Inspecting affected clients of 3CX DLL sideloading attack with IOTA

At the end of March 2023, a supply chain attack on VoIP manufacturer 3CX became known. Their software is used by approximately 600,000 companies and 12 million users, including Mercedes-Benz, McDonald’s, Coca-Cola, IKEA, and BMW.

3CX’s Windows and macOS desktop app (also known as Electron) was allegedly shipped with a signed but tampered library by the North Korean-controlled hacker group Lazarus. The software subsequently contacts command and control servers and downloads further malware.

In addition to the published affected version numbers, signatures, and file names of the affected libraries, the target URLs of the command and control servers are also known. These include, for example, https://akamaitechcloudservices[.]com/v2/storage and https://msedgeupdate[.]net/Windows.

Thus, it is possible to check which clients in the network are affected based on the activities in the network. The Profitap IOTA offers a simple way to evaluate this.


Analysis via the DNS Overview Dashboard

Using the DNS Dashboard, the security analyst can quickly identify which clients have queried a DNS resolution on the affected DNS records and also identify and download the TCP flow to the command and control server based on this for further analysis.

Therefore, after logging in to the IOTA web GUI, we first switch to the DNS Overview Dashboard.

Figure 1: Switch to the DNS Overview Dashboard.