May 24, 2023

Cybersecurity Threats Affecting Businesses in May 2023

Cybersecurity Threats Affecting Businesses in May 2023 Cybersecurity & Digital Forensics

Cybersecurity threats are increasing rapidly. As a result, company leaders need to be more aware of potential deficiencies in their overall cybersecurity strategy. Threat hunt queries, offered as part of Marcum Technology’s SOC services, are key to identifying potential threats in an organization’s environment.

Below are the top four threats that emerged over the past month.

AlienFox Toolset

SentinelLabs reported a developing malware family called AlienFox, an open-source modular toolkit used to compromise email and web hosting services. It is regularly redistributed, with multiple developers taking credit for different versions and tools contained within. There have been at least three distinct versions so far — the first was observed in February 2022 — indicating ongoing improvement. The kit is primarily distributed via a private Telegram channel, but some modules are readily accessible on GitHub.

AlienFox identifies misconfigured hosts from security scanning platforms such as LeakIX and SecurityTrails. It then targets popular web frameworks such as Laravel, Magento, Opencart, and WordPress, where it searches for exposed configuration files that store sensitive information, such as API keys, credentials, and authentication tokens. Finally, it uses scripts to extract and parse the data. Recent versions contained automation scripts to use the compromised information for malicious activities.

Administrators should verify proper server configurations, including access controls and file permissions, and remove unnecessary services. Implementing multi-factor authentication (MFA) and monitoring tools is also recommended.

3CX Desktop App Compromised (CVE-2023-29059)

On March 29, several reports stated that digitally signed versions of the 3CX voice-over-internet protocol (VOIP) desktop client were trojanized due to a code-level compromise. Mandiant assessed with high confidence that UNC4736 has a North Korean nexus, according to Pierre Jourdan, CISO of 3CX. The issue has been assigned CVE-2023-29059 and a CVSS V3.x score of 7.8, which is a “high” rating.

3CX developed and marketed a software-based private branch exchange (PBX) phone system that is used by more than 600,000 companies worldwide, including American Express, Coca-Cola, McDonald’s, BMW, Honda, Air France, Toyota, Mercedes-Benz, IKEA, and the UK’s National Health Service. Initial reports suggested that all platforms of the 3CX desktop app were compromised. However, the issue appears to trace back to one of the bundled libraries compiled into the Electron App via GIT, so only specific versions of the MacOS and Windows 3CX desktop apps were affected.

3CX has stated that it is working on a new version of the Windows app and has revoked the certificate for the previous version. The domains contacted by this compromised library have already been reported, and the majority were taken down overnight. A GitHub repository that listed them has also been shut down, effectively rendering it harmless. The Windows version was infected with TAXHAUL (aka “TxRLoader”), and the MacOS had SIMPLESEA, a backdoor written in C that communicates via HTTP.

This is another attack in a growing list that aims to affect the supply chain. To infiltrate your digital organization, these attacks usually involve an outside provider or partner (3CX in this case) that has some sort of influence on your data and systems. By poisoning the 3CX’s desktop app updates, attackers compromise any business or individual that uses the software and updates to the infected version.

As of right now, 3CX is advising customers to uninstall the 3CX Electron desktop application from all Windows or Mac OS computers and to keep AV scans and EDR solutions up to date to detect the latest malware signatures. They also recommend customers switch to using the PWA web client app.

Magecart Credit Card Skimmer

It’s not uncommon for criminals to create copies of genuine products; however, it is exceedingly rare for the copy to be considered better than the original. A recent Magecart credit card skimmer campaign leveraged the Kritec skimmer and used original logos and even modal web elements from the compromised store to hijack the checkout page. The skimmer ironically looks more authentic to an average or even advanced user than the original. This is an example of an excellent social engineering attack so elegant that it would be extremely difficult to spot.

A modal is an element of a web page displayed in front of the currently active page. It disables and grays out the background so the user focuses on the elegant, aesthetically pleasing modal. However, the modal is entirely fake in this case and simply steals credit card data. The real form, visible after blocking the skimmer, loads a new page in a new window entirely. It is clunkier and uglier than the fraudulent version.

The malicious modal is built cleanly and contains an animation displaying the store’s logo in the middle. There is one small mistake in the TOS hyperlink, however: it redirects to the TOU for a South American payment processor.

The payment flow is as follows: upon selecting “credit card,” the modal loads. Once a user enters their details, a fake error is displayed very briefly, saying that payment was canceled before the user is redirected to the real payment URL. On that second attempt, the payment goes through, and the user is unaware that their card information was just stolen. A cookie is dropped that prevents the modal from appearing again as it has served its purpose.

Unfortunately, even commonly used websites can be compromised, and attackers are becoming talented enough to create extremely convincing false pages and skimmers that are undetectable by all but the most paranoid users and analysts. As always, users must exercise great caution even in familiar places on the internet.


ViperSoftX, typically focused on cryptocurrency theft/mining, appears to have shifted gears recently. In the latest update, it has been observed using real software to hide and pose as legitimate versions of popular tools on the market, making it a seamless chain for malware execution.

ViperSoftX typically arrives as a software crack, an activator/patcher, or a key generator. The malware arrives as a package of the carrier executable and the decryptor/loader DLL. This includes a more sophisticated encryption method of byte remapping and a change in the command-and-control server.

The byte remapping ensures the shellcode cannot be easily decrypted without the correct byte map, weaving a cross-stitch template to the palette of 256 bytes. ViperSoftX also uses WMI query language, DLL sideloading and load order hijacking, PowerShell reflective loading, browser hijacking, and C&C protection to steal crypto and passwords. It then uses a domain-generating algorithm to hide its C&C server and generate useless traffic. Considering the main goal of acquiring control, the stealer has interesting capabilities that grant the threat actor the ability to steal passwords and scan wallets for cryptocurrencies.

Distributing pirated software and cracks continues to be a viable way to spread malware. While threat actors target neither specific software nor applications, they commonly use multimedia editors or video format converters; cryptocurrency miner apps; phone-related desktop apps; and system cleaner apps.

If you’re facing challenges related to cybersecurity threats, breaches, and bad actors, or are interested in learning more about identifying potential threats to your organization, contact Marcum Technology today.