Malware Analysis Possible Supply Chain on Ooma

Sandbox Breaker

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
520
One of my clients had an edr alerts from Ooma Office. After investigation we believe it's a part of an early Supply Chain attack. The process was Dormant until after 5pm business hours when it started spawning lolbins and doing discovery actions.

Vt says 2 engines. Their main installer is signed but the omma office.exe process isn't. Certificate chain issue with the file also. Very low file prevelance and defender flags it with two detections. I'm thinking there may be some hidden shell code in it. This reminds me of the 3cx VoIP hack. ea649ee7430b61db82c8f23470f27f956baf88a245f159af96ea49159c2656e6 | Triage
1000020387.png
1000020391.png
1000020390.png
 
  • Like
Reactions: Nevi, simmerskool, vtqhtr413 and 1 other person
Xeno1234

Xeno1234

Level 14
Jun 12, 2023
684
I put this into a few sandboxes to see if there any any detections. All come out fully clean and dont appear to show the file doing anything at all. Sophos Intelix says the code execution cannot continue for "omma office.exe" as its missing ffmpeg.dll. Not saying its not malicious, just is possibly broken on some systems, sandbox evasive, or extremely evasive in general.

In Kaspersky Opentip, "omma office.exe", it shows strings that look like this. Seems encrypted or something of that matter to me.
1701485670862.png

1701485384188.png
 
Last edited:
Sandbox Breaker

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
520
Xeno1234 said:
I put this into a few sandboxes to see if there any any detections. All come out fully clean and dont appear to show the file doing anything at all. Sophos Intelix says the code execution cannot continue for "omma office.exe" as its missing ffmpeg.dll. Not saying its not malicious, just is possibly broken on some systems, sandbox evasive, or extremely evasive in general.

In Kaspersky Opentip, "omma office.exe", it shows strings that look like this. Seems encrypted or something of that matter to me.
View attachment 279968
View attachment 279967
Click to expand...
Yeah I'll be speaking to the devs. To many suspicious indicators. There is circumstacial and technical evidence that this isn't normal.
 
  • Like
Reactions: Nevi and simmerskool
Xeno1234

Xeno1234

Level 14
Jun 12, 2023
684
Sandbox Breaker said:
Yeah I'll be speaking to the devs. To many suspicious indicators. There is circumstacial and technical evidence that this isn't normal.
Click to expand...
Yep. Those string’s definitely aren’t normal for a legitimate file. Defender also flagging it probably doesn’t help its case either. Kaspersky said this file has around 100 users and it’s trust level is unknown.
 

Similar threads

Gandalf_The_Grey
    • +Reputation
    • Like
Hackers compromise 3CX desktop app in a supply chain attack
Replies
1
Views
2,023
News Archive
vtqhtr413
vtqhtr413
Sandbox Breaker
    • Like
    • Applause
AWS SSM Agent can be used as a RAT
Replies
0
Views
1,426
News Archive
Sandbox Breaker
Sandbox Breaker
Trident
    • Like
    • +Reputation
    • Hundred Points
Serious Discussion Harmony Endpoint by Check Point
Replies
685
Views
58,994
Other security for Windows, Mac, Linux
simmerskool
simmerskool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top