win.3cx_backdoor

3CX Backdoor

aka: SUDDENICON

Actor(s): Lazarus Group


According to CrowdStrike, this backdoor was discovered being embedded in a legitimate, signed version of 3CXDesktopApp, and thus constitutes a supply chain attack.

References
2023-10-04 | Virus Bulletin | Peter Kálnai
    Lazarus Campaigns and Backdoors in 2022-23
    Families: SimpleTea, POOLRAT, 3CX Backdoor, BLINDINGCAN, CLOUDBURST, DRATzarus, ForestTiger, ImprudentCook, LambLoad, LightlessCan, miniBlindingCan, PostNapTea, SnatchCrypto, wAgentTea, WebbyTea, WinInetLoader

2023-08-30 | Kaspersky Labs | David Emm
    IT threat evolution in Q2 2023
    Families: 3CX Backdoor, Bankshot, BLINDINGCAN, GoldMax, Kazuar, QUIETCANARY, tomiris, GoldenJackal

2023-04-20 | ESET Research | Marc-Etienne M.Léveillé, Peter Kálnai
    Linux malware strengthens links between Lazarus and the 3CX supply-chain attack
    Families: BADCALL, SimpleTea, POOLRAT, 3CX Backdoor, BADCALL, IconicStealer

2023-04-03 | Youtube (MalwareAnalysisForHedgehogs) | Karsten Hahn
    Malware Analysis - 3CX SmoothOperator ffmpeg.dll with Binary Ninja
    Families: 3CX Backdoor

2023-04-01 | Github (dodo-sec) | dodo-sec
    SmoothOperator
    Families: 3CX Backdoor

2023-03-31 | Cyble | Cyble
    A Comprehensive Analysis of the 3CX Attack
    Families: 3CX Backdoor

2023-03-31 | Group-IB | Group-IB
    36gate: supply chain attack
    Families: 3CX Backdoor

2023-03-31 | VMware | Threat Analysis Unit
    Investigating 3CX Desktop Application Attacks: What You Need to Know
    Families: 3CX Backdoor

2023-03-31 | Reversing Labs | Karlo Zanki
    Red flags flew over software supply chain-compromised 3CX update
    Families: 3CX Backdoor

2023-03-31 | BlackBerry | The BlackBerry Research & Intelligence Team
    Initial Implants and Network Analysis Suggest the 3CX Supply Chain Operation Goes Back to Fall 2022
    Families: 3CX Backdoor

2023-03-31 | Splunk | Splunk Threat Research Team
    Splunk Insights: Investigating the 3CXDesktopApp Supply Chain Compromise
    Families: 3CX Backdoor

2023-03-31 | Zscaler | Meghraj Nandanwar, Niraj Shivtarkar, Rohit Hegde
    3CX Supply Chain Attack Campaign Analysis
    Families: 3CX Backdoor

2023-03-30 | Rapid7 Labs | Rapid7
    Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign
    Families: 3CX Backdoor

2023-03-30 | Huntress Labs | John Hammond
    3CX VoIP Software Compromise & Supply Chain Threats
    Families: 3CX Backdoor

2023-03-30 | Cado Security | Cado Security
    Forensic Triage of a Windows System running the Backdoored 3CX Desktop App
    Families: 3CX Backdoor

2023-03-30 | CrowdStrike | CS ENGINEER
    2023-03-29 // SITUATIONAL AWARENESS // CrowdStrike Tracking Active Intrusion Campaign Targeting 3CX Customers
    Families: 3CX Backdoor

2023-03-30 | FortiGuard | FortiGuard Labs
    3CX Desktop App Compromised (CVE-2023-29059)
    Families: 3CX Backdoor

2023-03-30 | Symantec | Threat Hunter Team
    3CX: Supply Chain Attack Affects Thousands of Users Worldwide
    Families: 3CX Backdoor, IconicStealer

2023-03-30 | OALabs | Sergei Frankoff
    3CX Supply Chain Attack
    Families: 3CX Backdoor

