In March 2023, multiple security vendors began reporting the detection of malicious activity coming from a legitimate and signed binary called “3CXDesktopApp”. The activity was detected on March 22, 2023, when users of 3CX began to notice potential false-positive detections of 3CXDesktopApp by their endpoint security agents.
The compromised binary in this case is a software-based Private Automatic Branch Exchange (PABX) Voice over Internet Protocol (VoIP) phone system developed by the company 3CX, and it was compromised through a supply chain attack suspected to have the involvement of the North Korean-based adversary known as Lazarus Group. Lazarus Group, also known as Hidden Cobra, is a state-sponsored adversary attributed to the Reconnaissance General Bureau (RGB) of the Democratic People’s Republic of Korea (DPRK), whose activities were previously emulated by AttackIQ in early 2023.
According to the intelligence reported by CrowdStrike, the malicious activity detected includes beaconing information to adversary-controlled infrastructure, deploying second-stage payloads and, in a small number of cases, hands-on keyboard activity. In a more recent report, published by SecureList in early April 2023, researchers describe the presence of a Dynamic Link Library (DLL) file on the systems of one of the victims affected by the attack, which is similar to those used in the deployment of a backdoor known as “Gopuram”. Gopuram has also been observed to coexist on victims’ systems with AppleJeus, a backdoor attributed to the Lazarus Group.
According to the information reported by SecureList, Gopuram is a backdoor that has been tracked internally since 2020 and during its years of activity, only a few victims were observed to have been compromised. As of March 2023, the number of infections with this backdoor began to increase, an increase that is directly related to the 3CX supply chain attack.
AttackIQ has released a new attack graph emulating this activity recently conducted by Lazarus Group to help customers validate their security controls and their ability to defend against this threat. Validating the performance of your security program against these behaviors is vital to reducing risk. By using these new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate the performance of security controls against this current large-scale threat.
- Assess security posture against a sophisticated adversary such as the Lazarus Group.
- Continually validate detection and prevention pipelines against techniques shared among many of the North Korean adversaries.
Lazarus Group – 2023-03 – 3CXDesktopApp Supply Chain Compromise
As reported by sources such as CrowdStrike, SecureList, Qualys, and Sophos, this attack starts with the execution of a Microsoft Software Installer (MSI) which aims at dropping a compromised DLL called ffmpeg.dll and the benign application 3CXDesktopApp, which is then abused to perform the DLL Sideloading technique of the compromised DLL.
Once the execution of the DLL is completed, a unique identifier of the victim is obtained by accessing the registry key MachineGuid located in HKLM\SOFTWARE\Microsoft\Cryptography. This unique identifier is used to register the victim in the adversary’s infrastructure via an HTTP POST request.
Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test both network and endpoint controls and their ability to prevent the delivery of known malicious files.
Hijack Execution Flow: DLL Side-Loading (T1547.002): Bundles a DLL with a Windows executable that is susceptible to DLL Side-Loading to execute actor code.
Query Registry (T1012): The HKCU\Software\Microsoft\Cryptography\MachineGuid
registry key contains the globally unique identifier (GUID) of the Windows system.
Application Layer Protocol: Web Protocols (T1071.001): This scenario emulates the initial HTTP POST request made by the SUDDENICON malware used in the 3CXDesktopApp supply chain compromise by making an HTTP POST to an AttackIQ server that mimics the format used by the real infection.
The second stage of the attack begins with the download and saving of the infostealer used by Lazarus, which is executed using the Reflective DLL Injection technique, which aims to load code into the processes’ own memory instead of that of a separate process.
Next, the malware will seek to obtain information from the system and browsers by executing API calls and file collection.
Reflective DLL Injection (T1620): This scenario takes a default AttackIQ DLL and loads it into the memory space of its own process in order to execute the desired DLL function.
System Information Discovery (T1082): The native systeminfo
command is executed to retrieve all of the Windows system information.
In the third stage of the attack, the DLL Search Order Hijacking technique is used to execute a DLL, whose final objective is to load and execute the main module of the Gopuram backdoor by using the reflective DLL Injection technique.
Once the execution of the backdoor is completed, all of its capabilities are emulated, such as discovering connections to other hosts, scanning the system registry, creating new services, listing active processes, discovering users, permissions and the list of active sessions on the network through the net command, injecting code into active processes and using Timestomping, which allows the attacker to modify the timestamp of a file, either modification, creation or access times.
Hijack Execution Flow: DLL Search Order Hijacking (T1574.001): This scenario takes advantage of Microsoft’s Dynamic-Link Library (DLL) search order to load a rogue DLL into a system binary, leveraging the fact that the system binary will be often trusted by system administrators so that malicious code can run inside it without being examined.
Internet Connection Discovery (T1016.001): The scenario uses the ping command to Google’s 8.8.8.8
DNS server to verify internet connectivity.
Create or Modify System Process: Windows Service (T1543.003): Creates a new service using the native sc.exe
utility.
Process Discovery (T1057): Window’s built-in tasklist
command is executed as a command process and the results are saved to a file in a temporary location.
Account Discovery: Local Account (T1087.001): The native net user
command is executed to get a list of local accounts.
System Network Connections Discovery (T1049): The native Windows command line net session
is used to collect active connections running on the host.
Permission Groups Discovery: Local Groups (T1069.001): The actor is interested in finding out the memberships of privileged local groups like Remote Desktop Users and Local Administrators. They accomplish this by executing net localgroup
lookups.
Process Injection (T1055): This scenario injects a DLL file into another running process and validates if a canary file can be created.
Indicator Removal: Timestomp (T1070.006): This scenario will modify the timestamp of a temporary file using a PowerShell script.
Detection and Mitigation Opportunities
With so many different techniques being used by threat actors, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques:
1. DLL Side-Loading (T1547.002)
By using side-loading to load malicious code into a legitimate process actors can try to hide in normal system operating noise or abuse overzealous whitelisting.
1a. Detection
Searching for newly constructed processes or monitoring for DLL/PE file events, specifically for the creation and loading of DLLs into running processes can help identify when a system process has been compromised.
1b. Mitigation
2. Reflective DLL Injection (T1620)
Adversaries may reflectively load code into the processes’ own memory to conceal the execution of malicious payloads.
2a. Detection
Monitoring code artifacts associated with reflectively loading code such the abuse of Native API and .NET functions can help identify reflective DLL injections.
2b. Mitigation
This attack cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
3. DLL Search Order Hijacking (T1574.001)
By hijacking the search order used to load Dynamic Link Libraries (DLLs), adversaries can execute their own malicious payloads.
3a. Detection
Monitoring for newly constructed or modified .manifest and .local redirection files that do not correlate with software updates can allow the detection of this technique.
3b. Mitigation
Wrap-up
In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against a supply chain attack carried out by a highly sophisticated North Korean adversary. With data generated from continuous testing and use of this attack graph, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.