Trojanized versions of the 3CX desktop app (VOIP) are being used in an ongoing supply chain attack.
Working with other researchers in the industry, WithSecure Threat Intelligence ascertained that it is almost certain that later versions of 3CX's desktop VOIP application were compromised by an actor prior to the build process, resulting in poisoned, yet trusted, installer files being pushed to customers.
The attack impacts the 3CX VOIP desktop application and affects organizations all over the world. WithSecure Intelligence researchers have observed affected organizations in several different countries, including but not limited to France, Germany, the Netherlands, the UK, and the US.
The attack has been ongoing since early February. According to telemetry analyzed by WithSecure Intelligence, a compromised version of the macOS-based installer was seen in early February 2023, while Windows-based installers were seen trending in mid-March 2023.
What WithSecure can do to help customers
Our various solutions can help mitigate and detect issues with the 3CX Desktop App security incident.
WithSecure™ Elements Endpoint Detection and Response and WithSecure™ Countercept Managed Detection and Response detect the trojanized versions of the application and the DLLs they subsequently load, and generate detections that the Security Administrator can act on.
EDR detections to look at:
• 3cx Malicious Module Loaded
• Malicious Module by ORSP
Use Event Search with the following queries:
"Loaded Module SHA-1" equals
WithSecure Endpoint Protection solutions can also detect activity related to this:
EPP detections to monitor:
Uninstall the following affected version of 3CX Desktop App
• '18.12.407' - Windows
• '18.12.416' - Windows
• '18.11.1213' - MAC
• '18.12.416' - MAC
WithSecure Endpoint Protection will flag and quarantine the malicious applications and DLLs. Upon detection, it is recommended that users uninstall the application manually.
Optional Patch Recommendation
WithSecure Intelligence researchers have analyzed the malicious DLLs and discovered that some of the files contain a modified signature blob value. This allows the modified DLL to appear as signed in Windows. The threat actors achieved this by exploiting the known vulnerability CVE-2013-3900.
In addition to the provided mitigation and remediation steps, it is recommended to install the optional patch available for this vulnerability:
Malicious DLLs sideloaded by 3CXDesktopApp.exe:
92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61, 3CX Desktop App
b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb, 3CX Desktop App
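For administrators without EDR Event Search available, the same two checks the advisory describes (the affected version list above and the malicious DLL hashes just listed) can be run locally. The following Python script is an added example, not WithSecure's or 3CX's code: it hashes files under a directory with SHA-256 (the digest type the advisory lists; the Event Search query above uses SHA-1) and compares them against the listed hashes, and it checks a reported 3CX Desktop App version string against the affected versions. The demo directory, file names and file contents in demo() are constructed for illustration; the only real indicators are the hashes and version numbers taken from the advisory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes of the malicious DLLs sideloaded by 3CXDesktopApp.exe, as listed in the advisory
KNOWN_BAD_SHA256 = {
    "92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61",
    "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb",
}

# Affected 3CX Desktop App versions from the advisory, keyed by platform
AFFECTED_VERSIONS = {
    "windows": {"18.12.407", "18.12.416"},
    "mac": {"18.11.1213", "18.12.416"},
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, streamed in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_affected_version(platform: str, version: str) -> bool:
    """True if the version string (with or without the advisory's quotes) is an affected build for the platform."""
    normalized = version.strip().strip("'\"")
    return normalized in AFFECTED_VERSIONS.get(platform.strip().lower(), set())


def scan_directory(root: str, bad_hashes=KNOWN_BAD_SHA256,
                   suffixes=(".dll", ".exe", ".dylib")) -> dict:
    """Walk root and return {path: sha256} for every file whose digest is in bad_hashes.

    Unreadable files are skipped rather than aborting the scan, so a locked file
    does not hide other matches.
    """
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(suffixes):
                continue
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(full)
            except OSError:
                continue
            if digest in bad_hashes:
                hits[full] = digest
    return hits


def demo() -> dict:
    """Constructed demonstration of the match and no-match paths.

    Builds a temporary directory with two invented files; the digest of one of them is
    added to a copy of the indicator set so the match path is exercised without needing
    a real malicious sample on disk. Returns {file name: digest} for the matches.
    """
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "sample_a.dll"      # constructed, not a real 3CX file
        benign.write_bytes(b"constructed benign content")
        planted = Path(tmp) / "sample_b.dll"     # constructed stand-in for a flagged file
        planted.write_bytes(b"constructed content standing in for a listed DLL")
        indicators = KNOWN_BAD_SHA256 | {sha256_of_file(str(planted))}
        hits = scan_directory(tmp, indicators)
        return {os.path.basename(p): d for p, d in hits.items()}


if __name__ == "__main__":
    print("affected Windows 18.12.407:", is_affected_version("Windows", "'18.12.407'"))
    print("demo matches:", demo())
```

Point scan_directory() at the 3CX Desktop App installation directory on a host to check it against the listed hashes; any hit should be treated as confirmation that the host ran a trojanized build and be handled with the uninstall and quarantine steps above.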
Malicious MACOS DLLs:
WHOIS records for related domains:
Related links (external):