{"id":16538,"date":"2023-03-31T17:44:16","date_gmt":"2023-03-31T15:44:16","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=16538"},"modified":"2024-04-12T16:33:25","modified_gmt":"2024-04-12T14:33:25","slug":"using-thor-lite-to-scan-for-indicators-of-lazarus-activity-related-to-the-3cx-compromise","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2023\/03\/31\/using-thor-lite-to-scan-for-indicators-of-lazarus-activity-related-to-the-3cx-compromise\/","title":{"rendered":"Using THOR Lite to scan for indicators of Lazarus activity related to the 3CX compromise"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.19.4″ _module_preset=”default” da_disable_devices=”off|off|off” global_colors_info=”{}” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on”][et_pb_row _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

<\/blockquote>\n

On March 29, 2023 CrowdStrike detected<\/a> malicious activity, originating from a legitimate, signed binary called 3CXDesktopApp. The binary is part of a softphone system developed by 3CX<\/a>.
The observed malicious activity consisted of beaconing to infrastructure controlled by the actors, leading to the deployment of second-stage payloads and in a few cases direct on-keyboard activity from the attackers.<\/span><\/span><\/p>\n

You can find more information on the threat in the following articles by CrowdStrike, Volexity and Huntress Labs:<\/span><\/p>\n

<\/blockquote>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”1_3,1_3,1_3″ _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”1_3″ _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”][et_pb_blurb title=”CrowdStrike Report” url=”https:\/\/www.crowdstrike.com\/blog\/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers\/” image=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-31-at-13.52.35.png” _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

The first report on the activity linking it to LABYRINTH CHOLLIMA aka Lazarus group.<\/p>\n

[\/et_pb_blurb][\/et_pb_column][et_pb_column type=”1_3″ _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”][et_pb_blurb title=”Volexity Article” url=”https:\/\/www.volexity.com\/blog\/2023\/03\/30\/3cx-supply-chain-compromise-leads-to-iconic-incident\/” image=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-31-at-14.42.20.png” _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

This article by Volexity lists a lot of indicators and reports on the final stage in form of the stealer ICONIC<\/p>\n

[\/et_pb_blurb][\/et_pb_column][et_pb_column type=”1_3″ _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”][et_pb_blurb title=”Huntress Labs Article” url=”https:\/\/www.huntress.com\/blog\/3cx-voip-software-compromise-supply-chain-threats” image=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-31-at-14.45.05.png” _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Huntress Labs report on the activity including process patterns, rules and IOCs<\/p>\n

[\/et_pb_blurb][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

After the compromise became first known, we began our own investigation and in the following few hours released a number of detection rules to our public repositories.<\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-31-at-18.08.31.png” title_text=”Screenshot 2023-03-31 at 18.08.31″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

While having the detection in place is a great start, often times it’s not an easy task to assess the situation and make sure that no system in the network is affected by the threat.<\/p>\n

One way to leverage these rules and quickly scan your own environment for free, is using THOR Lite scanner.<\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”3_5,2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”3_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Enter THOR Lite<\/span><\/h1>\n

THOR Lite is the reduced version of our compromise assessment scanner THOR. It uses YARA rules and Indicators of Compromise (IOC) like hash values and file names to detect malicious activity.\u00a0<\/span><\/p>\n

In this technical blog article, we’ll explore how to levreage THOR Lite to scan end systems for signs of malicious activity related to the 3CX compromise. <\/span><\/p>\n

We’ll also discuss the various types of indicators that THOR Lite can detect, walk through the process of setting up and configuring the tool, and provide tips for interpreting the scan results.<\/span><\/p>\n

By the end of this article, you should have a solid understanding of how to use THOR Lite to run a compromise assessments within your network.<\/span><\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-31-at-14.51.18.png” title_text=”Screenshot 2023-03-31 at 14.51.18″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Download THOR Lite<\/h1>\n

Visit the product page,<\/a> subscribe to the newsletter to get the program package and the license file.<\/p>\n

(note: we offer a special license file to 3CX customers that enables an additional module from the full version to extend the detection coverage even more)<\/p>\n