2023-03-30 | Elastic | Daniel Stepanic, Devon Kerr, Joe Desimone, Remco Sprooten, Samir Bousseaden
    Elastic users protected from SUDDENICON's supply chain attack
    Families: 3CX Backdoor

2023-03-30 | Trend Micro | Trend Micro Research
    Developing Story: Information on Attacks Involving 3CX Desktop App
    Families: 3CX Backdoor, IconicStealer

2023-03-30 | Volexity | Ankur Saini, Callum Roxan, Charlie Gardner, Paul Rascagnères, Steven Adair, Thomas Lancaster
    3CX Supply Chain Compromise Leads to ICONIC Incident
    Families: 3CX Backdoor, IconicStealer

2023-03-29 | CrowdStrike | Research & Threat Intel
    CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers
    Families: 3CX Backdoor

2023-03-29 | SentinelOne | Juan Andrés Guerrero-Saade
    SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack
    Families: 3CX Backdoor
Yara Rules
[TLP:WHITE] win_3cx_backdoor_auto (20230808 | Detects win.3cx_backdoor.)
rule win_3cx_backdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.3cx_backdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bc8 c1e907 33c1 81c287d61200 8bc8 c1e116 33c1 }
            // n = 7, score = 100
            //   8bc8                 | sub                 ecx, 1
            //   c1e907               | dec                 eax
            //   33c1                 | lea                 ecx, [ebp - 0x30]
            //   81c287d61200         | dec                 eax
            //   8bc8                 | mov                 eax, esi
            //   c1e116               | dec                 eax
            //   33c1                 | mov                 ecx, dword ptr [ebp - 0x10]

        $sequence_1 = { 84d2 7430 3811 742c e8???????? c70016000000 }
            // n = 6, score = 100
            //   84d2                 | dec                 esp
            //   7430                 | mov                 edi, dword ptr [esp + 0x20]
            //   3811                 | dec                 eax
            //   742c                 | mov                 ecx, esi
            //   e8????????           |                     
            //   c70016000000         | dec                 eax

        $sequence_2 = { 8bfb 48895c2430 4c89742428 4983e7f0 4d8d243f 498d442410 }
            // n = 6, score = 100
            //   8bfb                 | mov                 dword ptr [esp + 0x20], eax
            //   48895c2430           | inc                 ecx
            //   4c89742428           | mov                 edx, edi
            //   4983e7f0             | dec                 eax
            //   4d8d243f             | mov                 ecx, edi
            //   498d442410           | dec                 eax

        $sequence_3 = { 4a0fbe841940250300 428a8c1950250300 482bd0 8b42fc d3e8 49895108 41894118 }
            // n = 7, score = 100
            //   4a0fbe841940250300     | dec    eax
            //   428a8c1950250300     | arpl                word ptr [eax], cx
            //   482bd0               | dec                 eax
            //   8b42fc               | mov                 eax, ecx
            //   d3e8                 | dec                 eax
            //   49895108             | sar                 eax, 6
            //   41894118             | dec                 eax

        $sequence_4 = { 4c8bce 4c8bc5 488bd7 498bcf e8???????? 498bc6 488b5c2460 }
            // n = 7, score = 100
            //   4c8bce               | dec                 eax
            //   4c8bc5               | lea                 eax, [0x2de58]
            //   488bd7               | dec                 eax
            //   498bcf               | cmp                 ecx, eax
            //   e8????????           |                     
            //   498bc6               | je                  0x235
            //   488b5c2460           | dec                 eax

        $sequence_5 = { 498bd7 4489642448 48897c2440 44894c2438 4c8d4d97 4889442430 4489642428 }
            // n = 7, score = 100
            //   498bd7               | inc                 ecx
            //   4489642448           | cmp                 ebx, eax
            //   48897c2440           | dec                 eax
            //   44894c2438           | imul                eax, ebp
            //   4c8d4d97             | mov                 edx, ecx
            //   4889442430           | xor                 ecx, ecx
            //   4489642428           | dec                 eax

