{
  "type": "URL",
  "indicator": "http://visualstudiofactory.com/groupcore",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "http://visualstudiofactory.com/groupcore",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3654589134,
      "indicator": "http://visualstudiofactory.com/groupcore",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 14,
      "pulses": [
        {
          "id": "6424b50b497f4c02507674fc",
          "name": "Supply Chain Compromise Campaign Targeting 3CXDesktopApp Customers",
          "description": "On March 29, 2023, reports began circulating about a potential supply chain compromise for 3CXDesktopApp \u2014 a softphone application from 3CX. The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.",
          "modified": "2023-04-20T18:25:22.256000",
          "created": "2023-03-29T22:00:37.553000",
          "tags": [
            "3CXDesktopApp",
            "Supply Chain Compromise"
          ],
          "references": [
            "https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/",
            "https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/",
            "https://objective-see.org/blog/blog_0x73.html",
            "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/",
            "https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats",
            "https://www.3cx.com/blog/news/desktopapp-security-alert/",
            "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-action-response-supply-chain-attack-using-3cx-pbax-software/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1444",
              "name": "Masquerade as Legitimate Application",
              "display_name": "T1444 - Masquerade as Legitimate Application"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 457,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 110,
            "FileHash-SHA1": 44,
            "FileHash-MD5": 37,
            "FileHash-SHA256": 51,
            "URL": 31,
            "email": 2,
            "YARA": 16
          },
          "indicator_count": 291,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386550,
          "modified_text": "1136 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6560755285e99d0da609558a",
          "name": " Supply Chain Compromise Campaign Targeting 3CXDesktopApp Customers",
          "description": "",
          "modified": "2023-11-24T10:05:06.579000",
          "created": "2023-11-24T10:05:06.579000",
          "tags": [
            "3CXDesktopApp",
            "Supply Chain Compromise"
          ],
          "references": [
            "https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/",
            "https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/",
            "https://objective-see.org/blog/blog_0x73.html",
            "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/",
            "https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats",
            "https://www.3cx.com/blog/news/desktopapp-security-alert/",
            "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-action-response-supply-chain-attack-using-3cx-pbax-software/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1444",
              "name": "Masquerade as Legitimate Application",
              "display_name": "T1444 - Masquerade as Legitimate Application"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "642d00c2ff00ca0c69739717",
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "santravault1",
            "id": "217419",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217419/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 112,
            "FileHash-SHA1": 44,
            "FileHash-MD5": 37,
            "FileHash-SHA256": 51,
            "URL": 31,
            "email": 2
          },
          "indicator_count": 277,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 75,
          "modified_text": "919 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64276a557aaf8592b056bf30",
          "name": "InQuest - 31-03-2023",
          "description": "",
          "modified": "2023-04-30T23:01:04.745000",
          "created": "2023-03-31T23:18:45.769000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 297,
            "FileHash-MD5": 40,
            "URL": 1648,
            "domain": 1073,
            "hostname": 228,
            "FileHash-SHA1": 41
          },
          "indicator_count": 3327,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "1126 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6426187046ac3cff229e86f1",
          "name": "InQuest - 30-03-2023",
          "description": "",
          "modified": "2023-04-29T23:04:49.088000",
          "created": "2023-03-30T23:17:04.149000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 92,
            "FileHash-MD5": 35,
            "URL": 1606,
            "domain": 1128,
            "hostname": 226,
            "FileHash-SHA1": 34
          },
          "indicator_count": 3121,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1622,
          "modified_text": "1127 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64352c65c4f75df9e7a93fcd",
          "name": "Caution When Using 3CX DesktopApp (CVE-2023-29059) - ASEC BLOG",
          "description": "A security flaw in the 3CX DesktopApp has been identified and the company is preparing to issue a new certificate to protect users from the threat. \u00a32.5m of malware.",
          "modified": "2023-04-11T09:46:13.718000",
          "created": "2023-04-11T09:46:13.718000",
          "tags": [
            "asd",
            "ahnlab",
            "windows",
