win.3cx_backdoor

3CX Backdoor

aka: SUDDENICON

Actor(s): Lazarus Group


According to CrowdStrike, this backdoor was found embedded in a legitimate, signed version of 3CXDesktopApp; the compromise therefore constitutes a supply-chain attack.

References
2023-04-20ESET ResearchPeter Kálnai, Marc-Etienne M.Léveillé
@online{klnai:20230420:linux:fd293b6, author = {Peter Kálnai and Marc-Etienne M.Léveillé}, title = {{Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack}}, date = {2023-04-20}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack}, language = {English}, urldate = {2023-04-25} } Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack
BADCALL 3CX Backdoor BADCALL IconicStealer
2023-04-03Youtube (MalwareAnalysisForHedgehogs)Karsten Hahn
@online{hahn:20230403:malware:892e68e, author = {Karsten Hahn}, title = {{Malware Analysis - 3CX SmoothOperator ffmpeg.dll with Binary Ninja}}, date = {2023-04-03}, organization = {Youtube (MalwareAnalysisForHedgehogs)}, url = {https://www.youtube.com/watch?v=fTX-vgSEfjk}, language = {English}, urldate = {2023-04-06} } Malware Analysis - 3CX SmoothOperator ffmpeg.dll with Binary Ninja
3CX Backdoor
2023-04-01Github (dodo-sec)dodo-sec
@online{dodosec:20230401:smoothoperator:1aa2e60, author = {dodo-sec}, title = {{SmoothOperator}}, date = {2023-04-01}, organization = {Github (dodo-sec)}, url = {https://github.com/dodo-sec/Malware-Analysis/blob/main/SmoothOperator/SmoothOperator.md}, language = {English}, urldate = {2023-04-03} } SmoothOperator
3CX Backdoor
2023-03-31vmwareThreat Analysis Unit
@online{unit:20230331:investigating:bf45200, author = {Threat Analysis Unit}, title = {{Investigating 3CX Desktop Application Attacks: What You Need to Know}}, date = {2023-03-31}, organization = {vmware}, url = {https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html}, language = {English}, urldate = {2023-04-02} } Investigating 3CX Desktop Application Attacks: What You Need to Know
3CX Backdoor
2023-03-31ZscalerRohit Hegde, Niraj Shivtarkar, Meghraj Nandanwar
@online{hegde:20230331:3cx:7fb285c, author = {Rohit Hegde and Niraj Shivtarkar and Meghraj Nandanwar}, title = {{3CX Supply Chain Attack Campaign Campaign Analysis}}, date = {2023-03-31}, organization = {Zscaler}, url = {https://www.zscaler.com/security-research/3CX-supply-chain-attack-analysis-march-2023}, language = {English}, urldate = {2023-04-02} } 3CX Supply Chain Attack Campaign Campaign Analysis
3CX Backdoor
2023-03-31BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20230331:initial:6f10f80, author = {The BlackBerry Research & Intelligence Team}, title = {{Initial Implants and Network Analysis Suggest the 3CX Supply Chain Operation Goes Back to Fall 2022}}, date = {2023-03-31}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2023/03/initial-implants-and-network-analysis-suggest-the-3cx-supply-chain-operation-goes-back-to-fall-2022}, language = {English}, urldate = {2023-04-02} } Initial Implants and Network Analysis Suggest the 3CX Supply Chain Operation Goes Back to Fall 2022
3CX Backdoor
2023-03-31cybleCyble
@online{cyble:20230331:comprehensive:39bc743, author = {Cyble}, title = {{A Comprehensive Analysis of the 3CX Attack}}, date = {2023-03-31}, organization = {cyble}, url = {https://blog.cyble.com/2023/03/31/a-comprehensive-analysis-of-the-3cx-attack}, language = {English}, urldate = {2023-04-02} } A Comprehensive Analysis of the 3CX Attack
3CX Backdoor
2023-03-31Group-IBGroup-IB
