Executive Summary
Deepwatch is aware and responding to numerous outlets reporting a threat actor using an update of 3CXDesktopApp in a supply chain attack to infect victims with an unknown infostealer malware. 3CXDesktopApp is a voice and video conferencing call routing software developed by 3CX. Late on 30 March 2023, the CVE identifier CVE-2023-29059 was assigned due to 3CXDesktopApp containing malicious code.
According to Huntress, SentinelOne, and Trend Micro, the attack chain begins when an organization’s 3CXDesktopApp.exe is updated. This update causes Updater.exe to spawn and download a trojanized MSI package that contains a functional but backdoored ffmpeg.dll. This DLL sideloads d3dcompiler_47.dll, which reaches out to GitHub to download one of 16 ICO files with Base64 data appended to them, which contains an encoded command and control (C2) URL and an unknown infostealer. The final payload waits for seven days before communicating with the hardcoded C2 URL.
The C2 domains and GitHub repository was taken offline, preventing future exploitation of organizations who have not updated yet. However, it is unknown how many organizations downloaded the trojanized update. 3CX recommends organizations uninstall the desktop client for 3CX and encourages organizations to use their Progressive Web App (PWA) app instead.
Key Points
- 3CX Electron Windows App (3CXDesktopApp.exe) shipped in Update 7 contains malicious code that drops an unknown infostealer on organizations.
- Beginning 22 March 2023 SentinelOne began to see a spike in malicious activity associated with 3CXDesktopApp. Seven days later, CrowdStrike began observing malicious activity originating from 3CXDesktopApp.
- 3CX issued a security advisory where they state the issue appears to be one of the bundled libraries that 3CX compiled into the Windows Electron App.
- The C2 domains and GitHub repository were taken offline, preventing future exploitation of organizations who have not updated yet.
- Crowdstrike suspects nation-state involvement by the Democratic People’s Republic of Korea (DPRK) threat actor Labyrinth Chollima. However, no other outlet has corroborated this attribution.
- ATI analyzed our internal data sets for known observables and other indicators of compromise, and added indicators of compromise to our continuous monitoring platform. Any results will be thoroughly reviewed and investigated by ATI and any impacted customers notified.
Overview
Beginning on 22 March 2023, SentinelOne began to see a spike in malicious activity associated with 3CXDesktopApp. According to 3CX, their Electron Windows App versions 18.12.407 and 18.12.416 and Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 (shipped in Update 7), includes a security issue, which appears to be related to one of the bundled libraries that 3CX compiled into the Windows Electron App via GIT. 3CX is still researching the matter.
Seven days later on 29 March 2023, CrowdStrike began observing malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp. CrowdStrike Intelligence has assessed there is suspected nation-state involvement by the threat actor Labyrinth Chollima based on the beacon structure and an encryption key that match those observed in a campaign by Crowdstrike they attributed with high confidence to Labyrinth Chollim. However, Crowdstrike is the only outlet to make an attribution claim and SentinelOne and Sophos are unable to attribute this activity to any known threat activity clusters.
On 30 March 2023, 3CX published a security advisory where they state “this appears to have been a targeted attack from an Advanced Persistent Threat (APT), perhaps even state sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware. The vast majority of systems, although they had the files dormant, were in fact never infected.” According to the advisory, the issue appears to be one of the bundled libraries that 3CX compiled into the Windows Electron App via GIT and 3CX is still researching the matter.
According to a Shodan search there are over 243,000 publicly exposed 3CX phone management systems. The results show that a large number of organizations are using phone management products from 3CX.
The issue is now tracked as CVE-2023-29059, which was assigned due to the 3CX DesktopApp through 18.12.416 contains embedded malicious code. According to the CVE description, the issue affects versions 18.12.407 and 18.12.416 of the Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the Electron macOS application.
Attack Details
According to Huntress, SentinelOne, and Trend Micro, the attack chain is as follows:
- Organizations with 3CXDesktopApp.exe already deployed were updated beginning around 22 March 2023. This update caused Updater.exe to spawn, downloading an MSI package with trojanized updates.
- Updater.exe invokes the functional, but backdoored ffmpeg.dll, which sideloads d3dcompiler_47.dll, extracting a secondary payload.
- d3dcompiler_47.dll payload is decrypted and waits for 7 days before reaching out to GitHub (https://github[.]com/IconStorages/images) to download one of 16 .ico files.
- These ICO files have Base64 data appended at the end, which is decoded and used to download the final payload, a DLL, which appears to be a previously unknown infostealer, and a command and control URL.