            "c server",
            "march",
            "infostealer",
            "desktopapp",
            "ed fa",
            "c addresses",
            "crowdstrike",
            "north korea",
            "defense",
            "inside",
            "downloader",
            "c5403102",
            "c5403110",
            "c5403954",
            "osx.agent",
            "overview",
            "update",
            "electron macos",
            "solution guide",
            "windows key",
            "type"
          ],
          "references": [
            "https://asec.ahnlab.com/en/50919/",
            "https://asec.ahnlab.com/en/51090/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Korea, Republic of"
          ],
          "malware_families": [
            {
              "id": "ASD",
              "display_name": "ASD",
              "target": null
            },
            {
              "id": "OSX.Agent",
              "display_name": "OSX.Agent",
              "target": null
            },
            {
              "id": "C5403954",
              "display_name": "C5403954",
              "target": null
            },
            {
              "id": "C5403110",
              "display_name": "C5403110",
              "target": null
            },
            {
              "id": "C5403102",
              "display_name": "C5403102",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jeffchandy",
            "id": "215558",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_215558/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 11,
            "FileHash-SHA256": 31,
            "domain": 21,
            "URL": 29
          },
          "indicator_count": 104,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 55,
          "modified_text": "1146 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6433d439006a90a6129ee18b",
          "name": "3CX DesktopApp Supply Chain Attack Also Detected in Korea - ASEC BLOG",
          "description": "A supply chain attack through 3CX DesktopApp has been detected in North Korea, and this post will provide an analysis of the malware used in the attacks and their infection in Korea and other countries.",
          "modified": "2023-04-10T09:17:45.269000",
          "created": "2023-04-10T09:17:45.269000",
          "tags": [
            "asd",
            "ahnlab",
            "windows",
            "c server",
            "march",
            "infostealer",
            "desktopapp",
            "ed fa",
            "c addresses",
            "crowdstrike",
            "north korea",
            "defense",
            "inside",
            "downloader"
          ],
          "references": [
            "https://asec.ahnlab.com/en/51090/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Korea, Republic of"
          ],
          "malware_families": [
            {
              "id": "ASD",
              "display_name": "ASD",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 31,
            "CVE": 1,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 13,
            "domain": 15
          },
          "indicator_count": 80,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "1147 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "642d1ad834cda6e17119e63a",
          "name": "Threat Brief: 3CXDesktopApp Supply Chain Attack",
          "description": "",
          "modified": "2023-04-05T06:53:12.924000",
          "created": "2023-04-05T06:53:12.924000",
          "tags": [
            "macos",
            "windows",
            "xpanse",
            "windows variant",
            "march",
            "c2 url",
            "xdr agent",
            "unit",
            "supply chain",
            "github account",
            "urls",
            "installer",
            "attack",
            "win64",
            "malicious"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/#post-127495-_ydqdbjg0dngh"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Xpanse",
              "display_name": "Xpanse",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "642bb4c5c5e4b090915345ea",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 43,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 25,
            "domain": 21
          },
          "indicator_count": 109,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "1152 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "642d17c3e76ffcb81396f410",
          "name": "Threat Brief: 3CXDesktopApp Supply Chain Attack",
          "description": "",
          "modified": "2023-04-05T06:40:03.426000",
          "created": "2023-04-05T06:40:03.426000",
          "tags": [
            "macos",
            "windows",
            "xpanse",
            "windows variant",
            "march",
            "c2 url",
            "xdr agent",
            "unit",
            "supply chain",
            "github account",
            "urls",
            "installer",
            "attack",
            "win64",
            "malicious"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/#post-127495-_ydqdbjg0dngh"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Xpanse",
              "display_name": "Xpanse",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "642bb4c694ab8e68d7bbaf94",
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 43,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 25,
            "domain": 21
          },
          "indicator_count": 109,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "1152 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "642bb4c694ab8e68d7bbaf94",
