" wide fullword
        $ss5 = "\\Microsoft\\Windows\\TPM" wide fullword
        $ss6 = "CreateFileW" ascii fullword
    condition:
        (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C) + 0x18) == 0x010B) and all of them
}
```

```yara
rule MTI_Hunting_POOLRAT
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "Detects strings found in POOLRAT. "
        md5 = "451c23709ecd5a8461ad060f6346930c"
        date = "10/28/2020"
        version = "1"
    strings:
        $str1 = "name=\"uid\"%s%s%u%s" ascii wide
        $str2 = "name=\"session\"%s%s%u%s" ascii wide
        $str3 = "name=\"action\"%s%s%s%s" ascii wide
        $str4 = "name=\"token\"%s%s%u%s" ascii wide
        $boundary = "--N9dLfqxHNUUw8qaUPqggVTpX-" ascii wide nocase
    condition:
        any of ($str*) or $boundary
}
```

```yara
rule M_Hunting_FASTREVERSEPROXY
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        md5 = "19dbffec4e359a198daf4ffca1ab9165"
    strings:
        $ss1 = "Go build ID:" fullword
        $ss2 = "Go buildinf:" fullword
        $ss3 = "net/http/httputil.(*ReverseProxy)."
        $ss4 = "github.com/fatedier/frp/client"
        $ss5 = "\"server_port\""
        $ss6 = "github.com/armon/go-socks5.proxy"
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them
}
```