According to CrowdStrike, this backdoor was found embedded in a legitimate, signed build of 3CXDesktopApp, which makes it a supply-chain attack.
// Autogenerated code-sequence rule for win.3cx_backdoor (yara-signator output).
// Detection is driven purely by the hex byte sequences under `strings:`; the
// rule fires when at least 7 of the 10 sequences are present in a file below
// the size cap.
rule win_3cx_backdoor_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2023-12-06"
version = "1"
description = "Detects win.3cx_backdoor."
info = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator v0.6.0"
signator_config = "callsandjumps;datarefs;binvalue"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor"
malpedia_rule_date = "20231130"
malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
malpedia_version = "20230808"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using YARA-Signator.
* The code and documentation is published here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
strings:
// NOTE(review): the per-line disassembly comments below do not decode the hex
// bytes on the same line (e.g. 8bc8 is `mov ecx, eax`, and the 48/49/4c lead
// bytes are x86-64 REX prefixes, shown here as 32-bit `dec eax`/`inc ecx`).
// They look like a shifted, 32-bit decode of 64-bit code from the generator;
// treat the hex bytes as authoritative and the mnemonics as informational only.
// `e8????????` entries are call instructions with a wildcarded rel32 target.
$sequence_0 = { 8bc8 c1e907 33c1 81c287d61200 8bc8 c1e116 33c1 }
// n = 7, score = 100
// 8bc8 | sub ecx, 1
// c1e907 | dec eax
// 33c1 | lea ecx, [ebp - 0x30]
// 81c287d61200 | dec eax
// 8bc8 | mov eax, esi
// c1e116 | dec eax
// 33c1 | mov ecx, dword ptr [ebp - 0x10]
$sequence_1 = { 84d2 7430 3811 742c e8???????? c70016000000 }
// n = 6, score = 100
// 84d2 | dec esp
// 7430 | mov edi, dword ptr [esp + 0x20]
// 3811 | dec eax
// 742c | mov ecx, esi
// e8???????? |
// c70016000000 | dec eax
$sequence_2 = { 8bfb 48895c2430 4c89742428 4983e7f0 4d8d243f 498d442410 }
// n = 6, score = 100
// 8bfb | mov dword ptr [esp + 0x20], eax
// 48895c2430 | inc ecx
// 4c89742428 | mov edx, edi
// 4983e7f0 | dec eax
// 4d8d243f | mov ecx, edi
// 498d442410 | dec eax
$sequence_3 = { 4a0fbe841940250300 428a8c1950250300 482bd0 8b42fc d3e8 49895108 41894118 }
// n = 7, score = 100
// 4a0fbe841940250300 | dec eax
// 428a8c1950250300 | arpl word ptr [eax], cx
// 482bd0 | dec eax
// 8b42fc | mov eax, ecx
// d3e8 | dec eax
// 49895108 | sar eax, 6
// 41894118 | dec eax
$sequence_4 = { 4c8bce 4c8bc5 488bd7 498bcf e8???????? 498bc6 488b5c2460 }
// n = 7, score = 100
// 4c8bce | dec eax
// 4c8bc5 | lea eax, [0x2de58]
// 488bd7 | dec eax
// 498bcf | cmp ecx, eax
// e8???????? |
// 498bc6 | je 0x235
// 488b5c2460 | dec eax
$sequence_5 = { 498bd7 4489642448 48897c2440 44894c2438 4c8d4d97 4889442430 4489642428 }
// n = 7, score = 100
// 498bd7 | inc ecx
// 4489642448 | cmp ebx, eax
// 48897c2440 | dec eax
// 44894c2438 | imul eax, ebp
// 4c8d4d97 | mov edx, ecx
// 4889442430 | xor ecx, ecx
// 4489642428 | dec eax
$sequence_6 = { 7428 85db 7524 488d0d7ef90200 e8???????? 85c0 7510 }
// n = 7, score = 100
// 7428 | dec eax
// 85db | cmp ebx, edi
// 7524 | je 0x592
// 488d0d7ef90200 | dec eax
// e8???????? |
// 85c0 | cmp edx, dword ptr [ebp - 0x10]
// 7510 | dec eax
$sequence_7 = { 4889742458 488b7108 33d2 488bce 48c1eb05 492bc9 }
// n = 6, score = 100
// 4889742458 | lea eax, [eax + ecx*4]
// 488b7108 | inc ecx
// 33d2 | movzx ecx, cl
// 488bce | jmp 0xe1
// 48c1eb05 | dec ebp
// 492bc9 | mov esp, edi
$sequence_8 = { 4983c708 4533d2 32d2 4c897c2420 80fb30 7512 b201 }
// n = 7, score = 100
// 4983c708 | mov eax, ebx
// 4533d2 | inc ebp
// 32d2 | test edi, edi
// 4c897c2420 | je 0x2f9
// 80fb30 | inc ebp
// 7512 | xor ebx, ebx
// b201 | dec eax
$sequence_9 = { 0fb608 880a 488d5210 488b4808 48894af8 448820 }
// n = 6, score = 100
// 0fb608 | add edx, eax
// 880a | dec ebp
// 488d5210 | imul edx, esp
// 488b4808 | inc ecx
// 48894af8 | lea ecx, [ecx + edx]
// 448820 | inc ecx
condition:
// 7-of-10 threshold tolerates partial recompilation; the size cap is the
// generator's choice (presumably sized to the reference sample) and will
// exclude larger carriers such as full installers or memory dumps — confirm
// before reusing this rule outside unpacked-file scanning.
