An ongoing supply chain attack allegedly uses a digitally signed and trojanized variant of the 3CX Voice Over Internet Protocol (VoIP) desktop client to target the company’s clients.
The 3CX Phone System engineered by the VoIP IPBX software development company 3CX is utilized daily by over 12 million users and over 600,000 companies, including high-profile organizations such as Coca-Cola, McDonald’s, BMW, Honda, Toyota, Mercedes-Benz, IKEA, American Express, and the UK’s National Health Service (who released an alert about the supply chain attack on Thursday)
Details on the Malware
According to cybersecurity researchers, the attackers are targeting Windows and macOS users of the compromised 3CX software app. The malicious activity recorded includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and hands-on keyboard activity.
According to a statement released by 3CX on its blog, the security issue has arisen on their Update 7 for Electron Windows App, version numbers 18.12.407 and 18.12.416, as well as on their Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407, and 18.12.416.
The most common post-exploitation activity observed by researchers so far is the presence of an infostealer that targets the browsers on a compromised system (Chrome, Edge, Brave, Firefox) to harvest system info and steal data and stored credentials.
How the Supply Chain Attack Works?
The supply chain attack starts when the MSI installer is downloaded from the 3CX website or an update is pushed to an already installed desktop application. When the update or the MSI is installed, it will start extracting malicious ffmpeg.ddl and the d3dcompier_47.dll files, used to trigger the next stage of the attack.
The malicious ffmpeg.ddl file will then be sideloaded and used to extract and decrypt an encrypted payload from d3dcomplier_47.dll. The shellcode decrypted from d3dcomplier_47.dll will be executed to download icon files hosted on GitHub (the first one was uploaded on December 7th, 2022) that contain Base64 encoded strings appended to the end of the images.
The Base64 strings are used by the malware to download a final payload to the compromised machines, an information-stealing malware downloaded as a DLL, previously unknown by researchers.
3CX’s CEO and CISO Address the Situation
3CX’s CEO, Nick Galea, addressed the issue in the company’s forums.
As many of you have noticed the 3CX DesktopApp has a malware in it. It affects the Windows Electron client for customers running update 7. It was reported to us yesterday night and we are working on an update to the DesktopApp which we will release in the coming hours.
Nick Galea, 3CX CEO (Source)
Galea recommended uninstalling the app (if you are running Windows Defender, its going to be uninstalled automatically) and using their PWA client (which is completely web-based and does 95% of what the Electron app does) instead until a new build is released.
Pierre Jourdan, 3CX’s CISO, announced that the domains contacted by the compromised library have already been reported and the majority of them have been taken down already. A GitHub repository has also been shut down, effectively rendering it harmless.
Jourdan also mentioned that the attack appears to have been targeted from an Advanced Persistent Threat, “perhaps even state-sponsored”.
3CX is working on a new Windows App that does not have the issue and they’ve also decided to issue a new certificate for the app.
3CX apologizes profusely for what occurred and is doing everything to make up for the error.
Heimdal®’s Threat Prevention Module Is Already Blocking the Vulnerability
Heimdal®’s solution can protect your company against this attack and similar vulnerabilities by using a layered approach, disrupting the connection. Heimdal®’s Threat Prevention module is already blocking the command and control (C2) access to DNS servers, so even the 3CX apps which may be vulnerable are not able to connect to complete the attack.
Heimdal®’s Threat Prevention Endpoint and Threat Prevention Network are the ultimate extra layers in any cybersecurity stack and can protect against all attacks that require DNS communication (which 91,3% of malware currently does).
Also, by using our Patch & Asset Management solution you can uninstall the application and block it from being installed if this is your preferred route.
Antivirus is no longer enough to keep an organization’s systems secure.
Heimdal® Threat Prevention
– Endpoint
Is our next gen proactive shield that stops unknown
threats before they reach your system.
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
- Protection against data leakage, APTs, ransomware and exploits;
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.
If you liked this post, you will enjoy our newsletter.
Get cybersecurity updates you’ll actually want to read directly in your inbox.
