3CX DesktopApp compromised by supply chain attack

3CX is working on a software update for its 3CX DesktopApp, after multiple security researchers alerted the company of an active supply chain attack in it. The update will be released in the next few hours; meanwhile the company urges customers to use its PWA (progressive web application) client instead. 

“As many of you have noticed the 3CX DesktopApp has a malware in it. It affects the Windows Electron client for customers running update 7,” Nick Galea, CEO at 3CX said in a security alert on Thursday. As an immediate response, the company advised users to uninstall and reinstall the app. 

3CX is a Voice Over Internet Protocol (VoIP) IPBX software development company. The 3CX DesktopApp allows users to make calls, chat, video conference, and check voicemail using their desktop. The company has over 600,000 customers and 12 million users in 190 countries. BMW, Honda, Ikea, Pepsi, and Toyota are some of its customers. 

Security researchers at Sophos, Crowdstrike, and SentinelOne alerted the company on Wednesday about the ongoing attack. 

Supply chain attacked

Researchers observed malicious activity originating from a trojanized version of the 3CX DesktopApp. “The software is a digitally signed version of the softphone desktop client for Windows and is packaged with a malicious payload,” Sophos said in its blog post. 

The application has been abused by the threat actor to add an installer that communicates with various command-and-control servers, Sophos said. 

The threat actor registered a massive attack infrastructure in February 2022, according to SentinelOne which is tracking the attack under the name SmoothOperator, adding, “but we don’t yet see obvious connections to existing threat clusters.” 

Researchers said it is a chain attack that in its first stage takes advantage of the DLL side-loading technique to load a malicious DLL that’s designed to retrieve an icon file payload. 

“The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from GitHub and ultimately leads to a 3rd stage infostealer DLL still being analyzed as of the time of writing,” SentinelOne said. 

Similarly, Crowdstrike, found that the malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity. 

Sophos notes that the DLL side loading is designed in such a way that the users will not realize any difference while using the application. 

The information stealer can gather system information and sensitive data stored in Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers. 

“PBX software makes an attractive supply chain target for actors; in addition to monitoring an organization’s communications, actors can modify call routing or broker connections into voice services from the outside,” SentinelOne said. 

Windows version infected

While versions of the application run on Windows, Linux, Android, and MacOS, the company and security researchers SentinelOne and Sophos agree that only the Windows version has been infected. Crowdstrike, on the other hand, claims that the MacOS version has also been infected. 

CrowdStrike also attributes the attack to nation-state threat actor Labyrinth Chollima. Labyrinth Chollima is a prolific North-Korean threat actor known to be a subset of Lazarus group.