@online{groupib:20230331:36gate:9107003, author = {Group-IB}, title = {{36gate: supply chain attack}}, date = {2023-03-31}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/3cx-supply-chain-attack/?utm_source=twitter&utm_campaign=3cx-blog&utm_medium=social}, language = {English}, urldate = {2023-04-02} } 36gate: supply chain attack
3CX Backdoor
2023-03-31splunkSplunk Threat Research Team
@online{team:20230331:splunk:38f1f9f, author = {Splunk Threat Research Team}, title = {{Splunk Insights: Investigating the 3CXDesktopApp Supply Chain Compromise}}, date = {2023-03-31}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/splunk-insights-investigating-the-3cxdesktopapp-supply-chain-compromise.html}, language = {English}, urldate = {2023-04-02} } Splunk Insights: Investigating the 3CXDesktopApp Supply Chain Compromise
3CX Backdoor
2023-03-31Reversing LabsKarlo Zanki
@online{zanki:20230331:red:61b2c78, author = {Karlo Zanki}, title = {{Red flags flew over software supply chain-compromised 3CX update}}, date = {2023-03-31}, organization = {Reversing Labs}, url = {https://www.reversinglabs.com/blog/red-flags-fly-over-supply-chain-compromised-3cx-update}, language = {English}, urldate = {2023-04-02} } Red flags flew over software supply chain-compromised 3CX update
3CX Backdoor
2023-03-30Huntress LabsJohn Hammond
@online{hammond:20230330:3cx:bba6690, author = {John Hammond}, title = {{3CX VoIP Software Compromise & Supply Chain Threats}}, date = {2023-03-30}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats}, language = {English}, urldate = {2023-04-02} } 3CX VoIP Software Compromise & Supply Chain Threats
3CX Backdoor
2023-03-30SymantecThreat Hunter Team
@online{team:20230330:3cx:fb5b214, author = {Threat Hunter Team}, title = {{3CX: Supply Chain Attack Affects Thousands of Users Worldwide}}, date = {2023-03-30}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack}, language = {English}, urldate = {2023-04-02} } 3CX: Supply Chain Attack Affects Thousands of Users Worldwide
3CX Backdoor IconicStealer
2023-03-30Cado SecurityCado Security
@online{security:20230330:forensic:77e03e1, author = {Cado Security}, title = {{Forensic Triage of a Windows System running the Backdoored 3CX Desktop App}}, date = {2023-03-30}, organization = {Cado Security}, url = {https://www.cadosecurity.com/forensic-triage-of-a-windows-system-running-the-backdoored-3cx-desktop-app/}, language = {English}, urldate = {2023-04-02} } Forensic Triage of a Windows System running the Backdoored 3CX Desktop App
3CX Backdoor
2023-03-30Rapid7 LabsRapid7
@online{rapid7:20230330:backdoored:9d84780, author = {Rapid7}, title = {{Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign}}, date = {2023-03-30}, organization = {Rapid7 Labs}, url = {https://www.rapid7.com/blog/post/2023/03/30/backdoored-3cxdesktopapp-installer-used-in-active-threat-campaign/}, language = {English}, urldate = {2023-04-02} } Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign
3CX Backdoor
2023-03-30CrowdStrikeCS ENGINEER
@online{engineer:20230330:20230329:49be400, author = {CS ENGINEER}, title = {{2023-03-29 // SITUATIONAL AWARENESS // CrowdStrike Tracking Active Intrusion Campaign Targeting 3CX Customers}}, date = {2023-03-30}, organization = {CrowdStrike}, url = {https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/}, language = {English}, urldate = {2023-04-02} } 2023-03-29 // SITUATIONAL AWARENESS // CrowdStrike Tracking Active Intrusion Campaign Targeting 3CX Customers
3CX Backdoor
2023-03-30Trend MicroTrend Micro Research
