

“PBX software makes an attractive supply chain target for actors; in addition to monitoring an organization’s communications, actors can modify call routing or broker connections into voice services from the outside,” SentinelOne said.

The information stealer can gather system information and sensitive data stored in the Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers. Sophos notes that the DLL side-loading is designed so that users will not notice any difference while using the application. Similarly, CrowdStrike found that the malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.

“The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from GitHub and ultimately leads to a 3rd stage infostealer DLL still being analyzed as of the time of writing,” SentinelOne said. Researchers said it is a multi-stage attack whose first stage uses the DLL side-loading technique to load a malicious DLL designed to retrieve an icon-file payload.
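One way a defender can triage the ICO-file stage described above is to check whether an icon file carries data beyond where its own directory says the images end. The following is an added example, not code from SentinelOne, Sophos or CrowdStrike; it relies only on the standard ICO layout (6-byte ICONDIR header, 16-byte ICONDIRENTRY records), and the sample files it checks are constructed inline.

```python
import base64
import binascii
import re
import struct
from typing import Optional

# Base64 alphabet plus padding and line breaks; anything else means "not a base64 trailer".
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def ico_data_end(data: bytes) -> Optional[int]:
    """Offset just past the last image referenced by the ICO directory, or None if not an ICO."""
    if len(data) < 6:
        return None
    reserved, img_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or img_type not in (1, 2) or count == 0:  # 1 = icon, 2 = cursor
        return None
    end = 6 + 16 * count  # end of the directory itself
    for i in range(count):
        entry = 6 + 16 * i
        if entry + 16 > len(data):
            return None
        size, offset = struct.unpack_from("<II", data, entry + 8)  # bytesInRes, imageOffset
        end = max(end, offset + size)
    return end


def appended_base64(data: bytes) -> Optional[bytes]:
    """Decoded trailer if base64 text follows the last image in an ICO, else None."""
    end = ico_data_end(data)
    if end is None or end >= len(data):
        return None  # not an ICO, or no bytes past the declared images
    trailer = data[end:].strip()
    if len(trailer) < 16 or not B64_RE.match(trailer):
        return None
    try:
        return base64.b64decode(trailer, validate=False)
    except (ValueError, binascii.Error):
        return None


def build_ico(image: bytes) -> bytes:
    """Constructed single-entry ICO; the image bytes are a stand-in, not a real bitmap."""
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(image), 22)
    return header + entry + image


CLEAN_ICO = build_ico(b"\x89PNG" + b"\x00" * 28)  # constructed: images end exactly at EOF
TAINTED_ICO = CLEAN_ICO + base64.b64encode(b"constructed second-stage marker, not real")
```

Pointing `appended_base64` at a directory of icon files gives a quick list of candidates for deeper analysis; a clean icon returns `None`, a tainted one returns the decoded trailer.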