          "name": "Threat Brief: 3CXDesktopApp Supply Chain Attack",
          "description": "",
          "modified": "2023-04-05T06:38:58.325000",
          "created": "2023-04-04T05:25:26.118000",
          "tags": [
            "macos",
            "windows",
            "xpanse",
            "windows variant",
            "march",
            "c2 url",
            "xdr agent",
            "unit",
            "supply chain",
            "github account",
            "urls",
            "installer",
            "attack",
            "win64",
            "malicious"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/#post-127495-_ydqdbjg0dngh"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Xpanse",
              "display_name": "Xpanse",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6426bb29394406a396d6fbcc",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 43,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 25,
            "domain": 21
          },
          "indicator_count": 109,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "1152 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "642d00c2ff00ca0c69739717",
          "name": "Supply Chain Compromise Campaign Targeting 3CXDesktopApp Customers",
          "description": "",
          "modified": "2023-04-05T05:01:54.722000",
          "created": "2023-04-05T05:01:54.722000",
          "tags": [
            "3CXDesktopApp",
            "Supply Chain Compromise"
          ],
          "references": [
            "https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/",
            "https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/",
            "https://objective-see.org/blog/blog_0x73.html",
            "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/",
            "https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats",
            "https://www.3cx.com/blog/news/desktopapp-security-alert/",
            "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-action-response-supply-chain-attack-using-3cx-pbax-software/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1444",
              "name": "Masquerade as Legitimate Application",
              "display_name": "T1444 - Masquerade as Legitimate Application"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "642bb4a40ea67c24c43ff3b0",
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 112,
            "FileHash-SHA1": 44,
            "FileHash-MD5": 37,
            "FileHash-SHA256": 51,
            "URL": 31,
            "email": 2
          },
          "indicator_count": 277,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "1152 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "642d00856b7931d1347e7f28",
          "name": "Threat Brief: 3CXDesktopApp Supply Chain Attack",
          "description": "",
          "modified": "2023-04-05T05:00:53.418000",
          "created": "2023-04-05T05:00:53.418000",
          "tags": [
            "macos",
            "windows",
            "xpanse",
            "windows variant",
            "march",
            "c2 url",
            "xdr agent",
            "unit",
            "supply chain",
            "github account",
            "urls",
            "installer",
            "attack",
            "win64",
            "malicious"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/#post-127495-_ydqdbjg0dngh"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Xpanse",
              "display_name": "Xpanse",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "642bb4c694ab8e68d7bbaf94",
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 43,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 25,
            "domain": 21
          },
          "indicator_count": 109,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "1152 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "642bb4c5c5e4b090915345ea",
          "name": "Threat Brief: 3CXDesktopApp Supply Chain Attack",
          "description": "",
          "modified": "2023-04-04T05:25:25.428000",
          "created": "2023-04-04T05:25:25.428000",
          "tags": [
            "macos",
            "windows",
            "xpanse",
            "windows variant",
            "march",
            "c2 url",
            "xdr agent",
            "unit",
            "supply chain",
            "github account",
            "urls",
            "installer",
            "attack",
            "win64",
            "malicious"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/#post-127495-_ydqdbjg0dngh"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Xpanse",
              "display_name": "Xpanse",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6426bb29394406a396d6fbcc",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 43,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 25,
            "domain": 21
          },
          "indicator_count": 109,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "1153 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "642bb4a40ea67c24c43ff3b0",
          "name": "Supply Chain Compromise Campaign Targeting 3CXDesktopApp Customers",
          "description": "",
          "modified": "2023-04-04T05:24:52.128000",
          "created": "2023-04-04T05:24:52.128000",
          "tags": [
            "3CXDesktopApp",
            "Supply Chain Compromise"
          ],
          "references": [
            "https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/",
            "https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/",
            "https://objective-see.org/blog/blog_0x73.html",
