Context
On March 29, 2023, multiple cybersecurity firms began reporting that 3CXDesktopApp, a Voice over Internet Protocol (VoIP) Private Automatic Branch Exchange (PABX) enterprise call-routing application, had been compromised in a supply chain attack. Multiple investigations reported that an unknown threat actor trojanized the 3CXDesktopApp installers to deliver information-stealing malware. Multiple reports indicate that the attack targets Windows and macOS users of the application.
Attribution Note: VXUnderground publicly attributed the attack to the Lazarus Group, and CrowdStrike suspects a threat actor they track as Labyrinth Chollima, which overlaps with Lazarus activity, but this is as yet unconfirmed and most investigation reports into the incident do not currently list confident attribution.
Community Impact
3CX CEO Nick Galea confirmed Thursday morning in a forum post that the 3CX Desktop application was compromised to include malware, and is recommending that all customers uninstall the desktop app and switch to the PWA client instead.
According to SentinelOne researchers, 3CXDesktopApp has more than 600,000 customer companies and more than 12 million daily users.
Technical Details
SentinelOne indicated in their report that they began blocking campaign activity in the last week. Key takeaways from their technical analysis of the campaign include:
- The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files with base64 data appended from GitHub and ultimately leads to a third-stage infostealer DLL.
- The compromise includes a code-signing certificate used to sign the trojanized binaries.
- The threat actor has registered a sprawling set of infrastructure, starting as early as February 2022.
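SentinelOne describes the second stage as ICO files carrying base64 data appended after the image. A defender-side check for that pattern, added here as an example (not code from SentinelOne's report or from 3CX), parses the ICO directory, computes where the declared image data ends, and treats any bytes past that point as a suspicious trailer, additionally reporting whether the trailer decodes as strict base64. The sample icon and the appended data are constructed inline; `build_sample_ico`, `analyze_ico` and the other names are this example's own.

```python
import base64
import binascii
import struct

ICONDIR_SIZE = 6         # reserved(2) + type(2) + count(2)
ICONDIRENTRY_SIZE = 16   # one directory entry per embedded image


def ico_declared_end(data: bytes) -> int:
    """Offset just past the last image blob the ICO directory declares."""
    if len(data) < ICONDIR_SIZE:
        raise ValueError("too short for an ICO header")
    reserved, img_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or img_type != 1:
        raise ValueError("not an ICO (bad reserved/type fields)")
    end = ICONDIR_SIZE + count * ICONDIRENTRY_SIZE
    for i in range(count):
        entry_off = ICONDIR_SIZE + i * ICONDIRENTRY_SIZE
        # width, height, colors, reserved, planes, bitcount, bytes_in_res, image_offset
        _, _, _, _, _, _, size, offset = struct.unpack_from("<BBBBHHII", data, entry_off)
        end = max(end, offset + size)
    return end


def trailing_payload(data: bytes) -> bytes:
    """Bytes after the last declared image; a well-formed icon has none."""
    return data[ico_declared_end(data):]


def decode_appended_base64(trailer: bytes):
    """Strict base64 decode of the trailer (whitespace ignored); None if invalid."""
    compact = b"".join(trailer.split())
    if not compact:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def analyze_ico(data: bytes) -> dict:
    """Summarise how much data sits past the declared image and whether it is base64."""
    end = ico_declared_end(data)
    trailer = data[end:]
    decoded = decode_appended_base64(trailer)
    return {
        "declared_end": end,
        "file_size": len(data),
        "trailing_bytes": len(trailer),
        "base64_decoded_len": len(decoded) if decoded is not None else 0,
        "suspicious": len(trailer) > 0,
    }


def build_sample_ico(trailer: bytes = b"") -> bytes:
    """Constructed sample: a 1x1 32-bit icon with optional bytes appended."""
    # BITMAPINFOHEADER (40 bytes): size, width, height*2, planes, bpp, compression,
    # image size, x/y pixels-per-metre, colours used, colours important
    bih = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 8, 0, 0, 0, 0)
    pixels = b"\x00\x00\x00\xff"      # one BGRA pixel
    and_mask = b"\x00\x00\x00\x00"    # one padded AND-mask row
    image = bih + pixels + and_mask
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(image),
                        ICONDIR_SIZE + ICONDIRENTRY_SIZE)
    return header + entry + image + trailer


if __name__ == "__main__":
    print(analyze_ico(build_sample_ico()))
    print(analyze_ico(build_sample_ico(b"aGVsbG8=")))
```

The check is deliberately format-driven rather than signature-driven: an icon whose directory accounts for every byte has nothing to hide, while one with a sizeable trailer that decodes as base64 is worth pulling into a sandbox regardless of which GitHub repository served it.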
IOCs
SentinelOne and CrowdStrike researchers provided the following indicators of compromise (IOCs):
Indicator | Type | Notes |
--- | --- | --- |
github[.]com/IconStorages/images | URL | SentinelOne |
cliego.garcia@proton[.]me | Email | SentinelOne |
philip.je@proton[.]me | Email | SentinelOne |
cad1120d91b812acafef7175f94 | SHA-1 | SentinelOne |
bf939c9c261d27ee7bb92325cc | SHA-1 | SentinelOne |
20d554a80d759c50d6537dd7097 | SHA-1 | SentinelOne |
https://www.3cx[.]com/blog/ | URI | SentinelOne |
https://akamaitechcloudservices[.] | URI | SentinelOne |
https://azureonlinestorage[.]com/ | URI | SentinelOne |
https://msedgepackageinfo[.]com/ | URI | SentinelOne |
https://glcloudservice[.]com/v1/ | URI | SentinelOne |
https://pbxsources[.]com/exchange | URI | SentinelOne |
https://msstorageazure[.]com/ | URI | SentinelOne |
https://officestoragebox[.]com/api/ | URI | SentinelOne |
https://visualstudiofactory[.]com/ | URI | SentinelOne |
https://azuredeploystore[.]com/ | URI | SentinelOne |
https://msstorageboxes[.]com/office | URI | SentinelOne |
https://officeaddons[.]com/ | URI | SentinelOne |
https://sourceslabs[.]com/ | URI | SentinelOne |
https://zacharryblogs[.]com/feed | URI | SentinelOne |
https://pbxcloudeservices[.]com/ | URI | SentinelOne |
https://pbxphonenetwork[.]com/ | URI | SentinelOne |
https://msedgeupdate[.]net/ | URI | SentinelOne |
dde03348075512796241389dfea | SHA-256 | CrowdStrike |
fad482ded2e25ce9e1dd3d3ecc3 | SHA-256 | CrowdStrike |
92005051ae314d61074ed94a52 | SHA-256 | CrowdStrike |
b86c695822013483fa4e2dfdf712c5 | SHA-256 | CrowdStrike |
aa124a4b4df12b34e74ee7f6c683 | SHA-256 | CrowdStrike |
59e1edf4d82fae4978e97512b033 | SHA-256 | CrowdStrike |
5407cda7d3a75e7b1e030b1f3333 | SHA-256 | CrowdStrike |
e6bbc33815b9f20b0cf832d7401d | SHA-256 | CrowdStrike |
3cxdesktopapp-latest[.]dmg | File Name | CrowdStrike |
3cxdesktopapp-18[.]12[.]407[.]msi | File Name | CrowdStrike |
3cxdesktopapp-18[.]12[.]416[.]msi | File Name | CrowdStrike |
3CXDesktopApp-18[.]11[.]1213[.] | File Name | CrowdStrike |
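To turn the table above into something a SOC can run over proxy and EDR telemetry, the following added example (not code from SentinelOne, CrowdStrike or 3CX) refangs the network and file-name indicators and scans log lines for them. It matches hosts exactly or as subdomains, matches the GitHub indicator on its repository path only (github.com alone is benign), and matches the trojanized installer names as substrings. The hashes are omitted because the table shows them truncated, and the truncated host and file-name rows are omitted for the same reason. The log lines and the field layout are constructed for this example; `scan_lines` and the other names are its own.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the IOC table above in defanged form; truncated rows omitted.
IOC_HOSTS_DEFANGED = [
    "azureonlinestorage[.]com", "msedgepackageinfo[.]com", "glcloudservice[.]com",
    "pbxsources[.]com", "msstorageazure[.]com", "officestoragebox[.]com",
    "visualstudiofactory[.]com", "azuredeploystore[.]com", "msstorageboxes[.]com",
    "officeaddons[.]com", "sourceslabs[.]com", "zacharryblogs[.]com",
    "pbxcloudeservices[.]com", "pbxphonenetwork[.]com", "msedgeupdate[.]net",
]
# github.com itself is benign; only this repository path is an indicator.
IOC_URL_PREFIXES_DEFANGED = ["github[.]com/IconStorages/images"]
IOC_FILENAMES_DEFANGED = [
    "3cxdesktopapp-latest[.]dmg",
    "3cxdesktopapp-18[.]12[.]407[.]msi",
    "3cxdesktopapp-18[.]12[.]416[.]msi",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable lowercase string."""
    return indicator.replace("[.]", ".").lower()


IOC_HOSTS = [refang(h) for h in IOC_HOSTS_DEFANGED]
IOC_URL_PREFIXES = [refang(p) for p in IOC_URL_PREFIXES_DEFANGED]
IOC_FILENAMES = [refang(f) for f in IOC_FILENAMES_DEFANGED]

URL_RE = re.compile(r"https?://[^\s\"']+")


def host_matches(host: str, ioc_host: str) -> bool:
    """Exact match or any subdomain of the indicator host."""
    return host == ioc_host or host.endswith("." + ioc_host)


def scan_line(line: str) -> list:
    """Return (type, indicator) pairs for every IOC found in one log line."""
    hits = []
    for url in URL_RE.findall(line):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        for ioc in IOC_HOSTS:
            if host_matches(host, ioc):
                hits.append(("host", ioc))
        host_and_path = host + parts.path.lower()
        for prefix in IOC_URL_PREFIXES:
            if host_and_path.startswith(prefix):
                hits.append(("url", prefix))
    lowered = line.lower()
    for name in IOC_FILENAMES:
        if name in lowered:
            hits.append(("filename", name))
    return hits


def scan_lines(lines) -> list:
    """Scan many lines; returns (line_number, type, indicator) tuples, 1-based."""
    results = []
    for n, line in enumerate(lines, start=1):
        for kind, indicator in scan_line(line):
            results.append((n, kind, indicator))
    return results


# Constructed sample log lines (not real telemetry) mixing proxy and EDR events.
SAMPLE_LOGS = [
    "2023-03-29T10:02:11Z proxy src=10.0.0.5 GET https://msedgeupdate.net/check status=200",
    "2023-03-29T10:03:40Z proxy src=10.0.0.5 GET https://github.com/IconStorages/images/raw/main/icon1.ico status=200",
    "2023-03-29T10:05:02Z edr host=WS01 event=file_create path=C:\\Users\\alice\\Downloads\\3cxdesktopapp-18.12.416.msi",
    "2023-03-29T10:06:30Z proxy src=10.0.0.7 GET https://example.com/index.html status=200",
    "2023-03-29T10:07:15Z proxy src=10.0.0.9 GET https://cdn.pbxsources.com/exchange status=200",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS):
        print(hit)
```

Subdomain matching is deliberate: the table lists apex domains, and actor-controlled infrastructure is free to serve from any host beneath them. Note that `https://www.3cx[.]com/blog/` is left out of the host list because it is the vendor's own site; a hit there is only meaningful in combination with the other indicators.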