@online{research:20230330:developing:2895b8a, author = {Trend Micro Research}, title = {{Developing Story: Information on Attacks Involving 3CX Desktop App}}, date = {2023-03-30}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html}, language = {English}, urldate = {2023-04-02} } Developing Story: Information on Attacks Involving 3CX Desktop App
3CX Backdoor IconicStealer
2023-03-30VolexityAnkur Saini, Callum Roxan, Charlie Gardner, Paul Rascagnères, Steven Adair, Thomas Lancaster
@online{saini:20230330:3cx:82b291e, author = {Ankur Saini and Callum Roxan and Charlie Gardner and Paul Rascagnères and Steven Adair and Thomas Lancaster}, title = {{3CX Supply Chain Compromise Leads to ICONIC Incident}}, date = {2023-03-30}, organization = {Volexity}, url = {https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/}, language = {English}, urldate = {2023-03-30} } 3CX Supply Chain Compromise Leads to ICONIC Incident
3CX Backdoor IconicStealer
2023-03-30FortiguardFortiGuard Labs
@online{labs:20230330:3cx:32dbee5, author = {FortiGuard Labs}, title = {{3CX Desktop App Compromised (CVE-2023-29059)}}, date = {2023-03-30}, organization = {Fortiguard}, url = {https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised}, language = {English}, urldate = {2023-04-02} } 3CX Desktop App Compromised (CVE-2023-29059)
3CX Backdoor
2023-03-30OALabsSergei Frankoff
@online{frankoff:20230330:3cx:244fb6e, author = {Sergei Frankoff}, title = {{3CX Supply Chain Attack}}, date = {2023-03-30}, organization = {OALabs}, url = {https://research.openanalysis.net/3cx/northkorea/apt/triage/2023/03/30/3cx-malware.html#Functionality}, language = {English}, urldate = {2023-04-06} } 3CX Supply Chain Attack
3CX Backdoor
2023-03-30ElasticDaniel Stepanic, Remco Sprooten, Joe Desimone, Samir Bousseaden, Devon Kerr
@online{stepanic:20230330:elastic:8671074, author = {Daniel Stepanic and Remco Sprooten and Joe Desimone and Samir Bousseaden and Devon Kerr}, title = {{Elastic users protected from SUDDENICON’s supply chain attack}}, date = {2023-03-30}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack}, language = {English}, urldate = {2023-04-02} } Elastic users protected from SUDDENICON’s supply chain attack
3CX Backdoor
2023-03-29SentinelOneJuan Andrés Guerrero-Saade
@online{guerrerosaade:20230329:smoothoperator:42df1eb, author = {Juan Andrés Guerrero-Saade}, title = {{SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack}}, date = {2023-03-29}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/}, language = {English}, urldate = {2023-03-30} } SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack
3CX Backdoor
2023-03-29CrowdStrikeResearch & Threat Intel
@online{intel:20230329:crowdstrike:cafb1f8, author = {Research & Threat Intel}, title = {{CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers}}, date = {2023-03-29}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/}, language = {English}, urldate = {2023-03-30} } CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers
3CX Backdoor
Yara Rules
[TLP:WHITE] win_3cx_backdoor_auto (20230715 | Detects win.3cx_backdoor.)
rule win_3cx_backdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.3cx_backdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the disassembly column emitted by the generator for this
     * rule was out of sync with the byte sequences (it showed 32-bit decodings
     * of unrelated offsets, e.g. REX prefixes rendered as dec/inc). The
     * mnemonics below were re-decoded from the hex in 64-bit mode; wildcarded
     * call/jmp targets and RIP-relative displacements are shown as relative
     * values. The hex patterns themselves are unchanged.
     */

