Analysts at CrowdStrike and SentinelOne have discovered unexpected malicious activity in a signed version of the 3CX VoIP desktop app. It appears to be a supply chain attack: the trojanized 3CX application itself is now being used to attack millions of the company’s customers.
3CX is a developer of VoIP solutions whose 3CX Phone System is used by more than 600,000 companies worldwide, with more than 12,000,000 daily users. The company’s client list includes such giants as American Express, Coca-Cola, McDonald’s, BMW, Honda, Air France, NHS, Toyota, Mercedes-Benz, IKEA and Holiday Inn.
According to information security experts, attackers are targeting users of the compromised softphone on both Windows and macOS.
“Malicious activity includes the implantation of a ‘beacon’ that communicates with the infrastructure of the attackers, the deployment of a second stage payload, and, in a small number of cases, ‘manual’ activity [of hackers],” CrowdStrike says.
Sophos specialists add that after exploitation, attackers mainly create interactive command shells in the victim’s systems.
While CrowdStrike analysts suspect the North Korean hack group Labyrinth Chollima is behind the attack, Sophos researchers say they “can’t establish an attribution with a reasonable degree of certainty.”
The activity of Labyrinth Chollima usually overlaps with that of groups tracked by other vendors under different names: Lazarus Group (Kaspersky Lab), Covellite (Dragos), UNC4034 (Mandiant), Zinc (Microsoft) and Nickel Academy (Secureworks).
SentinelOne has named the supply chain attack SmoothOperator. The company writes that the attack starts when the MSI installer is downloaded from the 3CX website, or when an update is downloaded for an already installed desktop application.
When the MSI or the update is installed, the malicious DLL files ffmpeg.dll and d3dcompiler_47.dll are extracted; these are used for the next stage of the attack. Although Sophos says that the executable 3CXDesktopApp.exe itself is not malicious, it loads the malicious ffmpeg.dll, which is used to extract the encrypted payload from d3dcompiler_47.dll and execute it.
After that, the malware will download icon files hosted on GitHub, which contain base64 encoded strings added to the end of the image files, as shown in the example below.
The GitHub repository that holds these icons shows that the first file was uploaded on December 7, 2022.
The mentioned base64 strings are used to deliver the final payload to the compromised devices. The final payload is a previously unknown information stealing malware loaded as a DLL. This malware is capable of collecting system information, as well as stealing saved logins and passwords from profiles in Chrome, Edge, Brave and Firefox browsers.
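The loader stage described above hides its next payload as base64 text appended after the end of an icon file. The following scanner is an added example (not code from the article, 3CX or any of the vendors quoted): it parses the PNG or ICO structure to find where the legitimate image ends, and reports any base64-decodable data trailing after that point. The sample files are constructed inline; the `_png` and `_ico` helpers and the marker text are assumptions for the demo.

```python
import base64
import re
import struct
from typing import Optional

B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def image_end(data: bytes) -> int:
    """Offset where the image structure ends (PNG: after IEND; ICO: last entry), or -1."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        pos = 8
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 12 + length  # 4 length + 4 type + data + 4 CRC
            if ctype == b"IEND":
                return pos
        return -1
    if data[:4] == b"\x00\x00\x01\x00":  # ICO header: reserved=0, type=1
        count = struct.unpack("<H", data[4:6])[0]
        end = 6 + 16 * count  # directory size
        for i in range(count):
            size, offset = struct.unpack("<II", data[14 + 16 * i:22 + 16 * i])
            end = max(end, offset + size)
        return end
    return -1

def trailing_payload(data: bytes) -> Optional[bytes]:
    """Decoded base64 appendix found after the image structure, or None if clean."""
    end = image_end(data)
    if end < 0 or end >= len(data):
        return None
    tail = data[end:].strip()
    if len(tail) < 16 or not B64_RE.match(tail):
        return None
    try:
        return base64.b64decode(tail, validate=True)
    except ValueError:
        return None

def _png(appendix: bytes = b"") -> bytes:
    """Constructed 1x1 PNG skeleton (CRCs are zeros; the scanner does not check them)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    body = b"\x89PNG\r\n\x1a\n"
    for ctype, cdata in ((b"IHDR", ihdr), (b"IEND", b"")):
        body += struct.pack(">I", len(cdata)) + ctype + cdata + b"\0\0\0\0"
    return body + appendix

def _ico(appendix: bytes = b"") -> bytes:
    """Constructed single-entry ICO with 40 placeholder bitmap bytes at offset 22."""
    img = b"\x00" * 40
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(img), 22)
    return b"\x00\x00\x01\x00\x01\x00" + entry + img + appendix

MARKER = base64.b64encode(b"constructed stage-3 marker")  # stands in for the real appendix
```

Run over a directory of icons, anything that returns a non-None payload deserves a closer look; a few trailing bytes of padding are ignored by the length and base64 checks.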
“We are currently unable to confirm that the Mac installer is trojanized. Our current investigation includes additional applications, including a Chrome extension, that can also be used for attacks,” the experts write. “The attackers have built up a vast infrastructure since February 2022, but we don’t yet see obvious links to known threat clusters.”
CrowdStrike reports that the malicious version of the 3CX client connects to one of a set of attacker-controlled domains, most of which imitate Akamai, Microsoft, Azure, Office and PBX-related hostnames; the full list was published by CrowdStrike.
A number of customers on the 3CX forums have stated that as early as March 22, 2023, a week before the vendor reports, they received alerts that their 3CX client application was flagged as malware by SentinelOne, CrowdStrike, ESET, Palo Alto Networks and SonicWall security products. Warnings appeared after installing 3CXDesktopApp versions 18.12.407 and 18.12.416 for Windows, and version 18.11.1213 for Mac.
At the same time, one of the infected 3CX softphone images obtained by CrowdStrike analysts was digitally signed more than three weeks ago (March 3, 2023) and carries a legitimate 3CX Ltd certificate issued by DigiCert.
Representatives of 3CX have not yet commented on what is happening. At the same time, until recently, the company assured customers who complained about warnings from antivirus products that these were most likely just false positives.