3CXDesktopApp Supply Chain Attack

This pack handles 3CXDesktopApp Supply Chain Attack investigation and response

This pack is part of the Rapid Breach Response pack.

Executive Summary

On March 29, 2023, CrowdStrike released a blog discussing a supply chain attack involving a software-based phone application called 3CXDesktopApp.

As of March 30, the 3CXDesktopApp installer hosted on the developer’s website will install the application with two malicious libraries included. The malicious libraries will ultimately run shellcode to load a backdoor on the system that allows actors to install additional malware on the victim machine.

Between March 9-30, 2023, we observed activity at 127 Cortex XDR customers that involved the 3CXDesktopApp process attempting to run shellcode, which was blocked by the XDR Agent’s In-process Shellcode Protection Module. Due to blocking the shellcode, we were unable to obtain the secondary payload used in this attack, so we cannot determine its capabilities or any post-exploitation activities carried out by the threat actor.

Pack Content

The pack contains a playbook named 3CXDesktopApp Supply Chain Attack which handles 3CXDesktopApp Supply Chain Attack investigation and response.

Playbook Flow

The playbook includes the following tasks:

Hunting:

Cortex XDR
- XQL hunting queries
Advanced SIEM queries
- Splunk
- QRadar
- Elasticsearch
- Azure Log Analytics
Indicators hunting

References:

Threat Brief: 3CXDesktopApp Supply Chain Attack

CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers

This pack is part of the Rapid Breach Response pack.

Executive Summary

On March 29, 2023, CrowdStrike released a blog discussing a supply chain attack involving a software-based phone application called 3CXDesktopApp.

Pack Content

The pack contains a playbook named 3CXDesktopApp Supply Chain Attack which handles 3CXDesktopApp Supply Chain Attack investigation and response.

Playbook Flow

The playbook includes the following tasks:

Hunting:

Cortex XDR
- XQL hunting queries
Advanced SIEM queries
- Splunk
- QRadar
- Elasticsearch
- Azure Log Analytics
Indicators hunting

References:

Threat Brief: 3CXDesktopApp Supply Chain Attack

CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers

Playbooks

Name	Description
3CXDesktopApp Supply Chain Attack	3CXDesktopApp Supply Chain Attack Executive Summary On March 29, 2023, CrowdStrike released a blog discussing a supply chain attack involving a software-based phone application called 3CXDesktopApp. As of March 30, the 3CXDesktopApp installer hosted on the developer’s website will install the application with two malicious libraries included. The malicious libraries will ultimately run shellcode to load a backdoor on the system that allows actors to install additional malware on the victim machine. Between March 9-30, 2023, we observed activity at 127 Cortex XDR customers that involved the 3CXDesktopApp process attempting to run shellcode, which was blocked by the XDR Agent’s In-process Shellcode Protection Module. Due to blocking the shellcode, we were unable to obtain the secondary payload used in this attack, so we cannot determine its capabilities or any post-exploitation activities carried out by the threat actor. Affected Products According to 3CX’s announcement, the supply chain attack involved 3CX’s Electron Windows App shipped in Update 7, version numbers 18.12.407 & 18.12.416 and Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 & 18.12.416. Playbook Flow This playbook should be triggered manually or can be configured as a job. Please create a new incident and choose the 3CXDesktopApp Supply Chain Attack playbook and Rapid Breach Response incident type. The playbook includes the following tasks: Hunting: Cortex XDR XQL hunting queries Advanced SIEM queries Splunk QRadar Elasticsearch Azure Log Analytics Indicators hunting References: Threat Brief: 3CXDesktopApp Supply Chain Attack CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Name

Description

3CXDesktopApp Supply Chain Attack

Executive Summary

On March 29, 2023, CrowdStrike released a blog discussing a supply chain attack involving a software-based phone application called 3CXDesktopApp.

Affected Products

According to 3CX’s announcement, the supply chain attack involved 3CX’s Electron Windows App shipped in Update 7, version numbers 18.12.407 & 18.12.416 and Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 & 18.12.416.

Playbook Flow

This playbook should be triggered manually or can be configured as a job. Please create a new incident and choose the 3CXDesktopApp Supply Chain Attack playbook and Rapid Breach Response incident type.

The playbook includes the following tasks:

Hunting:

Cortex XDR
- XQL hunting queries
Advanced SIEM queries
- Splunk
- QRadar
- Elasticsearch
- Azure Log Analytics
Indicators hunting

References:

Threat Brief: 3CXDesktopApp Supply Chain Attack

CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Playbooks

Name	Description
3CXDesktopApp Supply Chain Attack	3CXDesktopApp Supply Chain Attack Executive Summary On March 29, 2023, CrowdStrike released a blog discussing a supply chain attack involving a software-based phone application called 3CXDesktopApp. As of March 30, the 3CXDesktopApp installer hosted on the developer’s website will install the application with two malicious libraries included. The malicious libraries will ultimately run shellcode to load a backdoor on the system that allows actors to install additional malware on the victim machine. Between March 9-30, 2023, we observed activity at 127 Cortex XDR customers that involved the 3CXDesktopApp process attempting to run shellcode, which was blocked by the XDR Agent’s In-process Shellcode Protection Module. Due to blocking the shellcode, we were unable to obtain the secondary payload used in this attack, so we cannot determine its capabilities or any post-exploitation activities carried out by the threat actor. Affected Products According to 3CX’s announcement, the supply chain attack involved 3CX’s Electron Windows App shipped in Update 7, version numbers 18.12.407 & 18.12.416 and Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 & 18.12.416. Playbook Flow This playbook should be triggered manually or can be configured as a job. Please create a new alert and choose the 3CXDesktopApp Supply Chain Attack playbook and Rapid Breach Response alert type. The playbook includes the following tasks: Hunting: Cortex XDR XQL hunting queries Advanced SIEM queries Splunk QRadar Elasticsearch Azure Log Analytics Indicators hunting References: Threat Brief: 3CXDesktopApp Supply Chain Attack CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Name

Description

3CXDesktopApp Supply Chain Attack

Executive Summary

On March 29, 2023, CrowdStrike released a blog discussing a supply chain attack involving a software-based phone application called 3CXDesktopApp.

Affected Products

Playbook Flow

This playbook should be triggered manually or can be configured as a job. Please create a new alert and choose the 3CXDesktopApp Supply Chain Attack playbook and Rapid Breach Response alert type.

The playbook includes the following tasks:

Hunting:

Cortex XDR
- XQL hunting queries
Advanced SIEM queries
- Splunk
- QRadar
- Elasticsearch
- Azure Log Analytics
Indicators hunting

References:

Threat Brief: 3CXDesktopApp Supply Chain Attack

CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR

Optional Content Packs (6)

Pack Name	Pack By
Azure Log Analytics	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Elasticsearch	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR

All level dependencies (13)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Ransomware	By: Cortex XSOAR
Identity	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Cryptocurrency	By: Cortex XSOAR
Base	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR
Asset	By: Cortex XSOAR