3CX Supply Chain Attack ‘SmoothOperator’

Written by Anton Jörgensson, Eric Dodge & Yann Lehmann of the Kudelski Security Threat Detection & Research Team


Updated on April 5th. We may update later on, don’t hesitate to come back.


Summary

3CX is a VoIP IPBX software development company. Their 3CX Phone System is used by more than 600,000 companies worldwide and counts more than 10 million daily users.

3CX suffered a supply chain attack in which their 3CXDesktopApp was trojanized. This trojanized 3CXDesktopApp is the first stage of a multi-stage attack that ends with a late-stage information stealer being installed on the host. The compromised version of the app is signed with the certificate used in previous versions of the app.

Major EDR solution vendors are now preventing the trojanized application from running, and at the time of writing no new legitimate version of the application has been provided by 3CX.

The attack is suspected by CrowdStrike’s intelligence to originate from the threat actor dubbed LABYRINTH CHOLLIMA.

Affected Application

The provider confirmed that the affected versions are:

  • Electron Windows app shipped in Update 7, version numbers
    • 18.12.407
    • 18.12.416
  • Electron Mac App version numbers
    • 18.11.1213
    • 18.12.402
    • 18.12.407
    • 18.12.416

Attack Overview

An analysis of the attack and indicators of compromise have already been published by CrowdStrike, SentinelOne and Sophos. According to CrowdStrike, the malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.

The attack is a DLL sideloading scenario which intends to allow normal use of the 3CX desktop package without tipping victims off to suspicious activity. So far, MDR providers have identified three key components:

  • 3CXDesktopApp.exe, the trojanized loader
  • d3dcompiler_47.dll, a DLL with an encrypted payload attached
  • ffmpeg.dll, the malicious trojan loader.

The 3CXDesktopApp is used as a shellcode loader, with the code being run from within the heap space. That in turn leads to a DLL being loaded reflectively and called via the DllGetClassObject export, which begins the next stage, where icon files are retrieved from GitHub.

The ffmpeg.dll file contains a URL from which it retrieves a malicious .ico file with an embedded Base64 payload, another download for the final stage of deployment, the infostealer. The infostealer primarily targets system and browser information from common browsers, especially the Places and History tables. Most of the domains contacted by the compromised library to download the second-stage payload (the infostealer) have been taken down.

In common DLL side-loading scenarios, the malicious loader (ffmpeg.dll) would replace the clean dependency; its only function would be to queue the payload. However, in this case, this loader is fully functional, as it would normally be in the 3CX product. Instead, there is an additional payload inserted into the DllMain function.

Detection Guidance

First assess whether the compromised application is present in your environment. If it is not, you are not at risk from this supply chain attack.

If the compromised application is present in your environment, note that, due to the nature of the attack, this does not by itself mean that you are targeted. We have seen the application simply being updated to the compromised version as part of the normal update process, without any further action taken by the threat actor behind the attack.

We recommend uninstalling the application from the hosts until a new version of the app is available. If this is not possible, we recommend containing the host to mitigate the risk, in case your EDR / AV solution does not already block the application.

We also recommend checking for any network connections to the URL hxxps://github[.]com/IconStorages/images, which was used to deliver the information stealer, and for connections to raw[.]githubusercontent[.]com linked to the trojanized app.

Moreover, the references contain multiple IOCs that you can use to hunt for threats in your environment.

Finally, we recommend rotating secrets to reduce the risk that captured secrets are used, in case the infostealer was able to steal any.
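The following Python script is an added example, not part of the advisory and not Kudelski Security tooling. It combines the two triage steps above: it checks an asset inventory against the affected version list from the "Affected Application" section, and it hunts a proxy log for the delivery URLs named in the detection guidance. The inventory rows, the log format and the log lines are constructed sample data; the only indicators used are the affected version numbers, the github.com/IconStorages/images URL and the raw.githubusercontent.com host, exactly as the advisory lists them. One design choice is assumed rather than taken from the advisory: plain raw.githubusercontent.com traffic is common, so it is flagged only when the requesting host is itself running an affected build.

```python
"""
Triage helper for the 3CX 'SmoothOperator' advisory (added example).

1. Flag inventory hosts that run an affected 3CXDesktopApp build.
2. Hunt proxy log lines for the delivery URLs named in the advisory,
   correlating raw.githubusercontent.com hits with affected hosts.
"""
import re
from urllib.parse import urlsplit

# Affected versions exactly as listed in the advisory.
AFFECTED_VERSIONS = {
    "windows": {"18.12.407", "18.12.416"},
    "mac": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}

# Constructed asset inventory: (hostname, platform as reported, installed version).
INVENTORY = [
    ("ws-fin-01", "Windows", "18.12.416"),
    ("ws-fin-02", "Windows", "18.12.389"),   # not in the affected list
    ("mac-sales-07", "macOS", "18.12.402"),
    ("ws-it-05", "windows", "18.12.407"),
]

# Constructed proxy log: "timestamp host method url status", one request per line.
PROXY_LOG = """\
2023-03-29T10:12:03Z ws-fin-01 GET https://github.com/IconStorages/images/raw/main/icon1.ico 200
2023-03-29T10:12:04Z ws-fin-01 GET https://raw.githubusercontent.com/IconStorages/images/main/icon1.ico 200
2023-03-29T10:15:10Z ws-dev-03 GET https://raw.githubusercontent.com/some-org/some-repo/main/README.md 200
2023-03-29T10:16:44Z mac-sales-07 GET https://raw.githubusercontent.com/IconStorages/images/main/icon7.ico 200
2023-03-29T10:20:00Z ws-it-05 GET https://www.3cx.com/ 200
this line is malformed and must be skipped
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def normalize_platform(platform):
    """Map the spellings seen in inventories onto the two keys in AFFECTED_VERSIONS."""
    p = platform.strip().lower()
    if p.startswith("win"):
        return "windows"
    if p.startswith("mac") or p in ("darwin", "osx"):
        return "mac"
    return None  # unknown platform: cannot be matched, treated as not affected


def is_affected(platform, version):
    """True when (platform, version) is one of the advisory's affected builds."""
    key = normalize_platform(platform)
    return key is not None and version.strip() in AFFECTED_VERSIONS[key]


def hosts_to_contain(inventory):
    """Hostnames running an affected build, in inventory order."""
    return [host for host, platform, version in inventory if is_affected(platform, version)]


def hunt_proxy_log(log_text, inventory):
    """Return (host, url) pairs worth investigating.

    The IconStorages GitHub URL is flagged for any host. raw.githubusercontent.com
    is ordinary traffic, so it is flagged only when the requesting host is running
    an affected build (assumed correlation rule, not from the advisory).
    """
    affected_hosts = set(hosts_to_contain(inventory))
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the hunt
        host, url = m.group("host"), m.group("url")
        parsed = urlsplit(url)
        if parsed.hostname == "github.com" and parsed.path.startswith("/IconStorages/images"):
            hits.append((host, url))
        elif parsed.hostname == "raw.githubusercontent.com" and host in affected_hosts:
            hits.append((host, url))
    return hits


if __name__ == "__main__":
    for host in hosts_to_contain(INVENTORY):
        print(f"[contain] {host} runs an affected 3CXDesktopApp build")
    for host, url in hunt_proxy_log(PROXY_LOG, INVENTORY):
        print(f"[investigate] {host} -> {url}")
```

Run it as-is to see the constructed inventory and log triaged; in practice, replace INVENTORY with an export from your asset management or EDR console and PROXY_LOG with your proxy or DNS logs, and extend LOG_RE to match their format.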

Temporary mitigations

  • 3CX's recommendation is still to use the PWA application, although an updated version of the Electron client is now available
  • Contain affected assets if your EDR/AV solution does not already block the compromised application and the application cannot be uninstalled.

What the Cyber Fusion Center (CFC) is doing

  • The CFC is currently threat hunting across every client environment to assess the impact of the compromised 3CX application. If you are a CFC partner, you can see the details in your partner portal under the name "[HIGH] Active Intrusion Campaign Targeting 3CX Customers"
  • Our Incident Response team and the CFC are in direct contact with you if a compromised application has been observed in your environment
  • Our Detection Engineering team is currently pushing detection rules for your environment where applicable

Sources