        $sequence_6 = { 7428 85db 7524 488d0d7ef90200 e8???????? 85c0 7510 }
            // n = 7, score = 100
            //   7428                 | dec                 eax
            //   85db                 | cmp                 ebx, edi
            //   7524                 | je                  0x592
            //   488d0d7ef90200       | dec                 eax
            //   e8????????           |                     
            //   85c0                 | cmp                 edx, dword ptr [ebp - 0x10]
            //   7510                 | dec                 eax

        $sequence_7 = { 4889742458 488b7108 33d2 488bce 48c1eb05 492bc9 }
            // n = 6, score = 100
            //   4889742458           | lea                 eax, [eax + ecx*4]
            //   488b7108             | inc                 ecx
            //   33d2                 | movzx               ecx, cl
            //   488bce               | jmp                 0xe1
            //   48c1eb05             | dec                 ebp
            //   492bc9               | mov                 esp, edi

        $sequence_8 = { 4983c708 4533d2 32d2 4c897c2420 80fb30 7512 b201 }
            // n = 7, score = 100
            //   4983c708             | mov                 eax, ebx
            //   4533d2               | inc                 ebp
            //   32d2                 | test                edi, edi
            //   4c897c2420           | je                  0x2f9
            //   80fb30               | inc                 ebp
            //   7512                 | xor                 ebx, ebx
            //   b201                 | dec                 eax

        $sequence_9 = { 0fb608 880a 488d5210 488b4808 48894af8 448820 }
            // n = 6, score = 100
            //   0fb608               | add                 edx, eax
            //   880a                 | dec                 ebp
            //   488d5210             | imul                edx, esp
            //   488b4808             | inc                 ecx
            //   48894af8             | lea                 ecx, [ecx + edx]
            //   448820               | inc                 ecx

    condition:
        7 of them and filesize < 585728
}
[TLP:WHITE] win_3cx_backdoor_w0   (20230331 | Detects 3CX installers created in March 2023, 3CX was known to be compromised at this time.)
rule win_3cx_backdoor_w0 {
    meta:
        author = "threatintel@volexity.com"
        date = "2023-03-30"
        description = "Detects 3CX installers created in March 2023, 3CX was known to be compromised at this time."
        hash1 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
        reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
        memory_suitable = 0
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor"
        malpedia_version = "20230331"
        malpedia_rule_date = "20230331"
        malpedia_hash = ""
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"
    strings:
        $cert =  { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }
        $app = "3CXDesktopApp.exe"
        $data = "202303"

    condition:
        all of them
}
[TLP:WHITE] win_3cx_backdoor_w1   (20230331 | Detection of malicious ICO files used in 3CX compromise.)
rule win_3cx_backdoor_w1 {
    meta:
        author = "threatintel@volexity.com"
        description = "Detection of malicious ICO files used in 3CX compromise."
        date = "2023-03-30"
        hash1 = "a541e5fc421c358e0a2b07bf4771e897fb5a617998aa4876e0e1baa5fbb8e25c"
        memory_suitable = 0
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor"
        malpedia_version = "20230331"
        malpedia_rule_date = "20230331"
        malpedia_hash = ""
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"
    strings:
        $IEND_dollar = {49 45 4e 44 ae 42 60 82 24} // IEND.B`.$
        $IEND_nodollar = {49 45 4e 44 ae 42 60 82 } // IEND.B`.

    condition:
        uint16be(0) == 0x0000 and
        filesize < 120KB and
        (
            $IEND_dollar in (filesize-500..filesize) and not
            $IEND_nodollar in (filesize-20..filesize) and
            for any k in (1..#IEND_dollar):
                (
                for all i in (1..4):
                    (
                        // in range [0-9a-zA-Z]
                        uint8(@IEND_dollar[k]+!IEND_dollar[k] + i ) < 123 and
                        uint8(@IEND_dollar[k]+!IEND_dollar[k] + i) > 47
                    )
                )
        )
}