Of course, notarisation is an automated process; if it's a new kind of malware and it's not present in Apple's database, it will just happily notarise everything.
Nothing new or scary here, it always worked like this. It's not perfect.
 
And this is the reason to prefer sandboxed apps, at least they can't read or write outside their sandbox by default, and a sandbox bypass is much harder to find than a normal app that has almost unlimited disk access by default.
 
Yes, "more". It doesn't mean it's perfect.
This was all known and discussed years ago.
 
3CX: "Following the appointment of Mandiant as our security incident response team, forensic analysis on our network and product is in progress. In a nutshell, the interim assessment concluded:"

"Mandiant also identified a MacOS backdoor, currently named SIMPLESEA, located at /Library/Graphics/Quartz (MD5: d9d19abffc2c7dac11a16745f4aea44f). Mandiant is still analysing SIMPLESEA to determine if it overlaps with another known malware family.

The backdoor written in C communicates via HTTP. Supported backdoor commands include shell command execution, file transfer, file execution, file management, and configuration updating. It can also be tasked to test the connectivity of a provided IP and port number.

The backdoor checks for the existence of its configuration file at /private/etc/apdl.cf. If it does not exist, it creates it with hard-coded values. The config file is single-byte XOR encoded with the key 0x5e. C2 comms are sent over HTTP requests. A bot id is generated randomly seeded with the PID of the malware upon initial execution. The id is sent with C2 communications. A brief host survey report is included in beacon requests. Message contents are encrypted with the A5 stream cipher according to the function names in the binary."

https://www.3cx.com/blog/news/mandiant-initial-results/
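The quoted report gives a defender three concrete things to check on a Mac: the backdoor path and its MD5, the config file path, and the single-byte XOR key (0x5e) protecting that config. The script below is an added example, not code from 3CX, Mandiant or the poster: it decodes such a config and checks the two paths under a given root (the live filesystem or a mounted image). The paths, hash and key are the ones quoted above; the sample config plaintext is constructed, since the report does not describe the real config layout.

```python
"""Offline triage helper for the SIMPLESEA indicators quoted above (added example)."""
import hashlib
import sys
from pathlib import Path

# Indicators quoted from the Mandiant interim report in the post above
BACKDOOR_PATH = Path("/Library/Graphics/Quartz")
BACKDOOR_MD5 = "d9d19abffc2c7dac11a16745f4aea44f"
CONFIG_PATH = Path("/private/etc/apdl.cf")
CONFIG_XOR_KEY = 0x5E


def xor_decode(data: bytes, key: int = CONFIG_XOR_KEY) -> bytes:
    """Single-byte XOR with `key`. XOR is its own inverse, so the same
    routine encodes and decodes; the report names 0x5e as SIMPLESEA's key."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_known_simplesea_sample(data: bytes) -> bool:
    """Compare against the MD5 published for the /Library/Graphics/Quartz sample.
    A match is a strong positive; a mismatch proves nothing, because a rebuilt
    payload at the same path would hash differently."""
    return md5_hex(data) == BACKDOOR_MD5


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII (like the `strings` tool) from decoded bytes,
    so an analyst can eyeball hosts, ports and paths in a decoded config."""
    out, cur = [], bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def triage(root="/") -> dict:
    """Check both IoC paths under `root` ('/' for a live host, or the mount
    point of a forensic image) and decode the config file if it is present."""
    root = Path(root)
    report = {
        "backdoor_present": False,
        "backdoor_hash_match": False,
        "config_present": False,
        "config_strings": [],
    }
    binary = root / BACKDOOR_PATH.relative_to("/")
    if binary.is_file():
        report["backdoor_present"] = True
        report["backdoor_hash_match"] = is_known_simplesea_sample(binary.read_bytes())
    config = root / CONFIG_PATH.relative_to("/")
    if config.is_file():
        report["config_present"] = True
        report["config_strings"] = printable_strings(xor_decode(config.read_bytes()))
    return report


# Constructed sample: the real config layout is not documented in the report.
SAMPLE_CONFIG_PLAINTEXT = b"host=example-c2.invalid\nport=8080\n"
SAMPLE_CONFIG_ENCODED = xor_decode(SAMPLE_CONFIG_PLAINTEXT)

if __name__ == "__main__":
    # Usage: python3 triage.py [root]   e.g. the mount point of an image
    for key, value in triage(sys.argv[1] if len(sys.argv) > 1 else "/").items():
        print(f"{key}: {value}")
```

Run it against `/` on a suspect Mac or against the mount point of a disk image; a present config is decoded in memory only, nothing is written back. Because the hash is tied to one specific sample, the presence of either path is the signal worth escalating on, whether or not the MD5 matches.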
 
20 April 2023
Mandiant Consulting "3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible"
https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise
"The macOS build server was compromised with POOLRAT backdoor using Launch Daemons as a persistence mechanism."
"POOLRAT is a C/C++ macOS backdoor capable of collecting basic system information and executing commands. The commands performed include running arbitrary commands, secure deleting files, reading and writing files, updating the configuration."
 
This is a good summary of the breach from Brian Krebs, a well-established journalist who specializes in security and privacy issues:

"We learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider 3CX. The lengthy, complex intrusion has all the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts on LinkedIn to lure people into opening malware disguised as a job offer; malware targeting Mac and Linux users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks."
 
Patrick Wardle - "Mac'ing sense of the 3CX supply chain attack: analysis of the macOS payloads"
https://www.youtube.com/watch?v=P7sKbrWV6wo
 