XaiJu
oalabs
oalabs

patreon


Live Stream VOD: 3CX Supply Chain Attack Malware Analyzed

In this Twitch lives stream we reverse engineer the 3CX software backdoor and associated downloader chain.

Samples

Notes

3CX Supply Chain Attack: Taking a closer look at the delivery of this malware

Live Stream VOD: 3CX Supply Chain Attack Malware Analyzed

Comments

For filling the b64string (or any strings) into the buffer in x64dbg, you can select the range that equal to string lenght, then right click -> Binary -> Fill, then select String tab, paste your string to the text box and OK --> boom .. magic :D

m4n0w4r

<3 THANKS!

gdpqq

Ah my bad, here is the code that calculates the time https://imgur.com/HHmDQVq rand()% 1800000 --> random between 0 and 20days ~20hours + 604800 -> 7 days added to the calculated time so this gives use between 7 days and 27days ~20hours

OALABS

Thank you, herrcore! I actually had a question on the 7 to 20 day range from the writeup, but no worries, I realize that was not the focus of the stream. Thanks again for the quality content!

gdpqq

We didn't triage this part on stream but I took a quick look after and detailed the functionality in our notes here https://research.openanalysis.net/3cx/northkorea/apt/triage/2023/03/30/3cx-malware.html#Functionality

OALABS

Thanks for triaging this! I really enjoyed it. Quick question on the delay - isn't it ~20 days + 7 days? (up to ~27 days)?

gdpqq


More Creators