Riskware/Sphone_XC3
Analysis
Riskware/Sphone_XC3 is a generic detection for a compromised application referred to as 3CX; this classification is synonymous with Generic PUA or Generic PUP.
Since this is a generic detection, riskware that is detected as Riskware/Sphone_XC3 may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- Files detected as Riskware/Sphone_XC3 have been associated with the Sphone_XC3 outbreak.
- Riskware/Sphone_XC3 refers to compromised installer files that can weaken a user's security. The installers came bundled with malicious DLLs alongside clean copies of the application, and they attempt to sideload the malicious DLLs (e.g. "d3[removed]_7.dll" and "ff[removed]g.dll") onto the user's computer.
- The affected application may perform malicious actions, such as acting as an InfoStealer.
- The affected application is distributed for multiple operating systems: Mac, Windows and Linux.
- This malware has been associated with the following third-party article/advisory:
https://www.3cx.com/blog/news/desktopapp-security-alert/
- Following are some of the near/exact IOCs/file hashes associated with this detection:
  - Md5: 0eeb1c0133eb4d571178b2d9d14ce3e9
    Sha256: 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983
  - Md5: f3d4144860ca10ba60f7ef4d176cc736
    Sha256: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
  - Md5: bb915073385dd16a846dfa318afa3c19
    Sha256: dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc
  - Md5: 9833a4779b69b38e3e51f04e395674c6
    Sha256: fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405
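The hashes above are only useful if they are actually checked against files on disk. The script below is an added example (not Fortinet's or 3CX's code) that streams each candidate file through MD5 and SHA-256 and reports any match against the IoC set listed on this page. The directory to sweep, the file-extension patterns and the `demo()` helper with its constructed benign file are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# IoC hashes copied from the detection entry above (MD5 / SHA-256 pairs).
KNOWN_MD5 = {
    "0eeb1c0133eb4d571178b2d9d14ce3e9",
    "f3d4144860ca10ba60f7ef4d176cc736",
    "bb915073385dd16a846dfa318afa3c19",
    "9833a4779b69b38e3e51f04e395674c6",
}
KNOWN_SHA256 = {
    "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983",
    "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868",
    "dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc",
    "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405",
}

# File patterns to examine: installers plus DLLs, since the page notes
# the installers carry sideloaded malicious DLLs. Assumed, not from the page.
DEFAULT_PATTERNS = ("*.exe", "*.msi", "*.dmg", "*.dll")


def digest_bytes(data):
    """Return (md5_hex, sha256_hex) for an in-memory blob."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def digest_file(path, chunk_size=1 << 20):
    """Return (md5_hex, sha256_hex) of a file, streaming so large installers fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def classify(md5_hex, sha256_hex):
    """Return the list of algorithms whose digest matches the IoC set (empty list = no hit)."""
    hits = []
    if md5_hex.lower() in KNOWN_MD5:
        hits.append("md5")
    if sha256_hex.lower() in KNOWN_SHA256:
        hits.append("sha256")
    return hits


def sweep(root, patterns=DEFAULT_PATTERNS):
    """Walk `root` and return {path: matched_algorithms} for every file that hits the IoC list."""
    findings = {}
    for pattern in patterns:
        for path in Path(root).rglob(pattern):
            if path.is_file():
                md5_hex, sha256_hex = digest_file(path)
                hits = classify(md5_hex, sha256_hex)
                if hits:
                    findings[str(path)] = hits
    return findings


def demo():
    """Sweep a temporary directory holding one constructed, benign file; expected result is {}."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "3CXDesktopApp-sample.exe"  # constructed placeholder name
        sample.write_bytes(b"not a real installer, constructed for the example")
        return sweep(tmp)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = sweep(target) if target else demo()
    for path, hits in result.items():
        print(f"MATCH {path}: {', '.join(hits)}")
    if not result:
        print("no files matched the Riskware/Sphone_XC3 hash list")
```

Run it as `python sweep.py <directory>` to check a download folder or software share. Because the page describes these as near/exact IoCs, a clean hash result rules out only the listed samples, not other trojanized builds; the vendor advisory and an up-to-date AV database remain the authoritative check.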
Outbreak Alert
Security researchers observed that the threat actors abused a popular business communication software by 3CX. The reports mention that a version of the 3CX VoIP (Voice over Internet Protocol) desktop client was trojanized and is being used to attack multiple organizations.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability

| Product | Availability |
|---|---|
| FortiGate | |
| FortiClient | |
| FortiAPS | |
| FortiAPU | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR | |