3CX said it’s working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that’s using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers.
“The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage infostealer DLL,” SentinelOne researchers said.
The cybersecurity firm is tracking the activity under the name SmoothOperator, stating the threat actor registered a massive attack infrastructure as far back as February 2022.
3CX, the company behind 3CXDesktopApp, claims to have more than 600,000 customers and 12 million users in 190 countries, some of which include well-known names like American Express, BMW, Honda, Ikea, Pepsi, and Toyota, among others.
While the 3CX PBX client is available for multiple platforms, telemetry data shows that the attacks observed so far are confined to the Windows Electron client (versions 18.12.407 and 18.12.416) and macOS versions of the PBX phone system.
The infection chain, in a nutshell, takes advantage of the DLL side-loading technique to load a rogue DLL (ffmpeg.dll) that’s designed to retrieve an icon file (ICO) payload. The GitHub repository hosting the file has since been taken down.
The final payload is an information stealer capable of gathering system information and sensitive data stored in Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers.
The macOS sample, according to security researcher Patrick Wardle, carries a valid signature and is notarized by Apple, meaning it can be run without the operating system blocking it.
The malicious app, similar to the Windows counterpart, includes a Mach-O binary named libffmpeg.dylib that’s designed to reach out to an external server pbxsources[.]com to download and execute a file named UpdateAgent. The server is currently offline.
Cybersecurity firm CrowdStrike said it suspects the attack to be linked to a North Korean nation-state actor it tracks as Labyrinth Chollima (aka Nickel Academy), a sub-cluster within the notorious Lazarus Group.
Discover the Hidden Dangers of Third-Party SaaS Apps
Are you aware of the risks associated with third-party app access to your company’s SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.
RESERVE YOUR SEAT
“The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity,” CrowdStrike added.
In a forum post, 3CX’s CEO Nick Galea said it’s in the process of issuing a new build over the next few hours, and noted that Android and iOS versions are not impacted. “Unfortunately this happened because of an upstream library we use became infected,” Galea said, without specifying more details.
As a workaround, the company is urging its customers to uninstall the app and install it again, or alternatively use the PWA client.
3CX, in a follow-up update, said the “issue appears to be one of the bundled libraries that we compiled into the Windows Electron app via git” and that it’s further investigating the matter.
(This is a developing story and has been updated with new information about the macOS infection chain.)
Leave a Reply