    strings:
        $sequence_0 = { c645c800 41b805000000 488d1528fe0200 488d4dc8 e8???????? 90 4c8d4dc8 }
            // n = 7, score = 100
            //   c645c800             | mov                 byte ptr [rbp - 0x38], 0
            //   41b805000000         | mov                 r8d, 5
            //   488d1528fe0200       | lea                 rdx, [rip + 0x2fe28]
            //   488d4dc8             | lea                 rcx, [rbp - 0x38]
            //   e8????????           | call                rel32 (wildcarded)
            //   90                   | nop
            //   4c8d4dc8             | lea                 r9, [rbp - 0x38]

        $sequence_1 = { c60120 488b8360040000 4c0128 8b4b20 83f9ff 7408 4503cd }
            // n = 7, score = 100
            //   c60120               | mov                 byte ptr [rcx], 0x20
            //   488b8360040000       | mov                 rax, qword ptr [rbx + 0x460]
            //   4c0128               | add                 qword ptr [rax], r13
            //   8b4b20               | mov                 ecx, dword ptr [rbx + 0x20]
            //   83f9ff               | cmp                 ecx, -1
            //   7408                 | je                  short +8
            //   4503cd               | add                 r9d, r13d

        $sequence_2 = { 7512 ff15???????? 8bc8 e8???????? e9???????? 2bc3 488d0d0387fdff }
            // n = 7, score = 100
            //   7512                 | jne                 short +0x12
            //   ff15????????         | call                qword ptr [rip + disp32] (wildcarded)
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           | call                rel32 (wildcarded)
            //   e9????????           | jmp                 rel32 (wildcarded)
            //   2bc3                 | sub                 eax, ebx
            //   488d0d0387fdff       | lea                 rcx, [rip - 0x278fd]

        $sequence_3 = { 482bc1 4883c0f8 4883f81f 0f87ad020000 e8???????? 4c897580 48c745880f000000 }
            // n = 7, score = 100
            //   482bc1               | sub                 rax, rcx
            //   4883c0f8             | add                 rax, -8
            //   4883f81f             | cmp                 rax, 0x1f
            //   0f87ad020000         | ja                  near +0x2ad
            //   e8????????           | call                rel32 (wildcarded)
            //   4c897580             | mov                 qword ptr [rbp - 0x80], r14
            //   48c745880f000000     | mov                 qword ptr [rbp - 0x78], 0xf

        $sequence_4 = { 807b1900 0f8595000000 4c8b6618 498b28 0f1f4000 0f1f840000000000 48895c2438 }
            // n = 7, score = 100
            //   807b1900             | cmp                 byte ptr [rbx + 0x19], 0
            //   0f8595000000         | jne                 near +0x95
            //   4c8b6618             | mov                 r12, qword ptr [rsi + 0x18]
            //   498b28               | mov                 rbp, qword ptr [r8]
            //   0f1f4000             | nop                 dword ptr [rax]
            //   0f1f840000000000     | nop                 dword ptr [rax + rax]
            //   48895c2438           | mov                 qword ptr [rsp + 0x38], rbx

        $sequence_5 = { 0f85c7000000 48897c2430 48897c2440 4c89742448 41b804000000 488d1595820300 488d4c2430 }
            // n = 7, score = 100
            //   0f85c7000000         | jne                 near +0xc7
            //   48897c2430           | mov                 qword ptr [rsp + 0x30], rdi
            //   48897c2440           | mov                 qword ptr [rsp + 0x40], rdi
            //   4c89742448           | mov                 qword ptr [rsp + 0x48], r14
            //   41b804000000         | mov                 r8d, 4
            //   488d1595820300       | lea                 rdx, [rip + 0x38295]
            //   488d4c2430           | lea                 rcx, [rsp + 0x30]

        $sequence_6 = { 8b4f40 41bf0b000000 83f90e 0f8569020000 488d4f48 488d55d8 e8???????? }
            // n = 7, score = 100
            //   8b4f40               | mov                 ecx, dword ptr [rdi + 0x40]
            //   41bf0b000000         | mov                 r15d, 0xb
            //   83f90e               | cmp                 ecx, 0xe
            //   0f8569020000         | jne                 near +0x269
            //   488d4f48             | lea                 rcx, [rdi + 0x48]
            //   488d55d8             | lea                 rdx, [rbp - 0x28]
            //   e8????????           | call                rel32 (wildcarded)

        $sequence_7 = { 482bc2 4d8bf8 48c1f804 482bf2 49b8ffffffffffffff0f 4c8bf1 493bc0 }
            // n = 7, score = 100
            //   482bc2               | sub                 rax, rdx
            //   4d8bf8               | mov                 r15, r8
            //   48c1f804             | sar                 rax, 4
            //   482bf2               | sub                 rsi, rdx
            //   49b8ffffffffffffff0f     | mov    r8, 0x0fffffffffffffff
            //   4c8bf1               | mov                 r14, rcx
            //   493bc0               | cmp                 rax, r8

        $sequence_8 = { 0f840e010000 498bce bec57d0f00 e8???????? 488bd8 4885c0 }
            // n = 6, score = 100
            //   0f840e010000         | je                  near +0x10e
            //   498bce               | mov                 rcx, r14
            //   bec57d0f00           | mov                 esi, 0xf7dc5
            //   e8????????           | call                rel32 (wildcarded)
            //   488bd8               | mov                 rbx, rax
            //   4885c0               | test                rax, rax