            "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/",
            "https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats",
            "https://www.3cx.com/blog/news/desktopapp-security-alert/",
            "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-action-response-supply-chain-attack-using-3cx-pbax-software/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1444",
              "name": "Masquerade as Legitimate Application",
              "display_name": "T1444 - Masquerade as Legitimate Application"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6424b50b497f4c02507674fc",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 112,
            "FileHash-SHA1": 44,
            "FileHash-MD5": 37,
            "FileHash-SHA256": 51,
            "URL": 31,
            "email": 2
          },
          "indicator_count": 277,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "1153 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6426bb29394406a396d6fbcc",
          "name": "Threat Brief: 3CXDesktopApp Supply Chain Attack",
          "description": "A supply chain attack involving a software-based phone application called 3CXDesktopApp is being investigated by CrowdStrike Unit 42, a security firm based in Hong Kong, and the University of South Korea.",
          "modified": "2023-03-31T10:51:21.919000",
          "created": "2023-03-31T10:51:21.919000",
          "tags": [
            "macos",
            "windows",
            "xpanse",
            "windows variant",
            "march",
            "c2 url",
            "xdr agent",
            "unit",
            "supply chain",
            "github account",
            "urls",
            "installer",
            "attack",
            "win64",
            "malicious"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/#post-127495-_ydqdbjg0dngh"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Xpanse",
              "display_name": "Xpanse",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 43,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 25,
            "domain": 21
          },
          "indicator_count": 109,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "1157 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.3cx.com/blog/news/desktopapp-security-alert/",
        "https://labs.inquest.net/iocdb",
        "https://objective-see.org/blog/blog_0x73.html",
        "https://asec.ahnlab.com/en/50919/",
        "https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/",
        "https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/#post-127495-_ydqdbjg0dngh",
        "https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats",
        "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-action-response-supply-chain-attack-using-3cx-pbax-software/",
        "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/",
        "https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/",
        "https://asec.ahnlab.com/en/51090/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 128
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "C5403102",
            "Macos",
            "Windows",
            "Osx.agent",
            "Asd",
            "C5403110",
            "Xpanse",
            "C5403954"
          ],
          "industries": [],
          "unique_indicators": 5579
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/visualstudiofactory.com",
    "whois": "http://whois.domaintools.com/visualstudiofactory.com",
    "domain": "visualstudiofactory.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 14,
  "pulses": [
    {
      "id": "6424b50b497f4c02507674fc",
      "name": "Supply Chain Compromise Campaign Targeting 3CXDesktopApp Customers",
      "description": "On March 29, 2023, reports circulating about a potential supply chain compromise for 3CXDesktopApp \u2014 a softphone application from 3CX. The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.",
      "modified": "2023-04-20T18:25:22.256000",
      "created": "2023-03-29T22:00:37.553000",
      "tags": [
        "3CXDesktopApp",
        "Supply Chain Compromise"
      ],
      "references": [
        "https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/",
        "https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/",
        "https://objective-see.org/blog/blog_0x73.html",
        "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/",
        "https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats",
        "https://www.3cx.com/blog/news/desktopapp-security-alert/",
        "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-action-response-supply-chain-attack-using-3cx-pbax-software/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1444",
          "name": "Masquerade as Legitimate Application",
          "display_name": "T1444 - Masquerade as Legitimate Application"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 457,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 110,
        "FileHash-SHA1": 44,
        "FileHash-MD5": 37,
        "FileHash-SHA256": 51,
        "URL": 31,
        "email": 2,
        "YARA": 16
      },
      "indicator_count": 291,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386550,
      "modified_text": "1136 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6560755285e99d0da609558a",
      "name": " Supply Chain Compromise Campaign Targeting 3CXDesktopApp Customers",
      "description": "",
      "modified": "2023-11-24T10:05:06.579000",
      "created": "2023-11-24T10:05:06.579000",
      "tags": [
        "3CXDesktopApp",
