
3CX appears to be the victim of an active supply chain attack: multiple cybersecurity vendors have raised the alarm about digitally signed but trojanized installers of the popular voice and video conferencing software being used to target downstream customers. After the warnings were raised, 3CX said it was working on a software update for the desktop app.
Researchers at SentinelOne said, “The trojanized 3CX desktop app pulls an ICO file with Base64 data appended from GitHub and is the first stage in a multi-stage attack chain that ultimately leads to a third-stage infostealer DLL.”
The cybersecurity firm is tracking the activity under the name SmoothOperator and said the threat actor registered a large-scale attack infrastructure as far back as February 2022.
3CX, the company behind 3CXDesktopApp, claims to have over 600,000 customers and 12 million users in 190 countries, including well-known names such as American Express, BMW, Honda, Ikea, Pepsi and Toyota.
The 3CX PBX client is available for multiple platforms, but Sophos, citing telemetry data, pointed out that the attacks observed so far have been limited to the Windows Electron client of the PBX Phone System.
In a nutshell, the infection chain uses DLL sideloading to load a malicious DLL (ffmpeg.dll) from the application's own directory, so the rogue library runs inside the signed 3CX process and is used to retrieve the icon file (ICO) payload. The GitHub repository hosting the files has since been taken down.
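The ICO files described above carry their payload as Base64 text appended after the legitimate icon data. The check below, added here as an example and not code from the original article or from any of the vendors it cites, parses the ICO directory to find where the last image's bytes end and treats anything after that as a trailer, then tests whether the trailer is well-formed Base64. The sample icon and the appended payload are constructed placeholders; the real appended data, and what it decodes to, are not reproduced here.

```python
import base64
import binascii
import struct

# ICONDIR: reserved (0), type (1 = icon), image count; then one 16-byte
# ICONDIRENTRY per image: w, h, colors, reserved, planes, bpp, size, offset.
ICO_HEADER = struct.Struct("<HHH")
ICO_DIR_ENTRY = struct.Struct("<BBBBHHII")


def ico_payload_end(data: bytes) -> int:
    """Offset just past the last image's bytes, as declared by the directory."""
    if len(data) < ICO_HEADER.size:
        raise ValueError("too short to be an ICO")
    reserved, kind, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an ICO header")
    end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size
    for i in range(count):
        off = ICO_HEADER.size + i * ICO_DIR_ENTRY.size
        *_, size, offset = ICO_DIR_ENTRY.unpack_from(data, off)
        if offset + size > len(data):
            raise ValueError("directory entry points past end of file")
        end = max(end, offset + size)
    return end


def decode_appended_base64(trailer: bytes):
    """Decoded bytes if the trailer is strictly valid Base64, otherwise None."""
    stripped = trailer.strip()
    if not stripped:
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_ico(data: bytes) -> dict:
    """Report trailing bytes after the icon data and any Base64 they decode to."""
    trailer = data[ico_payload_end(data):]
    return {"trailer_len": len(trailer), "decoded": decode_appended_base64(trailer)}


def build_ico(image_data: bytes) -> bytes:
    """Constructed single-image ICO wrapper around opaque image bytes (test data)."""
    offset = ICO_HEADER.size + ICO_DIR_ENTRY.size
    header = ICO_HEADER.pack(0, 1, 1)
    entry = ICO_DIR_ENTRY.pack(1, 1, 0, 0, 1, 32, len(image_data), offset)
    return header + entry + image_data


# Constructed samples: a clean icon, and the same icon with a placeholder
# Base64 string appended the way the trojanized ICO files carry their payload.
CLEAN_ICO = build_ico(b"\x00" * 48)
PLACEHOLDER_PAYLOAD = b"constructed placeholder payload"
TROJANIZED_ICO = CLEAN_ICO + base64.b64encode(PLACEHOLDER_PAYLOAD)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICO), ("appended", TROJANIZED_ICO)):
        print(name, scan_ico(blob))
```

A benign icon can legitimately carry a few trailing bytes, so the useful signal is a trailer that is both non-trivial in length and strictly decodable as Base64; anything flagged should be compared against the icon shipped in a known-good build rather than treated as proof on its own.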

The infostealer is capable of gathering system information and sensitive data stored in the Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers.
Cybersecurity company CrowdStrike said it suspects a North Korean nation-state actor it tracks as Labyrinth Chollima (aka Nickel Academy), a sub-cluster within the notorious Lazarus Group, is behind the attack.
CrowdStrike added, “Malicious activity includes beaconing to attacker-controlled infrastructure, deploying second-stage payloads, and, in a few cases, keyboard-driven activity.”
In a forum post, 3CX CEO Nick Galea said the company is in the process of issuing a new build in the next few hours, and that the Android and iOS versions are not affected. “Unfortunately, this was caused by an upstream library that we use that was infected,” Galea said, without elaborating.
In the meantime, the company is urging customers to uninstall and reinstall the app, or use the PWA client instead.