Information on Attacks Involving 3CX Desktop App
Note: This is a developing story and will be updated as needed.
In late March 2023, security researchers revealed that threat actors had abused popular business communication software from 3CX; in particular, the reports state that a compromised version of the 3CX VoIP (Voice over Internet Protocol) desktop client was being used to target 3CX’s customers as part of an attack.
On its forums, 3CX has posted an update that recommends uninstalling the desktop app and using the Progressive Web App (PWA) client instead. The company also mentioned that they are working on an update to the desktop app.
Meanwhile, the GitHub page used for staging the attack (raw.githubusercontent[.]com/IconStorages/images/main/) had been taken down at the time of writing. Note that the malicious process exits when the page is inaccessible.
The 3CX app is a private automatic branch exchange (PABX) software that provides several communication functions for its users, including video conferencing, live chat, and call management. The app is available on most major operating systems, including Windows, macOS, and Linux. Additionally, the client is available as a mobile application for both Android and iOS devices, while a Chrome extension and the PWA version of the client allow users to access the software through their browsers.
According to the company’s website, more than 600,000 businesses and over 12 million daily users around the world use 3CX’s VoIP IP PBX software.
How does the attack work?
The attack is reportedly a multi-stage chain in which the initial step involves a compromised version of the 3CX desktop app. Based on initial analysis, the MSI installer package appears to be the compromised component, likely carrying trojanized DLLs, since the .exe file itself keeps the same name.
The infection chain begins with 3CXDesktopApp.exe loading ffmpeg.dll. Next, ffmpeg.dll reads and decrypts encrypted code stored in d3dcompiler_47.dll. The decrypted code appears to be the backdoor payload, which tries to reach the IconStorages GitHub page to retrieve an .ico file containing the encrypted address of the command-and-control (C&C) server; the backdoor then connects to that server to retrieve the possible final payload.
As part of its attack routine, it contacts the servers noted in the list of indicators of compromise (IOCs) at the end of this blog entry.
It seems that the final stage has information-stealing functionality. The malware can extract system information and steal both data and stored login credentials from user profiles of the Chrome, Edge, Brave, and Firefox web browsers.
What is its potential impact?
Because the software is widely used and central to an organization’s communication system, threat actors could cause major damage to businesses that use it, for example by monitoring or rerouting both internal and external communication.
What can organizations do about it?
Organizations that are potentially affected should stop using the vulnerable version where possible and apply patches or mitigation workarounds as they become available. IT and security teams should also scan for confirmed compromised binaries and builds and monitor 3CX processes for anomalous behavior, with a particular focus on command-and-control (C&C) traffic.
Meanwhile, enabling behavioral monitoring in security products can help detect the attack’s presence on a system.
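As an added example (not code from 3CX or from this entry), the following script shows one way to turn the load chain described above and the monitoring advice in this section into a detection: it correlates per-process telemetry and alerts only when a 3CXDesktopApp.exe process that loaded ffmpeg.dll and d3dcompiler_47.dll also requests a path under the IconStorages staging location. The event schema and the sample log lines are constructed for the example, and the .ico file name is a placeholder; the clean app ships the same two DLLs, so the DLL loads alone are deliberately not treated as an indicator.

```python
import json
from collections import defaultdict

# Staging location named in the advisory (defanged there as raw.githubusercontent[.]com).
STAGING_HOST = "raw.githubusercontent.com"
STAGING_PATH = "/IconStorages/images/main/"
# DLLs the advisory places in the load chain of 3CXDesktopApp.exe. The legitimate app
# ships them too, so a load on its own is not an indicator; the network step is the tell.
CHAIN_DLLS = {"ffmpeg.dll", "d3dcompiler_47.dll"}

# Constructed sample telemetry (not real logs), one JSON object per line, using a
# hypothetical schema: event = "load" (image load) or "net" (HTTP request by that pid).
# pid 1001 is a clean client, pid 4242 shows the full chain, pid 7777 is unrelated.
SAMPLE_LOG = r"""
{"event":"load","pid":1001,"image":"C:\\Program Files\\3CXDesktopApp\\3CXDesktopApp.exe","loaded":"C:\\Program Files\\3CXDesktopApp\\ffmpeg.dll"}
{"event":"load","pid":1001,"image":"C:\\Program Files\\3CXDesktopApp\\3CXDesktopApp.exe","loaded":"C:\\Program Files\\3CXDesktopApp\\d3dcompiler_47.dll"}
{"event":"load","pid":4242,"image":"C:\\Program Files\\3CXDesktopApp\\3CXDesktopApp.exe","loaded":"C:\\Program Files\\3CXDesktopApp\\ffmpeg.dll"}
{"event":"load","pid":4242,"image":"C:\\Program Files\\3CXDesktopApp\\3CXDesktopApp.exe","loaded":"C:\\Program Files\\3CXDesktopApp\\d3dcompiler_47.dll"}
{"event":"net","pid":4242,"image":"C:\\Program Files\\3CXDesktopApp\\3CXDesktopApp.exe","host":"raw.githubusercontent.com","path":"/IconStorages/images/main/PLACEHOLDER.ico"}
{"event":"net","pid":7777,"image":"C:\\Program Files\\Git\\git.exe","host":"raw.githubusercontent.com","path":"/ExampleOrg/example-repo/main/README.md"}
"""


def basename(path):
    """File name component of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_chain(lines):
    """Return one alert per 3CXDesktopApp.exe process that loaded both chain DLLs
    and then requested a path under the staging location."""
    loads, requests = defaultdict(set), defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if basename(ev["image"]) != "3cxdesktopapp.exe":
            continue  # only the 3CX client process is in scope for this rule
        if ev["event"] == "load":
            loads[ev["pid"]].add(basename(ev["loaded"]))
        elif (ev["event"] == "net" and ev["host"].lower() == STAGING_HOST
              and ev["path"].startswith(STAGING_PATH)):
            requests[ev["pid"]].append(ev["path"])
    # Alert only when the staging request comes from a process that loaded both DLLs.
    return [{"pid": pid, "staging_paths": paths}
            for pid, paths in requests.items() if CHAIN_DLLS <= loads[pid]]


if __name__ == "__main__":
    print(json.dumps(find_chain(SAMPLE_LOG.splitlines()), indent=2))
```

On real telemetry the same correlation applies to whatever source records image loads and per-process HTTP requests (EDR or a proxy joined to endpoint data); this rule is a starting point for hunting, not a replacement for checking binaries against confirmed-compromised builds.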
Indicators of Compromise (IOCs)