Supply Chain Attack Compromises 3CXDesktopApp

A recent compromise has caused trojanized versions of the 3CXDesktopApp executable to be distributed on 3CX’s website as well as pushed through updates. The malicious version of the 3CX application is used to sideload malicious .DLL files. These .DLL files will eventually stage an information stealing malware that can harvest system information as well as credentials stored within the user’s browser. The stolen credentials can be used to access a user’s accounts and harvest sensitive data. In this threat advisory, we will discuss the technical details, exposure, and risks associated with this malware, and provide recommendations to limit its impact.

What is the Threat?

The trojanized version of 3CXDesktopApp is installed via the MSI installer hosted on 3CX’s website or when an update is installed from an existing installation. The trojan will then extract a malicious version of ffmpeg.dll and d3dcompiler_47.dll, which will be used to download icon files from GitHub containing a Base64 payload. The Base64 strings are then decoded to download an information stealing malware. This malware gathers system information and browser information including browser history and stored credentials from Chrome, Edge, Firefox, and Brave.

Why is it Noteworthy?

3CX is a business communications platform that is used globally. With the trojan being present in signed binaries hosted on the official 3CX website and being pushed through updates, this malware has the potential to be both widespread and difficult to detect. The malware is suspected to be related to the North Korean threat actor Labyrinth Chollima, however there is no definitive evidence of this yet.

What is the Exposure or Risk?

If the user’s login credentials are stored within the browser, this malware has the potential to gain access to many of the user’s accounts, including personal information and proprietary company information. The accounts can also be used to stage phishing attacks on users not affected by the initial attack.

What are the Recommendations?

To limit the impact of the 3CX malware, we recommend the following actions:

1. Ensure endpoint protection is installed and active on all your endpoints. SentinelOne and CrowdStrike have both been shown to effectively mitigate this malware.

2. If 3CX has been added as an exclusion in your endpoint protection, remove the exclusion. Exclusions can reduce the monitoring level of processes and potentially cause the threat to be missed.

3. Regularly remind users not to store login credentials in their browsers. This can reduce the impact of malware that steals stored browser credentials.

Conclusion

The compromise of 3CXDesktopApp is a significant threat to businesses globally due to the software’s widespread use and the potential for stolen credentials to access sensitive data. As with any malware, it is important to take proactive steps to mitigate the risk of infection. By following the recommendations above, you can help to limit the impact of this malware and protect your organization from potential breaches.

References

For more in-depth information about the recommendations, please visit the following links:

• https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/

• https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/

• https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/

• https://www.3cx.com/company/