Deepwatch Actions
Using the Threat Intel team’s analysis of open-source reporting, ATI first coordinated with Deepwatch’s Vulnerability Management team to identify existing customers running 3CX Electron Windows App in their environments. Then ATI performed retrospective searches of available process data in non-vulnerability management service customer environments to identify additional customers running 3CX Electron Windows App in their environments.
These actions provided ATI with a base set of data to search against, which ATI analyzed for known observables and other indicators of compromise. Additionally, ATI has added indicators of compromise to our continuous monitoring platform. Any results from these actions will be thoroughly reviewed and investigated by ATI and any impacted customers notified.
Analyst Comment
The GitHub repository was taken offline on 29 March 2023 which prevents future exploitation of organizations who have not updated yet. However, it is unknown how many organizations downloaded the trojanized update. Additionally, 3CX stated that the C2 URLs have been reported, with the majority taken down.
If 3CX confirms the issue is related to one of the bundled libraries that 3CX used and if other vendors used the same bundled library in their products, the total impact will likely be much wider than initially assessed. Additionally, it is unknown if the threat actors still have access to 3CX’s and potentially other vendors supply chain, which would allow them to trojanize future updates.
At this time, ATI can not confirm Crowdstrike’s “suspected” nation-state involvement by the North Korean based threat actor Labyrinth Chollima. No other outlets have not confirmed this attribution and further analysis is underway that will likely lead to a stronger attribution claim. However, according to Huntress, the ffmpeg.dll binary decrypts the secondary payload with a key that, according to other threat intelligence, is known to be attributed to DPRK threat actors.
Recommendations
3CX recommends organizations uninstall the desktop client for 3CX and encourages organizations to use their Progressive Web App (PWA) instead. 3CX is preparing a new release and an update to the 3CXDesktopApp will be available soon.
Organizations can run the following searches for running software matching “3CX” in your vulnerability management solution. Deepwatch Vulnerability Management Service customers have already received a list of affected assets.
- For Tenable Advanced Asset Search, navigate to Explore Overview > Assets – Installed Software is equal to cpe:/a:3cx:*.
- Tenable also released the following Plugin IDs:
- 173712 – 3CX DesktopApp Malware
- 173677 – 3CX Desktop App Installed (Windows)
- 173679 – 3CX Desktop App Installed (macOS)
- Tenable also released the following Plugin IDs:
- For Qualys, searches can be performed in VMDR or Asset View/Global Asset View – software.name:’3cx’.
Be On the Lookout (BOLO)
- Presence of “3CXDesktopApp” in process data that may be indicative of usage of compromised software.
- Shellcode injection alerts relating to “3CXDesktopApp.”
- DNS queries or web traffic or file activity matching the known IOCs listed below.
- 3CXDesktopApp.exe spawning rare/anomalous network connections (Sysmon or EDR).
Observables
GitHub repository hosting malicious ICO files (GitHub repository is no longer accessible):
raw.githubusercontent[.]com/IconStorages/images/main/
The following are the C2 domains decrypted from the ICO files that were hosted on GitHub:
akamaicontainer[.]com
akamaitechcloudservices[.]com
azuredeploystore[.]com
azureonlinecloud[.]com
azureonlinestorage[.]com
dunamistrd[.]com
glcloudservice[.]com
journalide[.]org
msedgepackageinfo[.]com
msstorageazure[.]com
msstorageboxes[.]com
officeaddons[.]com
officestoragebox[.]com
pbxcloudeservices[.]com
pbxphonenetwork[.]com
pbxsources[.]com
qwepoi123098[.]com
sbmsa[.]wiki
sourceslabs[.]com
visualstudiofactory[.]com
Zacharryblogs[.]com
Trojanized MSI Update Packages
File Name: 3cxdesktopapp-18.12.407.msi
SHA256: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
File Name: 3cxdesktopapp-18.12.416.msi
SHA256: 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983
Trojanized MSI Package Contents:
File Name: ffmpeg.dll signed by 3CX Ltd
SHA256: c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02
SHA256: 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
File Name: d3dcompiler_47.dll
SHA256: 11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03
Hash of one malicious ICO file:
File Name: icon13.ico
SHA256: 4e08e4ffc699e0a1de4a5225a0b4920933fbb9cf123cde33e1674fde6d61444f
Unknown Infostealer SHA-1 Hash as reported by SentinelOne:
SHA-1: cad1120d91b812acafef7175f949dd1b09c6c21a
Sources
3CX Security Alert
Crowdstrike: CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers
SentinelOne: SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack
Sophos: 3CX users under DLL-sideloading attack: What you need to know
Trend Micro: Developing Story: Information on Attacks Involving 3CX Desktop App
Rapid7: Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign
Huntress: 3CX VoIP Software Compromise & Supply Chain Threats
Shodan Search
Share