        "Supply Chain Compromise"
      ],
      "references": [
        "https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/",
        "https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/",
        "https://objective-see.org/blog/blog_0x73.html",
        "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/",
        "https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats",
        "https://www.3cx.com/blog/news/desktopapp-security-alert/",
        "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-action-response-supply-chain-attack-using-3cx-pbax-software/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1444",
          "name": "Masquerade as Legitimate Application",
          "display_name": "T1444 - Masquerade as Legitimate Application"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "642d00c2ff00ca0c69739717",
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "santravault1",
        "id": "217419",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217419/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 112,
        "FileHash-SHA1": 44,
        "FileHash-MD5": 37,
        "FileHash-SHA256": 51,
        "URL": 31,
        "email": 2
      },
      "indicator_count": 277,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 75,
      "modified_text": "919 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64276a557aaf8592b056bf30",
      "name": "InQuest - 31-03-2023",
      "description": "",
      "modified": "2023-04-30T23:01:04.745000",
      "created": "2023-03-31T23:18:45.769000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 297,
        "FileHash-MD5": 40,
        "URL": 1648,
        "domain": 1073,
        "hostname": 228,
        "FileHash-SHA1": 41
      },
      "indicator_count": 3327,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1621,
      "modified_text": "1126 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6426187046ac3cff229e86f1",
      "name": "InQuest - 30-03-2023",
      "description": "",
      "modified": "2023-04-29T23:04:49.088000",
      "created": "2023-03-30T23:17:04.149000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 92,
        "FileHash-MD5": 35,
        "URL": 1606,
        "domain": 1128,
        "hostname": 226,
        "FileHash-SHA1": 34
      },
      "indicator_count": 3121,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1622,
      "modified_text": "1127 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64352c65c4f75df9e7a93fcd",
      "name": "Caution When Using 3CX DesktopApp (CVE-2023-29059) - ASEC BLOG",
      "description": "A security flaw in the 3CX DesktopApp has been identified and the company is preparing to issue a new certificate to protect users from the threat. \u00a32.5m of malware.",
      "modified": "2023-04-11T09:46:13.718000",
      "created": "2023-04-11T09:46:13.718000",
      "tags": [
        "asd",
        "ahnlab",
        "windows",
        "c server",
        "march",
        "infostealer",
        "desktopapp",
        "ed fa",
        "c addresses",
        "crowdstrike",
        "north korea",
        "defense",
        "inside",
        "downloader",
        "c5403102",
        "c5403110",
        "c5403954",
        "osx.agent",
        "overview",
        "update",
        "electron macos",
        "solution guide",
        "windows key",
        "type"
      ],
      "references": [
        "https://asec.ahnlab.com/en/50919/",
        "https://asec.ahnlab.com/en/51090/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Korea, Republic of"
      ],
      "malware_families": [
        {
          "id": "ASD",
          "display_name": "ASD",
          "target": null
        },
        {
          "id": "OSX.Agent",
          "display_name": "OSX.Agent",
          "target": null
        },
        {
          "id": "C5403954",
          "display_name": "C5403954",
          "target": null
        },
        {
          "id": "C5403110",
          "display_name": "C5403110",
          "target": null
        },
        {
          "id": "C5403102",
          "display_name": "C5403102",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "jeffchandy",
        "id": "215558",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_215558/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 11,
        "FileHash-SHA256": 31,
        "domain": 21,
        "URL": 29
      },
      "indicator_count": 104,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 55,
      "modified_text": "1146 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6433d439006a90a6129ee18b",
      "name": "3CX DesktopApp Supply Chain Attack Also Detected in Korea - ASEC BLOG",
      "description": "A supply chain attack through 3CX DesktopApp has been detected in North Korea, and this post will provide an analysis of the malware used in the attacks and their infection in Korea and other countries.",
      "modified": "2023-04-10T09:17:45.269000",
      "created": "2023-04-10T09:17:45.269000",
      "tags": [
        "asd",
        "ahnlab",
        "windows",
        "c server",
        "march",
        "infostealer",
        "desktopapp",
        "ed fa",
        "c addresses",
        "crowdstrike",
        "north korea",
        "defense",
        "inside",
        "downloader"
      ],
      "references": [
        "https://asec.ahnlab.com/en/51090/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Korea, Republic of"
      ],
      "malware_families": [
        {
          "id": "ASD",
          "display_name": "ASD",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 31,
        "CVE": 1,
