Download Ffmpeg.dll Teams


Dibe Naro

May 10, 2024, 3:26:44 AM
to reiclusotad

It's now a single-instance msteams.exe process. This may look like a departure from the multi-process architecture of Electron, but of course, WV2 still runs a bunch of its own msedgewebview2.exe processes. No surprise here, as it's still a customized version of Chromium under the hood.

Is this pool of WV2 Chromium processes shared across other WV2 instances? I don't think so, but let's ask the WV2 team directly.

It's hard to tell if they just use pure WebRTC API inside WebView2, or do some custom video processing on the client, but I haven't spotted any FFmpeg-like DLLs or anything that might look like custom codecs (the Electron-based version of Teams does bundle ffmpeg.dll, although it might just be a part of Electron runtime).

download ffmpeg.dll teams

Download Zip ☆☆☆☆☆ https://t.co/o05YZgTAnl

Errors related to ffmpeg.dll can arise for a few different reasons. For instance, a faulty application; ffmpeg.dll having been deleted or misplaced, or corrupted by malicious software present on your PC; or a damaged Windows registry.

In the vast majority of cases, the solution is to properly reinstall ffmpeg.dll on your PC, to the Windows system folder. Alternatively, some programs, notably PC games, require that the DLL file is placed in the game/application installation folder.

After reinstalling Office the Microsoft Teams desktop client was missing. When I tried to download and install it I got stuck on the error that ffmpeg.dll was missing. With some research I found an easy way to fix this issue.

23:00 UTC 01-April-23, adding Troj/Steal-DLG to Detection Protections/Static detection, two more queries customers may use to determine their exposure to the attack, new analysis of an emergent line of inquiry concerning a timestamp mechanism in the malicious code, and information on analysis of other Electron-built apps using ffmpeg.dll

23:30 UTC 30-March-23, adding detail on affected versions, misuse of ffmpeg.dll, removal of malicious repository, comparison of PE shellcode loader to that used by Lazarus threat group, more queries customers may use to determine their exposure to the attack, and various additional detections

We have also blocked the list of known C2 domains associated with the threat and will continue to add to that list in the IOC file on our GitHub, as noted above. Finally, the two malicious versions of the ffmpeg.dll bundled in the affected 3CX application are flagged by their hashes as being of low reputation.

The infection chain begins with 3CXDesktopApp.exe loading ffmpeg.dll (detected as Trojan.Win64.DEEFFACE.A and Trojan.Win64.DEEFFACE.SMA). Next, ffmpeg.dll reads and decrypts the encrypted code from d3dcompiler_47.dll (detected as Trojan.Win64.DEEFFACE.A and Trojan.Win64.DEEFFACE.SMD3D).

Upon execution of 3CXDesktopApp.exe, ffmpeg.dll, which seems to be a trojanized or patched DLL, will be loaded. It will still contain its normal functionalities, but it will have an added malicious function that reads d3dcompiler_47.dll to locate an encrypted shellcode after the FE ED FA CE hex strings.

Organisations that are potentially affected should stop using the vulnerable version if possible and apply the patches or mitigation workarounds if these are available. IT and security teams should also scan for confirmed compromised binaries and builds and monitor for anomalous behaviour in 3CX processes, with a particular focus on C&C traffic.

The installer for Windows would extract the legitimate 3CXDesktopApp.exe (fully functional), but also the malicious libraries ffmpeg.dll and d3dcompiler_47.dll. When the application is executed, it uses a technique called DLL sideloading (read our DLL sideloading explainer) to load the malicious ffmpeg.dll library in memory.

ffmpeg.dll library decrypts the payload from the d3dcompiler_47.dll library and executes it as a shellcode. Malware is suspended for 1-4 weeks as a detection evasion technique, after this period it will try to download a .ico file from the domain githubusercontent[.]com (no longer available) and extract from it an address of a command & control (C2) server. This domain hosted multiple icon files, each associated with a different C2 domain.

Actively monitor the infrastructure for potential exploitation attempts and respond accordingly. We strongly recommend implementing detection and response capabilities to detect any suspicious activity on the network and minimize the dwell time of adversaries. Bitdefender GravityZone XDR sensors detect suspicious activity and alert security teams to lateral movement attempts or the establishment of an external connection by the threat actor. This technology can be augmented by good security operations, either in-house or through a managed service like Bitdefender MDR.

The Detection Engineering and ATI teams continue to analyze the campaign and malware; however, our current hypothesis is the campaign was in the early, information gathering stage when identified, with the threat group setting up for future malicious activity including extortion and leveraging collected credentials from browsers.

Our teams are continuing to analyze and reverse engineer both the attack chain as well as the malicious shellcode, and currently, the extent of the attack includes three stages of loading to deploy an infostealer.

For the last 60-90 days I receive an error when my Windows 10 computer boots or when I login. RingCentral.exe - System Error "The code execution cannot proceed because ffmpeg.dll was not found. Reinstalling the program may fix this problem." I have uninstalled and reinstalled the latest RingCentral app several times. I've researched the ffmpeg.dll file and found that it can error with Microsoft's Teams program, which I use. But, I don't have any errors associated with Teams, just RingCentral. Any ideas?

The infection process begins with 3CXDesktopApp launching and running its update executable. Update.exe is then responsible for pulling the first malicious payload, ffmpeg.dll. The ffmpeg.dll library will then acquire the d3dcompiler_47.dll (Figure 1).

The ffmpeg.dll is a normal component of the 3CXDesktopApp containing functions related to audio visual processing. It is a library that is used by several different software pieces such as Skype, Teams, WhatsApp, and Discord. A great tool for comparing different instances of what appears to be the same file is PE Tree, developed by Tom Bonner and released by BlackBerry. The immediate comparison between the benign instance of ffmpeg.dll (Figure 2) and the uncovered malicious sample (Figure 3) does not show anything immediately alarming.

When looking through the number of sections, the malicious instance of the file only had 10 sections versus the 11 that the benign contained. In addition, the malicious instance contained no checksum information and only the benign instance of ffmpeg.dll was signed by 3CX. Normally, the DllMain function of ffmpeg.dll would match the image in Figure 5.

Analysis of this function shows reference to the d3dcompiler_47.dll (Figure 7), which is located alongside ffmpeg.dll. While signed with an out-of-date certificate (Figure 8), ffmpeg.dll contains the secondary payload.

The 3CXDesktopApp installer MSI appears to contain malicious code which waits seven days post-installation before downloading additional files from GitHub and communicating with malicious command-and-control domains. The client application writes ffmpeg.dll and d3dcompiler_47.dll to disk, the latter of which contains a payload we refer to as SUDDENICON. Both libraries in our sampling appear to have been backdoored. It should be noted that ffmpeg.dll and d3dcompiler_47.dll are both legitimate file names and rules should not be created on them alone.

The ffmpeg.dll binary extracts SUDDENICON from d3dcompiler_47.dll by seeking the FEEDFACE byte sequence and decrypting using a static RC4 key (3jB(2bsG#@c7). The resulting payload is then loaded in memory as the second-stage payload. A shellcode stub prepended to the payload used to map it into memory shares similarities with APPLEJEUS loader stubs, which have been associated with DPRK. Upon successfully executing, this shellcode stub writes a new file (manifest) to disk with a timestamp 7 days in the future, used to implement a timer after which the malware connects to the C2 infrastructure.

The 3CX download available on the official public website had included malware. Installations already deployed will update, and ultimately pull down this malware that includes a backdoored DLL file, ffmpeg.dll and an anomalous d3dcompiler_47.dll.

This backdoored ffmpeg.dll primarily acts as loader for the d3dcompiler_47.dll file.

Right from the DLL entrypoint, it eventually enters a new function (that we have renamed mw_main_function for our reverse engineering purposes) --

After retrieving d3dcompiler_47.dll, the ffmpeg.dll binary locates and unravels this secondary payload by decrypting an RC4 stream with the key 3jB(2bsG#@c7. According to other threat intelligence, this static key is known to be attributed to DPRK threat actors.
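The static indicators quoted above (a trojanized ffmpeg.dll with 10 sections instead of the benign build's 11, no checksum information, and a sidecar d3dcompiler_47.dll carrying an encrypted blob after an FE ED FA CE marker) can be turned into a quick offline triage check. The script below is an added example and is not code from this post or from any of the vendors it quotes. It parses the PE headers by hand (no third-party module), reports each indicator as a separate flag because, as the post itself notes, none of them is conclusive alone, and builds a constructed minimal PE64 stub purely so the check can be exercised without real samples; the known-good section count (11) is taken from the post, everything else is an assumption of the example.

```python
import struct

# FE ED FA CE: the marker the post says precedes the encrypted blob in the
# sidecar d3dcompiler_47.dll.
FEEDFACE = bytes.fromhex("FEEDFACE")


def parse_pe_header(data: bytes) -> dict:
    """Return NumberOfSections and the optional-header CheckSum of a PE image.

    Raises ValueError if the buffer lacks a sane MZ/PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER starts here
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B) or size_opt < 68:
        raise ValueError("unsupported optional header")
    # CheckSum sits at offset 64 of the optional header for both PE32 and PE32+.
    checksum = struct.unpack_from("<I", data, opt + 64)[0]
    return {"num_sections": num_sections, "checksum": checksum,
            "pe32plus": magic == 0x20B}


def find_marker(data: bytes, marker: bytes = FEEDFACE) -> int:
    """Offset of the first occurrence of the marker, or -1 if it is absent."""
    return data.find(marker)


def triage(dll: bytes, sidecar: bytes, expected_sections: int) -> list:
    """Collect static red flags for a DLL and its sidecar.

    Each flag is weak on its own (legitimate builds can lack a checksum, and
    the file names are legitimate), so all of them are reported together.
    """
    flags = []
    hdr = parse_pe_header(dll)
    if hdr["num_sections"] != expected_sections:
        flags.append(f"section count {hdr['num_sections']} != known-good "
                     f"{expected_sections}")
    if hdr["checksum"] == 0:
        flags.append("optional-header CheckSum is zero")
    off = find_marker(sidecar)
    if off >= 0:
        flags.append(f"FEEDFACE marker in sidecar at offset {off:#x}")
    return flags


def build_minimal_pe(num_sections: int, checksum: int) -> bytes:
    """Constructed PE64 stub for offline testing only; not a real ffmpeg.dll."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=AMD64, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=240, Characteristics=DLL|EXEC|LARGEADDR
    coff = struct.pack("<HHIIIHH", 0x8664, num_sections, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<I", opt, 64, checksum)    # CheckSum field
    sections = b"\0" * (40 * num_sections)       # empty section table
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    # Constructed samples: a "benign" stub mirroring the post's 11-section,
    # checksummed build, and a "suspect" stub mirroring the 10-section,
    # unchecksummed one with a marker-bearing sidecar.
    benign_dll = build_minimal_pe(11, 0x1234)
    suspect_dll = build_minimal_pe(10, 0)
    clean_sidecar = b"\0" * 64
    marked_sidecar = b"junk" + FEEDFACE + b"<encrypted blob would follow>"
    print("benign :", triage(benign_dll, clean_sidecar, 11))
    print("suspect:", triage(suspect_dll, marked_sidecar, 11))
```

On real files, feed `triage()` the bytes of the ffmpeg.dll under review and of the d3dcompiler_47.dll sitting beside it, with `expected_sections` taken from a known-good copy of the same application version; a non-empty flag list is a prompt to pull hashes and check the code signature, not a verdict by itself.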
