Potential Compromised 3CXDesktopApp Update Activity

 1title: Potential Compromised 3CXDesktopApp Update Activity
 2id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a
 3related:
 4    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
 5      type: similar
 6    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
 7      type: similar
 8    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
 9      type: similar
10    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
11      type: similar
12    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
13      type: similar
14    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
15      type: similar
16    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
17      type: similar
18status: test
19description: Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
20references:
21    - https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/
22    - https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats
23author: Nasreddine Bencherchali (Nextron Systems)
24date: 2023/03/29
25tags:
26    - attack.defense_evasion
27    - attack.t1218
28    - attack.execution
29    - detection.emerging_threats
30logsource:
31    category: process_creation
32    product: windows
33detection:
34    selection:
35        Image|endswith: '\3CXDesktopApp\app\update.exe'
36        CommandLine|contains|all:
37            - '--update'
38            - 'http'
39            - '/electron/update/win32/18.12'
40    condition: selection
41falsepositives:
42    - Unknown
43level: high

References

• Thomas Roccia on LinkedIn: #3cx #cybersecurity #infosec #supplychainattack #3cxpocalypse | 111 comments

  

  🔍 If you are looking for a comprehensive overview of the current #3CX supply chain attack, I created a diagram that shows the attack flow for the Windows… | 111 comments on LinkedIn

  
  Read More

• 3CX VoIP Software Compromise & Supply Chain Threats

  

  The 3CX VoIP Desktop Application has been compromised to deliver malware via legitimate 3CX updates. Huntress has been investigating this incident and working to validate and assess the current supply chain threat to the security community.

  
  Read More

Related rules

• Potential Compromised 3CXDesktopApp Execution
• Potential Suspicious Child Process Of 3CXDesktopApp
• Pikabot Fake DLL Extension Execution Via Rundll32.EXE
• Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
• Binary Proxy Execution Via Dotnet-Trace.EXE