7 of them and filesize < 585728
}
[TLP:WHITE] win_3cx_backdoor_w0 (20230331 | Detects 3CX installers created in March 2023, 3CX was known to be compromised at this time.)
// Volexity rule for 3CX installers built during the March 2023 compromise window.
// On-disk (installer) rule: it matches on three co-occurring artifacts rather
// than on backdoor code, so it is scoped to the affected build window by design.
rule win_3cx_backdoor_w0 {
    meta:
        author = "threatintel@volexity.com"
        date = "2023-03-30"
        description = "Detects 3CX installers created in March 2023, 3CX was known to be compromised at this time."
        hash1 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
        reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
        memory_suitable = 0
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor"
        malpedia_version = "20230331"
        malpedia_rule_date = "20230331"
        malpedia_hash = ""
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"
    strings:
        // 16 raw bytes; by its name presumably an identifier (serial) of the
        // signing certificate — verify against hash1 before relying on that reading
        $cert = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }
        // product binary name, matched as a plain ASCII string (YARA default)
        $app = "3CXDesktopApp.exe" ascii
        // build-window marker: a literal "202303" anywhere in the file
        $data = "202303" ascii
    condition:
        $cert and $app and $data
}
[TLP:WHITE] win_3cx_backdoor_w1 (20230331 | Detection of malicious ICO files used in 3CX compromise.)
// Volexity rule for the ICO files used as payload carriers in the 3CX compromise.
// Shape of the match: a small ICO-headed file that contains a PNG IEND trailer
// followed by '$' near the end of the file, with trailing data after it (i.e.
// the file does not end cleanly on the PNG trailer).
rule win_3cx_backdoor_w1 {
meta:
author = "threatintel@volexity.com"
description = "Detection of malicious ICO files used in 3CX compromise."
date = "2023-03-30"
hash1 = "a541e5fc421c358e0a2b07bf4771e897fb5a617998aa4876e0e1baa5fbb8e25c"
memory_suitable = 0
license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor"
malpedia_version = "20230331"
malpedia_rule_date = "20230331"
malpedia_hash = ""
malpedia_license = ""
malpedia_sharing = "TLP:WHITE"
strings:
// PNG IEND chunk type + its fixed CRC (AE 42 60 82), then a '$' (0x24)
$IEND_dollar = {49 45 4e 44 ae 42 60 82 24} // IEND.B`.$
// same trailer without the '$'; used below to require data AFTER the PNG end
$IEND_nodollar = {49 45 4e 44 ae 42 60 82 } // IEND.B`.
condition:
// ICONDIR starts with a reserved 0x0000 word
uint16be(0) == 0x0000 and
filesize < 120KB and
(
// the '$'-suffixed trailer sits in the last 500 bytes ...
$IEND_dollar in (filesize-500..filesize) and not
// ... but no IEND trailer sits in the last 20 bytes, so the file carries
// appended data past the PNG end
$IEND_nodollar in (filesize-20..filesize) and
// for at least one '$' occurrence, check the 4 bytes that follow it
for any k in (1..#IEND_dollar):
(
for all i in (1..4):
(
// bytes at offsets 1..4 past the '$' must be in 0x30..0x7a, i.e. '0'..'z'.
// This is a superset of [0-9a-zA-Z]: it also admits ':;<=>?@[\]^_`'.
// The byte immediately after the '$' (offset 0) is not checked here;
// presumably deliberate, but it could not be confirmed from the rule alone.
uint8(@IEND_dollar[k]+!IEND_dollar[k] + i ) < 123 and
uint8(@IEND_dollar[k]+!IEND_dollar[k] + i) > 47
)
)
)
}