Millions at risk with this recent trojan.

Mar 30 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that dreams of net zero phishing attacks by 2050. No, 2030! #MissionZero #MissionImpossible

Today’s hottest cyber security stories:

  • 3CX desktop app hack by ‘SmoothOperator’; millions at risk
  • Scammers target their own by ‘troganizing’ popular dark web browser Tor
  • MacStealer Maas distributed en masse to mac users


In case you’re unaware, 3CX is a popular video conferencing app that boasts a customer base of more than 600,000 in 190 countries. It’s what’s known as a VoIP (Voice over internet protocol) application (or protocol!) similar to Skype or Zoom.

Despite its success and widespread use, developers at 3DS will be furiously coding away this afternoon thanks to the news of a potentially devastating supply chain hack that several cybersecurity firms blew the whistle on.

3CX is currently working on a software update for their 3CXDesktopApp to tackle the issue wherein digitally signed and rigged installers of the popular software victimise unsuspecting customers.

Put simply (as possible, at least), the nasty bit of malware (dubbed SmoothOperator) takes advantage of the DLL side-loading technique to load a rogue DLL (ffmpeg.dll) that’s designed to retrieve an icon file (ICO) payload.

The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage infostealer DLL,” SentinelOne researchers said.

Ah, the dreaded infostealer! This one is reportedly capable of swiping all manner of sensitive data from Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers.

What’s more, CrowdStrike added: “The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity,”

There’s something especially creepy about the idea of observing your mouse or keyboard suddenly begin to operate smoothly. Sorry, independently.

FYI: A supply chain attack is a type of cyber attack that targets organisations by focusing on weaker links in an organisation’s supply chain. 

The supply chain, of course, is the network of all the individuals, organisations, resources, activities and technology involved in the creation and sale of a product.

Finally, guess who’s behind this one. Nope, not the Russians, for once. Go on, have another go. You got it! It’s the North Koreans again.

Specifically, our friends at Crowdstrike suspect a North Korean nation-state actor it tracks as Labyrinth Chollima (aka Nickel Academy), a sub-cluster within the notorious Lazarus Group.

Lazarus returns from the dead once more! And just before Easter, to boot. Biblical stuff.

You can read about the previous Lazarus story here


This story gives new meaning to the phrase ‘thick as thieves’. These thieves are thick, alright. But not thick as in cooperating in a friendly manner. Nope, just plain dense.

In fact, it’s the direct opposite of cooperation. These guys are actively targeting their criminal brethren. How sickening!

How so, you ask? Well, most of you will have heard of the dark web and know that, although anyone can use it (libertarians, FTW), it’s certainly heavily (if not, mostly!) populated by cybercriminals. Or just plain criminals, for that matter. You can buy anything from guns to drugs to actual cyber scams (more of that in the next story).

To access this treasure trove of contraband, you can’t just type ‘dark web’ into Google and click on the first link. Trust us, we’ve tried! Just kidding.

Instead, you have to download a special browser. There are many to choose from but by far the most popular of these special browsers is called Tor. And it’s this Tor that’s been spoofed. The cheek of it!

What’s worse, they’re stealing the scammers’ hard-earned cryptocurrencies. Jesus wept. Not!

Specifically, Trojanized installers for the TOR anonymity browser are being used to target users in Russia and Eastern Europe with clipper malware designed to syphon cryptocurrencies. And it’s been going on since September of last year!

It’s not immediately clear how the installers are distributed, but evidence points to the use of torrent downloads or some unknown third-party source.

We apologise to innocent parties affected by this but it’s hard not to laugh at the hacker community cannibalising its own. #SorryNotSorry

MaaSsive ATTACK!

Before we get started, what the heck is a MaaS? Well, it stands for Malware-as-a-Service and refers to the unlawful lease of software and hardware from the dark web to carry out cyber attacks.

Earlier this month, the MacStealer malware was first discovered on online hacking forums. Indeed, the author of the malware advertised pre-built DMG payloads as a MaaS without panels or builders.

The post promoting the malware claims to include features for capturing data from Apple’s Safari browser and the Notes app. So much for ‘macs don’t get viruses’, eh?

The malware is designed to collect various types of data, including Microsoft Office files, images, archives, browser cookies, login information, and Python scripts.

It is capable of infecting systems running Catalina (10.15) up to the latest version of Ventura (13.2).

Furthermore, the post asserts that the malware can compromise various cryptocurrency wallets, such as:

  • Coinomi
  • Exodus
  • MetaMask
  • Phantom
  • Tron
  • Martian Wallet
  • Trust wallet (ironically)
  • Keplr
  • Binance

To our law-abiding dark web dwellers and crypto traders, stay safe and don’t be phisherman’s friends. Geddit?

To those on the other side of the law, in the words of Joaquin Phoenix’s Joker:


Peace out, peeps!

So long and thanks for reading all the phish!

Recent articles