You can download this special license here: (expires 30.04.2023)\u00a0<\/p>\n

[\/et_pb_text][et_pb_button button_url=”https:\/\/www.nextron-systems.com\/certs\/3cx.lic” url_new_window=”on” button_text=”Download 3cx.lic” _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_button][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-31-at-15.15.03.png” title_text=”Screenshot 2023-03-31 at 15.15.03″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Email content:<\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-31-at-15.18.55.png” title_text=”Screenshot 2023-03-31 at 15.18.55″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Getting Started<\/h1>\n

After you’ve downloaded the program package as a ZIP archive, extract it and place the license file (.lic) in the program folder.<\/p>\n

Double click on the “thor64-lite.exe”<\/strong> to run it without any flags or open a Windows command line as an administrator and navigate to the folder where you’ve extracted the program package.<\/p>\n

You should then see the scan window that closes automatically when the scan is complete. Usually scans take between 1-4 hours, but there are some ways to speed up the scan.<\/p>\n

 <\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-31-at-16.17.04.png” title_text=”Screenshot 2023-03-31 at 16.17.04″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-31-at-16.21.11.png” title_text=”Screenshot 2023-03-31 at 16.21.11″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Flags to Consider<\/h1>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”3_5,2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”3_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

--nosoft --nolowprio<\/pre>\n
[\/et_pb_text][\/et_pb_column][et_pb_column type=”2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
If you’re scanning virtual machines or systems that are under a constant high load by other processes, it could be helpful to use the “–nosoft”<\/em> and “–nolowprio”<\/em> flags to let THOR run with the same process priority as any other regular process.<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”3_5,2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”3_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
--lookback 150 --global-lookback<\/pre>\n
[\/et_pb_text][\/et_pb_column][et_pb_column type=”2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
If you’re interested in scanning recently created files and log entries. These flags instruct THOR to only scan elements created or changed within the last 150 days (why 150?<\/a>). It would ignore any file or eventlog entry older than that and thus scan a much smaller set of elements.<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”3_5,2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”3_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
--cpulimit 30<\/pre>\n
[\/et_pb_text][\/et_pb_column][et_pb_column type=”2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
To minimize the impact for the end user working on a system while it is getting scanned, you can reduce the CPU usage of the scanner to e.g. 30% to avoid them taking notice of the scan by reducing the overall load and fan noise.<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.20.2″ _module_preset=”default” min_height=”222.2px” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
Recommended CommandLine Flags For The 3CX Use Case<\/h1>\n
If a normal scan takes too long, we recommend the following command line flags in order to reduce the scan duration by restricting the scan to the changes of the last 150 days:<\/p>\n
thor64-lite.exe --nolowprio --lookback 150 --global-lookback<\/pre>\n
[\/et_pb_text][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
In order to reduce the CPU usage and make it as imperceptible as possible to the end user working on the scanned systems use the following command:<\/p>\n
thor64-lite.exe --lookback 150 --global-lookback --cpulimit 35<\/pre>\n
[\/et_pb_text][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
Update the Signatures<\/h1>\n
We’re constantly working on enhancing and updating the signatures related to the 3CX compromise. Updates are to be expected over the weekend and next week. To make sure THOR always works with the newest set of signatures use the following command:<\/p>\n
thor-lite-util.exe upgrade<\/pre>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
Interpreting the Scan Results<\/h1>\n
During the scan you’ll see several messages in green and blue colours. Warning and alert messages use a yellow or red color. But don’t worry when you notice a message of that color. Remember that THOR is a scanner that highlights malicious and suspicious elements for review by an administrator or forensic analyst. Not everything shown as a “warning” message has to be a real threat.<\/p>\n
[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-31-at-17.19.16.png” title_text=”Screenshot 2023-03-31 at 17.19.16″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” custom_padding=”0px|||||” global_colors_info=”{}”]<\/p>\n
After the scan finishes, users can find an HTML report in the program folder that lists all findings.\u00a0<\/p>\n
[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-31-at-17.27.02.png” title_text=”Screenshot 2023-03-31 at 17.27.02″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
We recommend searching the HTML report for the “3CX” keyword and only review matches with the specific IOCs and YARA rules related to this activity.<\/p>\n
[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-31-at-17.25.17.png” title_text=”Screenshot 2023-03-31 at 17.25.17″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
THOR Lite is able to detect various forensic artefacts:<\/p>\n