
Enterprise communications software maker 3CX confirmed Thursday that multiple versions of its desktop apps for Windows and macOS were affected by a supply chain attack.
Affected version numbers include 18.12.407 and 18.12.416 for Windows, and 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 for macOS.
The company said it has engaged Google-owned Mandiant to investigate the incident. In the meantime, customers running self-hosted and on-premise versions of the software are encouraged to update to version 18.12.422.
“3CX Hosted and StartUP users don’t need to update their servers as they update automatically overnight,” 3CX CEO Nick Galea said in a post Thursday. “The server will be rebooted and the new Electron app MSI/DMG will be installed on the server.”
The evidence available so far points either to a compromise of the 3CX build pipeline that produces and distributes the Windows and macOS app packages, or to poisoning of an upstream dependency. The scale of the attack is currently unknown.
According to a 3CX forum post, the first potentially malicious activity was detected around March 22, 2023, but preparations for the campaign are believed to have begun by February 2022.
According to 3CX, the first alert last week of a possible security issue in the app was treated as a “false positive” because none of VirusTotal’s antivirus engines classified it as suspicious or malware.
The Windows version of the attack leveraged a technique known as DLL sideloading: the legitimate application loaded a malicious library named ‘ffmpeg.dll’, which was designed to read encrypted shellcode from a second DLL, ‘d3dcompiler_47.dll’, decrypt it, and execute it.

The shellcode then contacted a GitHub repository and retrieved an ICO file containing the URL from which the final-stage payload was downloaded. That payload is an information stealer (tracked as ICONIC Stealer or SUDDENICON) that collects system information and sensitive data stored in web browsers.
Karlo Zanki, security researcher at ReversingLabs, said:
“The target in question, 3CXDesktopApp, is built on the Electron open source framework. Both of the libraries in question are typically shipped with the Electron runtime, so they are rarely suspected in customer environments.”
[Image: SUDDENICON downloading a new executable]
Similarly, the macOS attack chain bypassed Apple’s notarization checks and downloaded an unknown payload from a command and control (C2) server that is currently not responding.
“The macOS version does not use GitHub to retrieve its C2 server,” said Volexity, which is tracking the activity as UTA0040. “Instead, a list of C2 servers is stored in a file encoded with a 1-byte XOR key, 0x7A.”
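Both retrieval mechanisms described above, the ICO file carrying a URL in the Windows chain and the single-byte-XOR-encoded C2 list in the macOS chain, can be triaged with a few lines of code. The script below is an added example, not code from 3CX, ReversingLabs or Volexity, and it assumes two things: that the Windows chain stores its URL in bytes appended after the image data of an otherwise well-formed ICO file (the exact encoding of the real samples' appended blob is not reproduced here), and that the macOS C2 list is a file whose every byte is XORed with 0x7A, as Volexity stated. The sample ICO and XOR blob are constructed inline for the demonstration; the `.invalid` hostnames are placeholders, not real indicators.

```python
"""Triage helpers for the two payload-retrieval tricks described above.

Added example (not 3CX/ReversingLabs/Volexity code). Assumptions:
  * Windows chain: a URL hides in bytes appended after the image data of
    an otherwise valid ICO (real samples' blob encoding not reproduced).
  * macOS chain: the C2 list is a file XORed byte-for-byte with 0x7A.
All sample inputs below are constructed for the demo.
"""
import re
import struct

ICO_HEADER = struct.Struct("<HHH")           # reserved, type (1 = icon), image count
ICO_DIR_ENTRY = struct.Struct("<BBBBHHII")   # w, h, colors, reserved, planes, bpp, size, offset

URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_/:%?=&]+")


def ico_trailing_data(data: bytes) -> bytes:
    """Return any bytes stored after the last image of an ICO file.

    A well-formed ICO ends where its last image ends; anything beyond that
    point is appended data and a reason to look closer.
    """
    if len(data) < ICO_HEADER.size:
        raise ValueError("too short to be an ICO")
    reserved, ico_type, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or ico_type != 1 or count == 0:
        raise ValueError("not an ICO header")
    end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size
    for i in range(count):
        entry_off = ICO_HEADER.size + i * ICO_DIR_ENTRY.size
        *_, size, offset = ICO_DIR_ENTRY.unpack_from(data, entry_off)
        if offset + size > len(data):
            raise ValueError("directory entry points past end of file")
        end = max(end, offset + size)
    return data[end:]


def xor_decode(blob: bytes, key: int = 0x7A) -> bytes:
    """Undo a single-byte XOR; 0x7A is the key reported for the macOS C2 list."""
    return bytes(b ^ key for b in blob)


def extract_urls(buf: bytes) -> list[str]:
    """Pull printable http(s) URLs out of an arbitrary byte buffer."""
    return [m.decode("ascii", "replace") for m in URL_RE.findall(buf)]


def triage_ico(data: bytes) -> list[str]:
    """URLs found in the bytes appended to an ICO file."""
    return extract_urls(ico_trailing_data(data))


def triage_c2_list(blob: bytes) -> list[str]:
    """URLs found in a 0x7A-XOR-encoded C2 list."""
    return extract_urls(xor_decode(blob))


# ---- constructed samples ---------------------------------------------------

def build_sample_ico(appended: bytes) -> bytes:
    """A minimal one-image ICO (image bytes faked) with `appended` glued on."""
    image = b"\x00" * 40                                   # stand-in for BMP/PNG bytes
    offset = ICO_HEADER.size + ICO_DIR_ENTRY.size          # image follows the directory
    header = ICO_HEADER.pack(0, 1, 1)
    entry = ICO_DIR_ENTRY.pack(1, 1, 0, 0, 1, 32, len(image), offset)
    return header + entry + image + appended


SAMPLE_ICO = build_sample_ico(b"https://payload.example.invalid/stage3.bin")
# XOR is its own inverse, so encoding the plaintext list gives a test blob.
SAMPLE_C2_BLOB = xor_decode(
    b"https://c2-one.example.invalid\nhttps://c2-two.example.invalid\n"
)


if __name__ == "__main__":
    print("ICO trailing URLs:", triage_ico(SAMPLE_ICO))
    print("macOS C2 list    :", triage_c2_list(SAMPLE_C2_BLOB))
```

The ICO check relies only on the file format: the header and directory say exactly how long the icon data should be, so any surplus bytes stand out without knowing anything about the payload. Run it against a clean icon and `ico_trailing_data` returns an empty buffer; run it against a file that looks like an icon but is longer than its directory accounts for and whatever was hidden comes back for closer inspection.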
Cybersecurity firm CrowdStrike, in its own advisory, confidently attributed the attack to Labyrinth Chollima, aka Nickel Academy, a state-sponsored actor aligned with North Korea.
“This campaign, which targets many organizations across a wide range of industries with no apparent pattern, is attributed to Labyrinth Chollima based on observed network infrastructure uniquely associated with the adversary, similar installation techniques, and reused RC4 keys,” Adam Meyers, CrowdStrike’s senior vice president of intelligence, told The Hacker News.
“The trojanized 3CX application invokes a variant of ArcfeedLoader, malware specific to Labyrinth Chollima.”
Labyrinth Chollima is a subset of the Lazarus Group, alongside Silent Chollima (aka Andariel or Nickel Hyatt) and Stardust Chollima (aka BlueNoroff or Nickel Gladstone), according to the Texas-based company.
The group “has been active since at least 2009 and typically targets cryptocurrencies and financial institutions to generate revenue,” Meyers said, adding that it “likely belongs to the 121st Division of North Korea’s Reconnaissance General Bureau (RGB) and is primarily engaged in espionage and revenue-generating schemes.”
