3CXDesktopApp_Supply_Chain_Attack
This pack is part of the Rapid Breach Response pack.

Executive Summary

On March 29, 2023, CrowdStrike released a blog discussing a supply chain attack involving a software-based phone application called 3CXDesktopApp.

As of March 30, the 3CXDesktopApp installer hosted on the developer’s website will install the application with two malicious libraries included. The malicious libraries will ultimately run shellcode to load a backdoor on the system that allows actors to install additional malware on the victim machine.

Between March 9-30, 2023, we observed activity at 127 Cortex XDR customers that involved the 3CXDesktopApp process attempting to run shellcode, which was blocked by the XDR Agent’s In-process Shellcode Protection Module. Due to blocking the shellcode, we were unable to obtain the secondary payload used in this attack, so we cannot determine its capabilities or any post-exploitation activities carried out by the threat actor.

Pack Content

The pack contains a playbook named 3CXDesktopApp Supply Chain Attack, which handles investigation and response for the 3CXDesktopApp supply chain attack.

Playbook Flow

The playbook includes the following tasks:

Hunting:

  • Cortex XDR
    • XQL hunting queries
  • Advanced SIEM queries
    • Splunk
    • QRadar
    • Elasticsearch
    • Azure Log Analytics
  • Indicators hunting
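An added illustration of the hunting step, not code from the pack or its playbook: it runs over constructed endpoint telemetry and flags the pattern the summary describes, the legitimately installed 3CXDesktopApp process loading bundled libraries whose hashes are not the known-good ones, alongside any blocked in-process shellcode event. The event schema, library names, hashes, and host names are all constructed placeholders, not indicators from the page.

```python
import json
from collections import defaultdict

# Constructed allowlist: hashes a defender would export from a verified clean
# install. The library names and hash strings are placeholders, not real IoCs.
KNOWN_GOOD = {
    "libexample_a.dll": "sha256-GOOD-A",
    "libexample_b.dll": "sha256-GOOD-B",
}
APP_PROCESS = "3cxdesktopapp.exe"

# Constructed telemetry, one JSON event per line (schema is assumed, not an
# actual Cortex XDR or SIEM export).
SAMPLE_EVENTS = """
{"host":"ws01","event":"module_load","process":"3CXDesktopApp.exe","module":"libexample_a.dll","sha256":"sha256-GOOD-A"}
{"host":"ws01","event":"module_load","process":"3CXDesktopApp.exe","module":"libexample_b.dll","sha256":"sha256-TAMPERED-B"}
{"host":"ws01","event":"shellcode_blocked","process":"3CXDesktopApp.exe","module":"","sha256":""}
{"host":"ws02","event":"module_load","process":"3CXDesktopApp.exe","module":"libexample_a.dll","sha256":"sha256-GOOD-A"}
{"host":"ws02","event":"module_load","process":"notepad.exe","module":"libexample_b.dll","sha256":"sha256-TAMPERED-B"}
""".strip().splitlines()


def hunt(lines):
    """Per-host findings: libraries loaded by the app that are missing from or
    differ from the allowlist, plus whether a blocked shellcode event was seen
    for the same process on that host."""
    findings = defaultdict(lambda: {"tampered_modules": [], "shellcode_blocked": False})
    for line in lines:
        ev = json.loads(line)
        if ev["process"].lower() != APP_PROCESS:
            continue  # only the phone application process is in scope
        if ev["event"] == "module_load":
            expected = KNOWN_GOOD.get(ev["module"].lower())
            if expected is None or expected != ev["sha256"]:
                findings[ev["host"]]["tampered_modules"].append(ev["module"])
        elif ev["event"] == "shellcode_blocked":
            findings[ev["host"]]["shellcode_blocked"] = True
    return dict(findings)


def hosts_to_escalate(findings):
    """Hosts where the app loaded a non-allowlisted library. They stay in scope
    even when the shellcode was blocked, because the tampered install remains."""
    return sorted(host for host, f in findings.items() if f["tampered_modules"])


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    print(json.dumps(results, indent=2))
    print("escalate:", hosts_to_escalate(results))
```

A blocked shellcode event alone confirms the agent intervened; the tampered-library finding is what tells you the host still carries the trojanized installer output and needs reinstallation from a clean source.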

References:

Threat Brief: 3CXDesktopApp Supply Chain Attack

CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers