[ Intelligence ] (TLP: CLEAR) CISA Releases Malware Analysis Report on ICONICSTEALER

TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/

Summary: CISA has released a new Malware Analysis Report (MAR) on an infostealer known as ICONICSTEALER. This trojan has been identified as a variant of malware used in the supply chain attack against 3CX’s Desktop App.

CISA recommends that users and administrators review the following resource for more information and hunt for the listed indicators of compromise (IOCs) as evidence of potential malicious activity: hxxps://www.cisa[.]gov/news-events/analysis-reports/ar23-110a

NYSIC CAU Analyst Note: NYSIC CAU issued a threat report on March 30, 2023 concerning the initial reporting of the supply chain attack against the 3CX Desktop App. 

Cybersecurity research company Mandiant published on its blog (weblink below) a report detailing how the suspected North Korean supply-chain attack on clients of the enterprise phone company 3CX began with another, upstream third-party supply-chain attack. The report goes on to say that the initial compromise of 3CX’s network came via malicious software downloaded from the website of the software company Trading Technologies. Mandiant said the incident was the first time it had seen one software supply-chain attack (in which a threat actor compromises a victim’s network by gaining access to a trusted third party that is already present in that network) lead directly to another software supply-chain attack. In this instance, the hackers used their access to a Trading Technologies product to gain access to 3CX’s network, where they then modified 3CX’s desktop apps so they could compromise the networks of 3CX’s clients and customers.

Mandiant Blog: hxxps://www.mandiant[.]com/resources/blog/3cx-software-supply-chain-compromise

Author: Cybersecurity and Infrastructure Security Agency

This information has been forwarded by NYSIC to:
NYSIC CAU Contacts – CPWG
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – DHSES CIRT
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – County Information Contacts
NYSIC CAU Contacts – Critical Infrastructure Partners: Healthcare

For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.
