[Threat Intel] 3CX Supply Chain Lab
Scenario
A large multinational corporation heavily relies on the 3CX software for phone communication, making it a critical component of their business operations. After a recent update to the 3CX Desktop App, antivirus alerts flag sporadic instances of the software being wiped from some workstations while others remain unaffected. Dismissing this as a false positive, the IT team overlooks the alerts, only to notice degraded performance and strange network traffic to unknown servers. Employees report issues with the 3CX app, and the IT security team identifies unusual communication patterns linked to recent software updates.
As the threat intelligence analyst, it's your responsibility to examine this possible supply chain attack. Your objectives are to uncover how the attackers compromised the 3CX app, identify the potential threat actor involved, and assess the overall extent of the incident.
Q1. Understanding the scope of the attack and identifying which versions exhibit malicious behavior is crucial for making informed decisions if these compromised versions are present in the organization. How many versions of 3CX running on Windows have been flagged as malware?
https://duo.com/decipher/3cx-windows-app-compromised-in-supply-chain-attack
3CX Windows App Compromised in Supply Chain Attack (duo.com): Two versions of the 3CX Windows electron app were compromised in a targeted supply chain attack, and researchers have connected it to a North Korean attack group.
The post above confirms that CrowdStrike researchers found malware signed with a valid digital certificate in 3CXDesktopApp versions 18.12.407 and 18.12.416.
Answer: 2
Q2. Determining the age of the malware can help assess the extent of the compromise and track the evolution of malware families and variants. What's the UTC creation time of the .msi malware?
Uploading the malware provided with the challenge to VirusTotal (VT) shows that the binary was compiled on 13 March 2023 at 06:33:26.
Answer: 2023-03-13 06:33:26 UTC
Q3. Executable files (.exe) are frequently used as primary or secondary malware payloads, while dynamic link libraries (.dll) often load malicious code or enhance malware functionality. Analyzing files deposited by the Microsoft Software Installer (.msi) is crucial for identifying malicious files and investigating their full potential. Which malicious DLLs were dropped by the .msi file?
3CX Desktop App Supply Chain Attack (SmoothOperator) Analysis (www.picussecurity.com): 3CX Desktop App attack is a supply chain attack campaign attributed to the Labyrinth Chollima APT group. This 3CX supply chain attack is named as SmoothOperator.
The malware performs DLL side-loading via ffmpeg.dll, and the final malicious behaviour is carried out in d3dcompiler_47.dll, which ffmpeg.dll loads.
Interesting. If I have time today, I'll analyse just the DLL side-loading part and upload it.
Answer: ffmpeg.dll d3dcompiler_47.dll
Q4. Recognizing the persistence techniques used in this incident is essential for current mitigation strategies and future defense improvements. What is the MITRE sub-technique ID employed by the .msi files to load the malicious DLL?
https://attack.mitre.org/techniques/T1574/002/
Hijack Execution Flow: DLL Side-Loading, Sub-technique T1574.002 - Enterprise | MITRE ATT&CK® (attack.mitre.org)
The ATT&CK technique covering DLL side-loading is Hijack Execution Flow: DLL Side-Loading.
Answer: T1574.002
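The side-loading identified in Q3 and Q4 is something a defender can hunt for in endpoint telemetry. The following is an added example, not code from the lab or from the reports cited above: it scans constructed Sysmon Event ID 7 (ImageLoad) records for the two DLL names named in this write-up being loaded from the loading process's own directory with a hash that is not on a known-good allowlist. The paths, the hashes, the sample records and the flat `Key=Value|Key=Value` rendering of the event fields are assumptions made for the example.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (ImageLoad) records.

Added example for this write-up; not code from the lab, from 3CX or from the
reports cited above. The log lines, paths and hashes below are constructed.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional

# Library names the write-up identifies as side-loaded in this incident.
WATCHED_DLLS = {"ffmpeg.dll", "d3dcompiler_47.dll"}

# Constructed allowlist: SHA256 of each DLL as shipped in a known-clean build.
# In practice these come from a golden image or the vendor's manifest.
KNOWN_GOOD_SHA256: Dict[str, set] = {
    "ffmpeg.dll": {"a" * 64},
    "d3dcompiler_47.dll": {"b" * 64},
}


@dataclass
class Finding:
    process: str
    dll: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value|Key=Value' record (a constructed flat rendering
    of the Sysmon ImageLoad fields Image, ImageLoaded, Hashes, Signed)."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def sha256_of(hashes_field: str) -> str:
    """Sysmon's Hashes field is 'SHA256=...,MD5=...'; pull out the SHA256."""
    for item in hashes_field.split(","):
        algo, _, digest = item.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return ""


def check_image_load(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when a watched DLL is loaded from the loading
    process's own directory and its hash is not on the allowlist."""
    dll_path = event.get("ImageLoaded", "")
    dll_name = ntpath.basename(dll_path).lower()
    if dll_name not in WATCHED_DLLS:
        return None
    proc_path = event.get("Image", "")
    # Side-loading resolves the library next to the executable, not from a
    # system directory such as System32.
    if ntpath.dirname(dll_path).lower() != ntpath.dirname(proc_path).lower():
        return None
    if sha256_of(event.get("Hashes", "")) in KNOWN_GOOD_SHA256.get(dll_name, set()):
        return None
    # Q1 of the write-up notes the malicious builds were signed with a valid
    # certificate, so a valid signature is recorded but does not clear the load.
    signed = event.get("Signed", "").lower() == "true"
    reason = "side-loaded DLL with unknown hash " + ("(signed)" if signed else "(unsigned)")
    return Finding(proc_path, dll_path, reason)


def scan(lines: List[str]) -> List[Finding]:
    """Run the check over every non-empty record and collect the findings."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        finding = check_image_load(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records (not real telemetry from the lab).
APP = r"C:\Users\alice\AppData\Local\Programs\3CXDesktopApp\app"
SAMPLE_LOG = [
    f"EventID=7|Image={APP}\\3CXDesktopApp.exe|ImageLoaded={APP}\\ffmpeg.dll|Hashes=SHA256={'a' * 64}|Signed=true",
    f"EventID=7|Image={APP}\\3CXDesktopApp.exe|ImageLoaded={APP}\\ffmpeg.dll|Hashes=SHA256={'c' * 64}|Signed=true",
    r"EventID=7|Image=C:\Program Files\ExampleApp\ExampleApp.exe|ImageLoaded=C:\Windows\System32\d3dcompiler_47.dll|Hashes=SHA256=" + "d" * 64 + "|Signed=true",
    f"EventID=7|Image={APP}\\3CXDesktopApp.exe|ImageLoaded={APP}\\d3dcompiler_47.dll|Hashes=SHA256={'e' * 64}|Signed=false",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.process} loaded {finding.dll}: {finding.reason}")
```

Of the four constructed records only the second and fourth are reported: the first matches the allowlist and the third is a normal load of the Microsoft copy from System32 by an unrelated process. The rule deliberately keys on the hash rather than on `Signed=true`, because, as Q1 notes, the compromised 3CX builds carried a valid signature.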
Q5. Recognizing the malware type (threat category) is essential to your investigation, as it can offer valuable insight into the possible malicious actions you'll be examining. What is the threat category of the two malicious DLLs?
Reference: 3CX Desktop App Supply Chain Attack (SmoothOperator) Analysis (www.picussecurity.com)
As established in Q3, the malicious behaviour is carried out by malicious DLLs disguised as legitimate ones, which shows that they operate as a Trojan.
Answer: trojan
Q6. As a threat intelligence analyst conducting dynamic analysis, it's vital to understand how malware can evade detection in virtualized environments or analysis systems. This knowledge will help you effectively mitigate or address these evasive tactics. What is the MITRE ID for the virtualization/sandbox evasion techniques used by the two malicious DLLs?
https://attack.mitre.org/techniques/T1497/
Virtualization/Sandbox Evasion, Technique T1497 - Enterprise | MITRE ATT&CK® (attack.mitre.org)
The Virtualization/Sandbox Evasion technique is T1497.
Answer: T1497
Q7. When conducting malware analysis and reverse engineering, understanding anti-analysis techniques is vital to avoid wasting time. Which hypervisor is targeted by the anti-analysis techniques in the ffmpeg.dll file?
Honestly, from what I looked up, the anti-analysis behaviour in ffmpeg.dll doesn't seem to include a VMware check, but since I haven't analysed the code myself I can't be sure.
The sites I used for insight didn't mention checking for a VMware environment, though I may simply have missed it.
So for this question I guessed based on the behaviour of other malware associated with technique T1497.
Answer: vmware
Q8. Identifying the cryptographic method used in malware is crucial for understanding the techniques employed to bypass defense mechanisms and execute its functions fully. What encryption algorithm is used by the ffmpeg.dll file?
Reference: 3CX Desktop App Supply Chain Attack (SmoothOperator) Analysis (www.picussecurity.com)
The reference shows that d3dcompiler_47.dll decrypts encrypted shellcode with RC4 and executes it in memory.
Answer: rc4
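To illustrate the RC4 step from Q8, here is an added example (not code from the lab, from the cited reports, or from the malware) of how an analyst can locate and decrypt an RC4-protected payload embedded in a carrier binary once the key has been recovered: because an RC4 keystream depends only on the key, the ciphertext bytes that a payload starting with `MZ` would begin with are fixed and can be searched for directly instead of trial-decrypting at every offset. The key, the carrier bytes and the payload are all constructed for the example.

```python
"""Carve an RC4-encrypted payload out of a carrier binary by known plaintext.

Added example for Q8 of this write-up; it is not code from the lab or from
the 3CX malware. The key, the carrier bytes and the payload are constructed.
"""
from typing import List, Optional, Tuple


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Produce `length` bytes of RC4 keystream (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher, so the same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def carve_rc4(blob: bytes, key: bytes, marker: bytes = b"MZ") -> List[int]:
    """Offsets in `blob` where RC4 under `key` would decrypt to `marker`.

    The keystream depends only on the key, so its first len(marker) bytes are
    fixed: XOR them with the expected plaintext header and search the blob for
    that ciphertext pattern."""
    needle = bytes(m ^ k for m, k in zip(marker, rc4_keystream(key, len(marker))))
    hits: List[int] = []
    start = 0
    while (idx := blob.find(needle, start)) >= 0:
        hits.append(idx)
        start = idx + 1
    return hits


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check that rejects chance two-byte matches."""
    return data.startswith(b"MZ") and b"PE\x00\x00" in data[:64]


def find_payload(blob: bytes, key: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (offset, decrypted bytes from that offset) for the first hit
    that validates. Bytes past the real payload length decrypt to noise;
    a real sample's length would come from a size field or the structure."""
    for offset in carve_rc4(blob, key):
        plain = rc4(key, blob[offset:])
        if looks_like_pe(plain):
            return offset, plain
    return None


# Constructed sample: a fake carrier with a fake PE-like payload inside.
KEY = b"constructed-key-not-from-the-sample"
PAYLOAD = b"MZ" + b"\x90" * 30 + b"PE\x00\x00" + b"[constructed payload body]"
PREFIX = b"\x00" * 16 + b"unrelated-carrier-bytes-" * 3
PAYLOAD_OFFSET = len(PREFIX)
CARRIER = PREFIX + rc4(KEY, PAYLOAD) + b"\x00" * 8

if __name__ == "__main__":
    result = find_payload(CARRIER, KEY)
    if result is None:
        print("no RC4 payload found for this key")
    else:
        print(f"payload at offset {result[0]}: {result[1][:len(PAYLOAD)]!r}")
```

The same known-plaintext idea works for any fixed header (a shellcode prologue, a config magic value) once the key is known from the decryption routine; recovering the decrypted bytes is what lets an analyst hash the embedded stage and extract indicators from it.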
Q9. As an analyst, you've recognized some TTPs involved in the incident, but identifying the APT group responsible will help you search for their usual TTPs and uncover other potential malicious activities. Which group is responsible for this attack?
Reference: 3CX Desktop App Supply Chain Attack (SmoothOperator) Analysis (www.picussecurity.com)
Picus Security profiled the threat actor as the Labyrinth Chollima group, which is associated with Lazarus.
Answer: Lazarus