ThreatLocker
Allowlisting permits only explicitly approved applications and DLLs to run. By default, ThreatLocker blocked the malicious DLLs that were downloaded because they were not included in the allowlist for 3CX.
In addition to Allowlisting, ThreatLocker was able to use Ringfencing to limit the current 3CX application so that it did not have access to more than it required. The ThreatLocker Ringfencing solution stopped the application from reading or writing files and blocked its access to the internet, except for domain(s) located in the 3CX web console. With Ringfencing in place, the 3CX application is prevented from reaching out and downloading the ICONICSTEALER malware.