3CX

A digitally signed and trojanized version of the 3CX Voice Over Internet Protocol (VOIP) desktop client is reportedly being used to target the company’s customers in an ongoing supply chain attack.

3CX is a VoIP IPBX software development company whose 3CX Phone System is used by more than 600,000 companies worldwide and has over 12 million daily users.

The company's customer list includes a long list of high-profile companies and organizations like American Express, Coca-Cola, McDonald's, BMW, Honda, Air France, Toyota, Mercedes-Benz, IKEA, and the UK's National Health Service (who published an alert on Thursday).

According to alerts from security researchers from Sophos and CrowdStrike, the attackers are targeting both Windows and macOS users of the compromised 3CX softphone app.

"The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity," CrowdStrike's threat intel team said.

"The most common post-exploitation activity observed to date is the spawning of an interactive command shell," Sophos added in an advisory issued via its Managed Detection and Response service.

While CrowdStrike suspects a North Korean state-backed hacking group it tracks as Labyrinth Chollima is behind this attack, Sophos' researchers say they "cannot verify this attribution with high confidence."

Labyrinth Chollima activity is known to overlap with other threat actors tracked as Lazarus Group by Kaspersky, Covellite by Dragos, UNC4034 by Mandiant, Zinc by Microsoft, and Nickel Academy by Secureworks.

"CrowdStrike has an in-depth analytic process when it comes to naming conventions of adversaries," the company told BleepingComputer via email.

"LABYRINTH CHOLLIMA is a subset of what has been described as Lazarus Group, which includes other DPRK-nexus adversaries, including SILENT CHOLLIMA and STARDUST CHOLLIMA."

SmoothOperator software supply chain attack

SentinelOne and Sophos also revealed in reports published Thursday evening that the trojanized 3CX desktop app is being downloaded in a supply chain attack.

This supply chain attack, dubbed 'SmoothOperator' by SentinelOne, starts when the MSI installer is downloaded from 3CX's website or an update is pushed to an already installed desktop application.

Update process installing the malicious files (Sophos)

When the MSI or update is installed, it will extract malicious ffmpeg.dll [VirusTotal] and the d3dcompiler_47.dll [VirusTotal] DLL files, which are used to perform the next stage of the attack.

While Sophos states that the 3CXDesktopApp.exe executable is not malicious, the malicious ffmpeg.dll DLL will be sideloaded and used to extract and decrypt an encrypted payload from d3dcompiler_47.dll.

This decrypted shellcode from d3dcompiler_47.dll will be executed to download icon files hosted on GitHub that contain Base64 encoded strings appended to the end of the images, as shown below.

Base64 strings embedded in ICO files (BleepingComputer)

The GitHub repository where these icons are stored shows that the first icon was uploaded on December 7th, 2022.

SentinelOne says the malware uses these Base64 strings to download a final payload to the compromised devices, a previously unknown information-stealing malware downloaded as a DLL.

This new malware is capable of harvesting system info and stealing data and stored credentials from Chrome, Edge, Brave, and Firefox user profiles.

"At this time, we cannot confirm that the Mac installer is similarly trojanized. Our ongoing investigation includes additional applications like the Chrome extension that could also be used to stage attacks," SentinelOne said.

"The threat actor has registered a sprawling set of infrastructure starting as early as February 2022, but we don’t yet see obvious connections to existing threat clusters."

Data targeted in SmoothOperator supply chain attack (SentinelOne)

Tagged as malicious by security software

CrowdStrike says that the trojanized version of 3CX's desktop client will connect to one of the following attacker-controlled domains:


Some of the domains mentioned by customers that the desktop client attempted to connect to include azureonlinestorage[.]com, msstorageboxes[.]com, and msstorageazure[.]com.

BleepingComputer tested an allegedly trojanized version of the software but was not able to trigger any connections to these domains.

However, multiple customers in 3CX's forums have stated that they have been receiving alerts starting one week ago, on March 22, saying that the VoIP client app was marked as malicious by SentinelOne, CrowdStrike, ESET, Palo Alto Networks, and SonicWall security software.

Customers report that the security alerts are triggered after installing the 3CXDesktopApp 18.12.407 and 18.12.416 Windows versions or the 18.11.1213 and the latest version on Macs. In a later statement, 3CX confirmed that the 18.11.1213, 18.12.402, 18.12.407 & 18.12.416 versions of the Mac client were infected.

One of the trojanized 3CX softphone client samples shared by CrowdStrike was digitally signed over three weeks ago, on March 3, 2023, with a legitimate 3CX Ltd certificate issued by Sectigo and timestamped by DigiCert.

BleepingComputer confirmed this same certificate was used in older versions of 3CX software.

Signed 3CX VoIP client app (BleepingComputer)

SentinelOne detects "penetration framework or shellcode" while analyzing the 3CXDesktopApp.exe binary, ESET tags it as a "Win64/Agent.CFM" trojan, Sophos as "Troj/Loader-AF", and CrowdStrike's Falcon OverWatch managed threat hunting service warns users to investigate their systems for malicious activity "urgently."

Even though 3CX's support team members tagged it as a potential SentinelOne false positive in one of the forum threads filled with customer reports on Wednesday, the company has yet to acknowledge the issue publicly.

A 3CX spokesperson didn't reply to a request for comment when BleepingComputer reached out earlier today.

3CX confirms software is compromised

3CX CEO Nick Galea confirmed Thursday morning in a forum post that the 3CX Desktop application was compromised to include malware. As a result, Galea is recommending all customers uninstall the desktop app and switch to the PWA client instead.

"As many of you have noticed the 3CX DesktopApp has malware in it. It affects the Windows Electron client for customers running update 7. It was reported to us yesterday night and we are working on an update to the DesktopApp which we will release in the coming hours," Galea shared in the 3CX forums.

"The best way to go about this is to uninstall the app (if you are running Windows Defender, it's going to do this automatically for you unfortunately) and then install it again."

"We are going to analyze and issue a full report later on today. Right now we are just focusing on the update."

In a blog post about the incident, 3CX CISO Pierre Jourdan states that its desktop apps were compromised due to an upstream library.

"The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT," explains Jourdan in the blog post.

"We’re still researching the matter to be able to provide a more in depth response later today. Here’s some information on what we’ve done so far."

However, 3CX has yet to share what library they are referring to and whether it led to their developer environment becoming compromised.

BleepingComputer has reached out to 3CX with further questions about the incident.

Update 3/29/23 9:31 PM ET: Updated to add further information from Sophos.
Update 3/30/23 09:33 AM ET: Added statement from 3CX.

Update 3/30/23 06:04 PM ET: MITRE has also assigned the CVE-2023-29059 identifier to the supply chain attack and linked it to the CWE-506 weakness described as 'Embedded Malicious Code.'
Update 3/31/23 02:05 AM ET: Corrected certificate signing details.
