Threat Summary
The 3CX DesktopApp is voice and video conferencing software developed by 3CX and is widely deployed, with an estimated 600,000 companies using it. Attackers potentially linked to North Korea trojanized the app's installers for several recent versions so that they deliver additional information-stealing malware to the victim's computer. The affected Windows versions are 18.12.407 and 18.12.416; the affected Mac versions run from 18.11.1213 to the latest package available at the time of writing. The compromised installers contain a clean copy of the application alongside malicious DLLs; the application sideloads those DLLs, which decrypt and execute shellcode and a third DLL, and that third DLL retrieves the final information-stealing payload that collects data and transmits it to the attackers. Because details of the campaign are still unfolding, organisations running 3CX DesktopApp should assume their installer may be compromised, identify affected installs and prepare to respond.
Threat Synopsis - 3CX VoIP Supply Chain Attack
The 3CX DesktopApp, a commonly used desktop client for voice and video calling, has been trojanized by attackers suspected of having links to North Korea. The attackers altered the installers for recent Windows and Mac versions of the software and used them to deliver malware capable of stealing information from victims' computers. The gathered data lets the attackers decide whether a victim is a candidate for further compromise. Researchers note that the method used in this attack is reminiscent of the SolarWinds supply chain attack that affected thousands of organisations.
The attack compromised the installer files for two Windows versions (18.12.407 and 18.12.416) and the Mac versions from 18.11.1213 to the latest available at publication. The MSI installer drops the malicious DLL files, which extract an encrypted payload and execute it. More specifically, the otherwise clean application shipped in the package sideloads a malicious DLL named ffmpeg.dll, which installs the information-stealing malware. ffmpeg.dll contains code that reads and decrypts an encrypted payload stored in a second DLL, d3dcompiler_47.dll, and executes it. The decrypted blob contains shellcode and a third DLL. That third DLL was observed to sleep for a week before calling out to its command-and-control infrastructure: it attempts to download ICO files from hxxps://raw.githubusercontent[].com/IconStorages/images/main/icon%d.ico (where %d is an index). These ICO files contain Base64-encoded strings that the first-stage malware decodes to locate and download the final payload, a previously unknown information-stealing DLL, onto the compromised device. The stealer collects system information and stored browsing data and credentials from Chrome, Edge, Brave and Firefox user profiles.
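The ICO-based retrieval described above is the stage a responder can examine most directly, since a legitimate icon file has no data after its last image. The following Python is an added example, not code from the original advisory or from 3CX: it parses the ICO directory to find where the image data ends, treats any trailing bytes as a candidate Base64 string and decodes them strictly, and it also checks an installed version string against the affected versions listed in this advisory. It assumes the encoded strings sit after the image data (an assumption of this example, not something the page states), and the sample ICO and the decoded placeholder string are constructed here for illustration; real samples may need further decoding beyond Base64.

```python
import base64
import binascii
import struct
from typing import Optional, Tuple

# Affected versions as listed in this advisory. Windows: two exact builds.
# Mac: every build from 18.11.1213 up to the latest package at publication,
# so the Mac check is open-ended until a clean build is confirmed.
AFFECTED_WINDOWS = {"18.12.407", "18.12.416"}
MAC_FIRST_AFFECTED = (18, 11, 1213)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '18.12.407' into (18, 12, 407) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected_version(platform: str, version: str) -> bool:
    """Return True if this platform/version pair is listed as trojanized."""
    if platform == "windows":
        return version.strip() in AFFECTED_WINDOWS
    if platform == "mac":
        return parse_version(version) >= MAC_FIRST_AFFECTED
    raise ValueError(f"unknown platform: {platform!r}")


# ICO layout: a 6-byte header (reserved=0, type=1, image count) followed by
# 16-byte directory entries, each giving the size and file offset of one image.
ICO_HEADER = struct.Struct("<HHH")
ICO_ENTRY = struct.Struct("<BBBBHHII")


def ico_image_end(data: bytes) -> int:
    """Offset just past the last byte referenced by the ICO directory."""
    if len(data) < ICO_HEADER.size:
        raise ValueError("file too short to be an ICO")
    reserved, kind, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an ICO header")
    end = ICO_HEADER.size + count * ICO_ENTRY.size
    if len(data) < end:
        raise ValueError("ICO directory truncated")
    for i in range(count):
        entry_off = ICO_HEADER.size + i * ICO_ENTRY.size
        *_, size, offset = ICO_ENTRY.unpack_from(data, entry_off)
        if offset + size > len(data):
            raise ValueError("directory entry points past end of file")
        end = max(end, offset + size)
    return end


def extract_ico_trailer(data: bytes) -> bytes:
    """Bytes after the last image; a well-formed ICO has none."""
    return data[ico_image_end(data):]


def decode_trailer(trailer: bytes) -> Optional[str]:
    """Strictly Base64-decode the trailer; None if empty or not valid Base64/UTF-8."""
    payload = trailer.strip()
    if not payload:
        return None
    try:
        return base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def build_sample_ico(trailer: bytes) -> bytes:
    """Constructed 1x1 ICO with placeholder image bytes and an appended trailer."""
    image = bytes(40)  # placeholder image payload, not a real bitmap
    offset = ICO_HEADER.size + ICO_ENTRY.size
    header = ICO_HEADER.pack(0, 1, 1)
    entry = ICO_ENTRY.pack(1, 1, 0, 0, 1, 32, len(image), offset)
    return header + entry + image + trailer


# Constructed sample: a placeholder string, Base64-encoded and appended to the icon.
SAMPLE_STRING = "hxxps://example.invalid/stage2"
SAMPLE_ICO = build_sample_ico(base64.b64encode(SAMPLE_STRING.encode()))

if __name__ == "__main__":
    print("windows 18.12.407 affected:", is_affected_version("windows", "18.12.407"))
    print("mac 18.12.416 affected:", is_affected_version("mac", "18.12.416"))
    print("image data ends at byte", ico_image_end(SAMPLE_ICO))
    print("trailer decodes to:", decode_trailer(extract_ico_trailer(SAMPLE_ICO)))
```

Point extract_ico_trailer at any icon pulled from a suspect host or proxy log; a non-empty trailer on a file served as an image is worth escalating regardless of whether the strict Base64 decode succeeds.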