Hongke Share | Use IOTA to check clients affected by 3CX DLL sideloading attacks | Network performance monitoring

In late March 2023, 3CX, developer of the popular Voice over Internet Protocol (VoIP) private branch exchange (PBX) phone system, was hit by a DLL sideloading attack. 3CX's software is used by some 600,000 companies and 12 million users, including Mercedes-Benz, McDonald's, Coca-Cola, IKEA, and BMW, among others.

What is a DLL sideloading attack

DLL sideloading is a type of attack that injects malicious code into a legitimate application. It happens when a malicious DLL is placed in the same folder as the legitimate application and the application loads that DLL instead of the legitimate one. The malicious code then executes in the context of the running application, which lets the attacker gain access to the system or carry out further malicious activity. The best way to prevent this type of attack is to ensure that only authorized DLLs are present in the application folder, that all DLLs are regularly scanned for malicious code, and that the application is never run from an untrusted source. It is also important to keep the application up to date with security patches.

3CX's Electron-based desktop application for Windows and macOS allegedly shipped with a tampered library signed by the North Korean-controlled hacking group Lazarus. The software then contacts the command and control server and downloads further malware.

In addition to the published version numbers, signatures, and filenames of the affected libraries, the target URLs of the command and control server are also known. For example, these include:

https://akamaitechcloudservices[.]com/v2/storage and https://msedgeupdate[.]net/Windows.

Therefore, it is possible to check which clients in the network are affected based on the activity in the network. Hongke IOTA provides a simple evaluation method.

How to use IOTA for analysis

Analyze with DNS Overview Dashboard

Using the DNS Dashboard, security analysts can quickly identify which clients queried DNS resolution for the affected DNS records, and based on that, identify the TCP streams to the command and control server and download them for further analysis.

So, after logging into the IOTA web GUI, we first switch to the DNS overview panel.

Figure 1: Switch to the DNS overview panel

In Figure 2, we filter the FQDN akamaitechcloudservices[.]com using the “Search DNS” feature. We can see that a client has queried this FQDN to the DNS server 192.168.178.1.

Figure 2: Filtered by the “Search DNS” function of the DNS Overview Dashboard on FQDN akamaitechcloudservices.com

We then scroll down this dashboard and expand the related flows. We can identify the infected client in the "Client IP" column with the value 192.168.178.22. This client contacted the command and control server named in the search field. To perform further analysis, the associated TCP flows can also be downloaded via the Download column on the left.

Figure 3: Schematic diagram of the related process. In this case, the TCP flow to the example host 192.0.2.1

Further target FQDNs can be evaluated using different search queries and, if required, the time range selection can be adjusted.
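The same check can be scripted against exported DNS query logs. The following is an added example, not code from the original post or from the IOTA product: it matches the two C2 FQDNs listed above (including their subdomains) against constructed log lines in an assumed "timestamp client resolver qname" format and reports the querying client IPs with timestamps.

```python
"""Added example (not part of the original post or the IOTA product):
scan constructed DNS query log lines for the 3CX C2 FQDNs named above."""
import re
from collections import defaultdict

# Indicators exactly as the post lists them (defanged with "[.]").
DEFANGED_IOCS = ["akamaitechcloudservices[.]com", "msedgeupdate[.]net"]

def refang(fqdn: str) -> str:
    """Turn 'example[.]com' back into 'example.com' for matching."""
    return fqdn.replace("[.]", ".").lower().rstrip(".")

def matches_ioc(qname: str, iocs) -> bool:
    """True if qname equals an IoC domain or is a subdomain of one."""
    q = refang(qname)
    return any(q == d or q.endswith("." + d) for d in map(refang, iocs))

# Assumed log format (hypothetical, constructed for this example):
# "<timestamp> <client_ip> <resolver_ip> <qname>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def find_affected_clients(lines, iocs=DEFANGED_IOCS):
    """Return {client_ip: [(timestamp, qname), ...]} for matching queries."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing
        ts, client, _resolver, qname = m.groups()
        if matches_ioc(qname, iocs):
            hits[client].append((ts, refang(qname)))
    return dict(hits)

# Constructed sample log: one benign query, two queries to listed C2 domains,
# and a look-alike name that must NOT match (not a subdomain of the IoC).
SAMPLE_LOG = """\
2023-03-30T10:01:02Z 192.168.178.10 192.168.178.1 www.example.com
2023-03-30T10:02:15Z 192.168.178.22 192.168.178.1 akamaitechcloudservices.com
2023-03-30T10:03:40Z 192.168.178.22 192.168.178.1 msedgeupdate.net.
2023-03-30T10:04:00Z 192.168.178.31 192.168.178.1 notmsedgeupdate.net
""".splitlines()

if __name__ == "__main__":
    for client, queries in find_affected_clients(SAMPLE_LOG).items():
        print(client, queries)
```

The trailing-dot and subdomain handling matters in practice, because resolver logs often record absolute names and the C2 hosts may be queried under subdomains.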

Additional functions of Hongke IOTA

The DNS overview dashboard provides a good overview and quick filtering of DNS queries. Additionally, it provides a list of related streams, including timestamps, with the possibility to download them for deeper analysis.


Source: blog.csdn.net/HongkeTraining/article/details/130101028