3CX said it's working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that's using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers.
"The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage infostealer DLL," SentinelOne researchers said.
The cybersecurity firm is tracking the activity under the name SmoothOperator, stating the threat actor registered a massive attack infrastructure as far back as February 2022. There are indications that the attack may have commenced around March 22, 2023.
3CX, the company behind 3CXDesktopApp, claims to have more than 600,000 customers and 12 million users in 190 countries, some of which include well-known names like American Express, BMW, Honda, Ikea, Pepsi, and Toyota, among others.
While the 3CX PBX client is available for multiple platforms, telemetry data shows that the attacks observed so far are confined to the Windows Electron client (versions 18.12.407 and 18.12.416) and macOS versions of the PBX phone system.
The infection chain, in a nutshell, takes advantage of the DLL side-loading technique to load a rogue DLL (ffmpeg.dll) that's designed to retrieve an icon file (ICO) payload. The GitHub repository hosting the file has since been taken down.
The final payload is an information stealer capable of gathering system information and sensitive data stored in Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers.
The macOS sample (a 381 MB file), according to security researcher Patrick Wardle, carries a valid signature and is notarized by Apple, meaning it can be run without the operating system blocking it.
The malicious app, similar to the Windows counterpart, includes a Mach-O binary named libffmpeg.dylib that's designed to reach out to an external server "pbxsources[.]com" to download and execute a file named UpdateAgent. The server is currently offline.
Huntress reported that there are 242,519 publicly exposed 3CX phone management systems. Broadcom-owned Symantec, in its own advisory, said "the information gathered by this malware presumably allowed the attackers to gauge if the victim was a candidate for further compromise."
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
"Due to its widespread use and its importance in an organization's communication system, threat actors can cause major damage (for example, by monitoring or rerouting both internal and external communication) to businesses that use this software," Trend Micro said.
Cybersecurity firm CrowdStrike said it's attributing the attack with high confidence to a North Korean nation-state actor it tracks as Labyrinth Chollima (aka Nickel Academy), a sub-cluster within the notorious Lazarus Group.
"The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity," CrowdStrike added.
In a forum post, 3CX's CEO Nick Galea said it's in the process of issuing a new build over the next few hours, and noted that Android and iOS versions are not impacted. "Unfortunately this happened because of an upstream library we use became infected," Galea said, without specifying more details.
As a workaround, the company is urging its customers to uninstall the app and install it again, or alternatively use the PWA client.
3CX, in a follow-up update, said the "issue appears to be one of the bundled libraries that we compiled into the Windows Electron app via git" and that it's further investigating the matter.
(This is a developing story and has been updated with new information about the macOS infection chain.)