Pierluigi Paganini
March 30, 2023
As of Mar 22, 2023, SentinelOne observed a spike in behavioral detections of the 3CXDesktopApp, which is a popular voice and video conferencing software product.
The products from multiple cybersecurity vendors started detecting the popular software as malware suggesting that the company has suffered a supply chain attack.
SentinelOne is tracking the malicious activity as SmoothOperator, the company speculates that the threat actor behind the attack has set up its infrastructure starting as early as February 2022.
The company started distributing digitally signed Trojanized installers to its customers
“The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from Github and ultimately leads to a 3rd stage infostealer DLL still being analyzed as of the time of writing.” reads the analysis published by SentinelOne.
“At this time, we cannot confirm that the Mac installer is similarly trojanized. Our ongoing investigation includes additional applications like the Chrome extension that could also be used to stage attacks.”
The impact of the attack could be devastating because the company claims that 3CX has 600,000 customer companies with 12 million daily users. The software is used by organizations in almost every industry, including automotive, food & beverage, hospitality, Managed Information Technology Service Provider (MSP), and manufacturing.
3CX confirmed that the problem only affects the Windows Electron client for customers running update 7, it is working on an update to the DesktopApp. The company recommends uninstalling the app and then installing it again.
“Unfortunately the rumors are true. Please uninstall the client. And we will have a new one in the next few hours via updates. The updating probably wont work because Windows Defender will flag it.” explained 3CX’s CEO Nick Galea. “Unfortunately this happened because of an upstream library we use became infected.”
The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain, the installers retrieve ICO files appended with base64 data from Github and ultimately leading to the deployment of 3rd stage information stealer. The info stealer collects system information and gathers browser information from Chrome, Edge, Brave, and Firefox browsers. The malware can gather querying browsing history and data from the Places table for Firefox-based browsers and the History table for Chrome-based browsers.
The popular researcher Patrick Wardle analyzed the macOS version of the installer and confirmed it is a trojanized version using a valid signature. The researchers discovered that the malicious libffmpeg.dylib downloads a second-state malware from a remote server and executes a file named UpdateAgent.
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
You can nominate yourself or your favourite blogger. We ask that you provide a brief paragraph of 250 words explaining why they should win.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, 3CX)