        $sequence_9 = { eb27 c6030d 4c8d1d4688fdff eb1b 498b8ceb20260400 8a44f938 }
            // n = 6, score = 100
            //   eb27                 | jmp                 short +0x27
            //   c6030d               | mov                 byte ptr [rbx], 0xd
            //   4c8d1d4688fdff       | lea                 r11, [rip - 0x277ba]
            //   eb1b                 | jmp                 short +0x1b
            //   498b8ceb20260400     | mov                 rcx, qword ptr [r11 + rbp*8 + 0x42620]
            //   8a44f938             | mov                 al, byte ptr [rcx + rdi*8 + 0x38]

    condition:
        // At least 7 of the 10 code sequences must be present. The size cap is in
        // bytes and presumably reflects the reference sample(s) the generator saw;
        // confirm before relying on it against other builds.
        7 of them and filesize < 585728
}
[TLP:WHITE] win_3cx_backdoor_w0   (20230331 | Detects 3CX installers created in March 2023, 3CX was known to be compromised at this time.)
rule win_3cx_backdoor_w0 {
    meta:
        author = "threatintel@volexity.com"
        date = "2023-03-30"
        description = "Detects 3CX installers created in March 2023, 3CX was known to be compromised at this time."
        hash1 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
        reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
        memory_suitable = 0
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor"
        malpedia_version = "20230331"
        malpedia_rule_date = "20230331"
        malpedia_hash = ""
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"
    strings:
        // 16-byte binary blob. From the identifier, presumably a field of the
        // code-signing certificate on the signed installer (e.g. its serial
        // number) -- confirm against the sample in hash1.
        $cert =  { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }
        // Filename of the 3CX desktop client executable carried by the installer.
        $app = "3CXDesktopApp.exe"
        // yyyymm prefix for the March-2023 build window named in the description.
        // This is a plain substring match anywhere in the file, not a parsed timestamp.
        $data = "202303"

    condition:
        // All three strings must be present; the rule is intentionally scoped to
        // the time window rather than to the implant code itself (memory_suitable = 0).
        all of them
}
[TLP:WHITE] win_3cx_backdoor_w1   (20230331 | Detection of malicious ICO files used in 3CX compromise.)
rule win_3cx_backdoor_w1 {
    meta:
        author = "threatintel@volexity.com"
        description = "Detection of malicious ICO files used in 3CX compromise."
        date = "2023-03-30"
        hash1 = "a541e5fc421c358e0a2b07bf4771e897fb5a617998aa4876e0e1baa5fbb8e25c"
        memory_suitable = 0
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor"
        malpedia_version = "20230331"
        malpedia_rule_date = "20230331"
        malpedia_hash = ""
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"
    strings:
        // PNG IEND chunk type ("IEND") followed by its constant CRC, then a literal '$'.
        $IEND_dollar = {49 45 4e 44 ae 42 60 82 24} // IEND.B`.$
        // The same IEND chunk marker without the trailing '$'.
        $IEND_nodollar = {49 45 4e 44 ae 42 60 82 } // IEND.B`.

    condition:
        // ICO directory header: the first two bytes are a reserved field that is zero.
        uint16be(0) == 0x0000 and
        filesize < 120KB and
        (
            // An IEND+'$' marker occurs in the last 500 bytes, but no IEND marker
            // occurs in the last 20 bytes: the embedded PNG ends before EOF and is
            // followed by appended data.
            $IEND_dollar in (filesize-500..filesize) and not
            $IEND_nodollar in (filesize-20..filesize) and
            // For at least one such marker, the 4 bytes following it must all fall
            // in 0x30..0x7a. NOTE(review): i starts at 1, so the byte directly
            // after the '$' is not checked (bytes +1..+4 past the match end are);
            // confirm this offset is intended rather than an off-by-one.
            for any k in (1..#IEND_dollar):
                (
                for all i in (1..4):
                    (
                        // 0x30..0x7a (48..122): covers [0-9A-Za-z] but also the
                        // punctuation between those ranges (":;<=>?@[\]^_`").
                        uint8(@IEND_dollar[k]+!IEND_dollar[k] + i ) < 123 and
                        uint8(@IEND_dollar[k]+!IEND_dollar[k] + i) > 47
                    )
                )
        )
}