{
	"id": "96e09f90-1270-46ad-ab91-91b653d801c2",
	"created_at": "2026-04-06T00:20:01.881999Z",
	"updated_at": "2026-04-10T03:20:24.717534Z",
	"deleted_at": null,
	"sha1_hash": "11e28266017dead73e54e4d940fe09447df30d9d",
	"title": "3CX Supply Chain Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62105,
	"plain_text": "3CX Supply Chain Attack\r\nPublished: 2023-03-30 · Archived: 2026-04-05 13:56:28 UTC\r\nAnalysis\r\nLet's take a look at the .msi and see what is in there, we can just use 7zip to unzip it. Inside the .msi we have a\r\nbackdoored file ffmpeg.dll\r\nStage 1 ffmpeg.dll\r\nArtifacts\r\nffmpeg.dll 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896\r\nd3dcompiler_47.dll 11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03\r\nFunctionality\r\nUses CreateEventW with the string AVMonitorRefreshEvent like a mutex to ensure it is only running\r\nonce\r\nGets its process path (file location) to locate d3dcompiler_47.dll which it expects to be in the same\r\ndirectory\r\nScans d3dcompiler_47.dll for the magic hex bytes 0xFEEDFACE\r\nThe magic bytes 0xFEEDFACE occur twice in a row\r\nAll the file data following the magic bytes is decrypted with RC4 using the hard coded key 3jB(2bsG#@c7\r\nOnce decrypted the data contains shellcode followed by an embedded PE file (Stage 2) which is loaded\r\ninto memory and executed\r\nSigned DLL\r\nThe d3dcompiler_47.dll DLL is signed by Microsoft. 
The 0xFEEDFACE magic bytes suggest that the open source tool SigFlip was used to patch the Authenticode signed PE file without breaking the signature (data placed in the PE's certificate table is excluded from the Authenticode hash, so the signature still verifies).\r\nStage 2\r\nArtifacts\r\nShellcode with stage 2 PE attached\r\nb56279136d816a11cf4db9fc1b249da04b3fa3aef4ba709b20cdfbe572394812\r\nFunctionality\r\nCreates a file called manifest in the directory from which the process was launched\r\nThe manifest file is used to maintain a delay timer value for the malware\r\nThe delay is calculated by adding 7 days to a randomly generated value between 0 days and 20 days, 20 hours, for a total potential delay of between 7 days and 20 days, 20 hours\r\nWhen the malware executes this value is read from the manifest file and checked against the system time; if the time has not expired the malware will simply sleep\r\nThe MachineGuid key value is read from the registry key Software\\Microsoft\\Cryptography, then transformed into the following \"cookie\" value to be used in future C2 requests\r\n_tutma=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx\r\nA random number generator is used to build a variation of the following URL with an icon file between icon1.ico and icon16.ico (either I'm not reading the code right or this is an off-by-one error, as the icon files are numbered 0-15?)\r\nhttps[:]//raw.githubusercontent[.]com/IconStorages/images/main/icon%d.ico\r\nThe icon file is downloaded from GitHub and parsed to extract encoded data that is appended to the file\r\nThe appended data is preceded by a $ which the malware uses as a marker to identify it\r\nThe following is an example of the base64 encoded data in icon15.ico\r\n`KQAAAGVhV4u+Eo4SGUuZypP8kNOkwQWzha6sxQrtzFo3oPSejc470WC47cKqv12+CshijG0HCfex40WinKat68EHqq8i6lHiifZpsxN3lxBRab\r\nThe data is then base64 decoded and passed through an unidentified generator used to create a key for the data\r\nThe key 
is then used to decrypt the remaining data using AES\r\nOnce decrypted the data reveals the stage 2 C2 URL https[:]//pbxsources[.]com/exchange; each icon file contains a different URL\r\nA request is then sent to the C2 using the _tutma cookie described above and stage 3 is downloaded\r\nStage 3 was not recovered\r\nSource: https://research.openanalysis.net/3cx/northkorea/apt/triage/2023/03/30/3cx-malware.html#Functionality",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.openanalysis.net/3cx/northkorea/apt/triage/2023/03/30/3cx-malware.html#Functionality"
	],
	"report_names": [
		"3cx-malware.html#Functionality"
	],
	"threat_actors": [],
	"ts_created_at": 1775434801,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11e28266017dead73e54e4d940fe09447df30d9d.pdf",
		"text": "https://archive.orkl.eu/11e28266017dead73e54e4d940fe09447df30d9d.txt",
		"img": "https://archive.orkl.eu/11e28266017dead73e54e4d940fe09447df30d9d.jpg"
	}
}