Symbol: osx.3cx_backdoor
Common name: 3CX Backdoor
Synonyms: none listed

Actor(s): Lazarus Group


There is no description at this point.

References
- 2023-04-01 | Objective-See | Patrick Wardle
  Ironing out (the macOS) details of a Smooth Operator (Part II)
  Tagged: 3CX Backdoor
- 2023-03-29 | Objective-See | Patrick Wardle
  Ironing out (the macOS details) of a Smooth Operator
  Tagged: 3CX Backdoor
Yara Rules
[TLP:WHITE] osx_3cx_backdoor_w0 (20230331 | Detects the MACOS version of the ICONIC loader.)
rule osx_3cx_backdoor_w0 {
    meta:
        author = "threatintel@volexity.com"
        date = "2023-03-30"
        description = "Detects the MACOS version of the ICONIC loader."
        hash1 = "a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67"
        reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
        memory_suitable = 1
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.3cx_backdoor"
        malpedia_version = "20230331"
        malpedia_rule_date = "20230331"
        malpedia_hash = ""
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Each string is looked for XOR-encoded with any single-byte key
        // from 0x01 to 0xff (the plain, un-encoded form is excluded).
        $str1 = "3CX Desktop App" xor(0x01-0xff)
        $str2 = "__tutma=" xor(0x01-0xff)
        $str3 = "Mozilla/5.0" xor(0x01-0xff)

    condition:
        // All three encoded strings must be present in the scanned object.
        all of them
}