SOC Incident Toolkit
Unleashing the Threat: Inside the SmoothOperator Supply Chain Attack on 3CX VOIP Desktop Client

Tags: SmoothOperator, 3CX, Supply Chain Attack, VoIP IPBX

A supply chain attack tracked as SmoothOperator is currently targeting 3CX's VoIP desktop client. Because 3CX's customer base spans many industries and high-value organizations, the potential impact is significant. The attackers distribute a trojanized build of the legitimate client, which delivers information-stealing malware to Windows and macOS users.

Indicators of Compromise

Domains (19)

azureonlinecloud.com
zacharryblogs.com
journalide.org
sourceslabs.com
akamaicontainer.com
officeaddons.com
pbxphonenetwork.com
msedgepackageinfo.com
dunamistrd.com
azuredeploystore.com
pbxsources.com
visualstudiofactory.com
akamaitechcloudservices.com
msstorageboxes.com
sbmsa.wiki
pbxcloudeservices.com
msstorageazure.com
azureonlinestorage.com
glcloudservice.com
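The domain list above is only useful once it is wired into a detection. The following is an added example, not code from the original page or from 3CX: it loads the 19 IOC domains and scans a few constructed proxy log lines, matching exact hosts and their subdomains while rejecting look-alike names that merely contain an IOC as a substring (plain substring matching would flag notmsstorageazure.com). The log format, client IPs and every hostname other than the IOCs are assumptions made for the example.

```python
"""Match proxy/DNS log lines against the SmoothOperator C2 domain list.

Added example, not part of the original page. The sample log lines are
constructed; only the domain set comes from the page's IOC list.
"""
import re
from typing import Iterable, List, Optional, Tuple

# The 19 domains from the page's IOC list.
SMOOTHOPERATOR_DOMAINS = frozenset({
    "azureonlinecloud.com", "zacharryblogs.com", "journalide.org",
    "sourceslabs.com", "akamaicontainer.com", "officeaddons.com",
    "pbxphonenetwork.com", "msedgepackageinfo.com", "dunamistrd.com",
    "azuredeploystore.com", "pbxsources.com", "visualstudiofactory.com",
    "akamaitechcloudservices.com", "msstorageboxes.com", "sbmsa.wiki",
    "pbxcloudeservices.com", "msstorageazure.com", "azureonlinestorage.com",
    "glcloudservice.com",
})

# Candidate hostnames inside a free-form log line: dotted labels ending in a
# TLD of two or more letters, optionally followed by a trailing dot or a port.
HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\.?(?::\d+)?\b")


def normalize_host(host: str) -> str:
    """Lower-case, refang '[.]', drop a trailing dot and any ':port'."""
    host = host.strip().lower().replace("[.]", ".").rstrip(".")
    return host.split(":", 1)[0]


def match_ioc_domain(host: str) -> Optional[str]:
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    Walk from the full name up through its parents (never down to the bare
    TLD) so 'cdn.msstorageazure.com' matches 'msstorageazure.com' while
    'notmsstorageazure.com' does not.
    """
    labels = normalize_host(host).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SMOOTHOPERATOR_DOMAINS:
            return candidate
    return None


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, observed_host, matched_ioc) for every hit.

    One hit per line is recorded; that is enough to raise the line for triage.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            ioc = match_ioc_domain(m.group(1))
            if ioc:
                hits.append((n, m.group(1).lower(), ioc))
                break
    return hits


# Constructed proxy log lines (timestamp, client, method, target, status).
SAMPLE_PROXY_LOG = """\
2023-03-29T10:14:02Z 10.1.4.22 GET https://update.microsoft.com/ 200
2023-03-29T10:14:09Z 10.1.4.22 GET https://MSStorageAzure.com/ 200
2023-03-29T10:15:41Z 10.1.7.8 CONNECT cdn.akamaitechcloudservices.com:443 200
2023-03-29T10:16:03Z 10.1.9.3 GET https://notmsstorageazure.com/ 200
2023-03-29T10:17:55Z 10.1.4.22 GET https://github.com/ 200
""".splitlines()


if __name__ == "__main__":
    for line_no, host, ioc in scan_log_lines(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {host} -> IOC {ioc}")
```

Running it flags lines 2 and 3 (the mixed-case exact match and the subdomain behind a CONNECT with a port) and leaves line 4 alone. The same `match_ioc_domain` check works for DNS query logs and for IOC feeds delivered defanged with `[.]`.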

Hashes (10)


APT Groups

Lazarus Group

Korea, Democratic People's Republic of

MITRE ATT&CK Mapping

<table>
<thead>
<tr><th>Tactic</th><th>Technique ID</th><th>Technique Name</th></tr>
</thead>
<tbody>
<tr><td>Initial Access</td><td><a href="https://attack.mitre.org/techniques/T1195/">T1195</a></td><td>Supply Chain Compromise</td></tr>
<tr><td>Execution</td><td><a href="https://attack.mitre.org/techniques/T1204/002/">T1204.002</a></td><td>User Execution: Malicious File</td></tr>
<tr><td>Defense Evasion</td><td><a href="https://attack.mitre.org/techniques/T1140/">T1140</a></td><td>Deobfuscate/Decode Files or Information</td></tr>
<tr><td>Defense Evasion</td><td><a href="https://attack.mitre.org/techniques/T1027/">T1027</a></td><td>Obfuscated Files or Information</td></tr>
<tr><td>Defense Evasion</td><td><a href="https://attack.mitre.org/techniques/T1574/002/">T1574.002</a></td><td>Hijack Execution Flow: DLL Side-Loading</td></tr>
<tr><td>Defense Evasion</td><td><a href="https://attack.mitre.org/techniques/T1497/003/">T1497.003</a></td><td>Virtualization/Sandbox Evasion: Time-Based Evasion</td></tr>
<tr><td>Credential Access</td><td><a href="https://attack.mitre.org/techniques/T1555/">T1555</a></td><td>Credentials from Password Stores</td></tr>
<tr><td>Credential Access</td><td><a href="https://attack.mitre.org/techniques/T1539/">T1539</a></td><td>Steal Web Session Cookie</td></tr>
<tr><td>Command and Control</td><td><a href="https://attack.mitre.org/techniques/T1071/">T1071</a></td><td>Application Layer Protocol</td></tr>
</tbody>
</table>