        "FileHash-MD5": 10,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 13,
        "domain": 15
      },
      "indicator_count": 80,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "1147 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "642d1ad834cda6e17119e63a",
      "name": "Threat Brief: 3CXDesktopApp Supply Chain Attack",
      "description": "",
      "modified": "2023-04-05T06:53:12.924000",
      "created": "2023-04-05T06:53:12.924000",
      "tags": [
        "macos",
        "windows",
        "xpanse",
        "windows variant",
        "march",
        "c2 url",
        "xdr agent",
        "unit",
        "supply chain",
        "github account",
        "urls",
        "installer",
        "attack",
        "win64",
        "malicious"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/#post-127495-_ydqdbjg0dngh"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Xpanse",
          "display_name": "Xpanse",
          "target": null
        },
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "macOS",
          "display_name": "macOS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "642bb4c5c5e4b090915345ea",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 43,
        "FileHash-MD5": 10,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 25,
        "domain": 21
      },
      "indicator_count": 109,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "1152 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "642d17c3e76ffcb81396f410",
      "name": "Threat Brief: 3CXDesktopApp Supply Chain Attack",
      "description": "",
      "modified": "2023-04-05T06:40:03.426000",
      "created": "2023-04-05T06:40:03.426000",
      "tags": [
        "macos",
        "windows",
        "xpanse",
        "windows variant",
        "march",
        "c2 url",
        "xdr agent",
        "unit",
        "supply chain",
        "github account",
        "urls",
        "installer",
        "attack",
        "win64",
        "malicious"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/#post-127495-_ydqdbjg0dngh"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Xpanse",
          "display_name": "Xpanse",
          "target": null
        },
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "macOS",
          "display_name": "macOS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "642bb4c694ab8e68d7bbaf94",
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 43,
        "FileHash-MD5": 10,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 25,
        "domain": 21
      },
      "indicator_count": 109,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "1152 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "642bb4c694ab8e68d7bbaf94",
      "name": "Threat Brief: 3CXDesktopApp Supply Chain Attack",
      "description": "",
      "modified": "2023-04-05T06:38:58.325000",
      "created": "2023-04-04T05:25:26.118000",
      "tags": [
        "macos",
        "windows",
        "xpanse",
        "windows variant",
        "march",
        "c2 url",
        "xdr agent",
        "unit",
        "supply chain",
        "github account",
        "urls",
        "installer",
        "attack",
        "win64",
        "malicious"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/#post-127495-_ydqdbjg0dngh"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Xpanse",
          "display_name": "Xpanse",
          "target": null
        },
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "macOS",
          "display_name": "macOS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6426bb29394406a396d6fbcc",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 43,
        "FileHash-MD5": 10,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 25,
        "domain": 21
      },
      "indicator_count": 109,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "1152 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "642d00c2ff00ca0c69739717",
      "name": "Supply Chain Compromise Campaign Targeting 3CXDesktopApp Customers",
      "description": "",
      "modified": "2023-04-05T05:01:54.722000",
      "created": "2023-04-05T05:01:54.722000",
      "tags": [
        "3CXDesktopApp",
        "Supply Chain Compromise"
      ],
      "references": [
        "https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/",
        "https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/",
        "https://objective-see.org/blog/blog_0x73.html",
        "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/",
        "https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats",
        "https://www.3cx.com/blog/news/desktopapp-security-alert/",
        "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-action-response-supply-chain-attack-using-3cx-pbax-software/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1444",
          "name": "Masquerade as Legitimate Application",
          "display_name": "T1444 - Masquerade as Legitimate Application"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "642bb4a40ea67c24c43ff3b0",
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 112,
        "FileHash-SHA1": 44,
        "FileHash-MD5": 37,
        "FileHash-SHA256": 51,
        "URL": 31,
        "email": 2
      },
      "indicator_count": 277,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "1152 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "http://visualstudiofactory.com/groupcore",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "http://visualstudiofactory.com/groupcore",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780245506.612108
}