3CX Desktop App users compromised in a supply chain attack
After several cybersecurity companies raised the alarm about what appears to be an ongoing supply chain attack using fraudulently installed versions of popular voice and video conferencing software that are digitally signed, 3CX announced that it is developing an update for its desktop app.
The first step in a multi-stage attack chain that pulls ICO files from GitHub appended with Base64 data and eventually leads to a third-stage infostealer DLL, according to SentinelOne researchers, is the trojanized 3CX desktop app.
A massive attack infrastructure was registered by the threat actor as far back as February 2022, according to the cybersecurity company that is monitoring the activity under the handle SmoothOperator.
The company that created the 3CXDesktopApp, 3CX, asserts to have more than 600,000 clients and 12 million users across 190 nations, including household brands like American Express, BMW, Honda, Ikea, Pepsi, and Toyota.
Although the 3CX PBX client is available for a variety of operating systems, Sophos pointed out that the attacks so far have only been detected on the Windows Electron client of the PBX phone system, citing telemetry data.
In a nutshell, the infection chain uses the DLL side-loading technique to load the malicious DLL ffmpeg.dll, which is intended to retrieve an icon file (ICO) payload. The file was previously deleted from the GitHub repository.
The information thief is able to access sensitive data stored in Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers as well as system information.
The notorious Lazarus Group sub-cluster Labyrinth Chollima (also known as Nickel Academy), which CrowdStrike tracks as a North Korean nation-state actor, is suspected of being behind the attack, according to the cybersecurity firm.
CrowdStrike stated, “The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a few rare instances, hands-on-keyboard activity.
The CEO of 3CX, Nick Galea, stated in a forum post that a new build will be released within the next few hours, noting that iOS and Android versions are unaffected. Galea said, without going into further detail, “Unfortunately this happened because an upstream library we use became infected.” In the interim, the company advises users to either use the PWA client or uninstall the app and reinstall it.