This pack is part of the Rapid Breach Response pack.
On March 29, 2023, CrowdStrike released a blog discussing a supply chain attack involving a software-based phone application called 3CXDesktopApp.
As of March 30, the 3CXDesktopApp installer hosted on the developer’s website will install the application with two malicious libraries included. The malicious libraries will ultimately run shellcode to load a backdoor on the system that allows actors to install additional malware on the victim machine.
Between March 9-30, 2023, we observed activity at 127 Cortex XDR customers that involved the 3CXDesktopApp process attempting to run shellcode, which was blocked by the XDR Agent’s In-process Shellcode Protection Module. Due to blocking the shellcode, we were unable to obtain the secondary payload used in this attack, so we cannot determine its capabilities or any post-exploitation activities carried out by the threat actor.
The pack contains a playbook named 3CXDesktopApp Supply Chain Attack which handles 3CXDesktopApp Supply Chain Attack investigation and response.
The playbook includes the following tasks:
- Cortex XDR
- XQL hunting queries
- Advanced SIEM queries
- Azure Log Analytics
- Indicators hunting
Threat Brief: 3CXDesktopApp Supply Chain Attack
CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers