Triskele Labs Blog

Active Exploitation of 3CX Desktop Application

Written by Nick Morgan | Mar 30, 2023 2:54:04 AM

Date: 30/03/2023

Purpose

The purpose of this alert is to bring attention to a critical vulnerability identified in 3CXDesktopApp, the popular voice and video conferencing desktop application distributed by 3CX. This zero-day vulnerability was detected by CrowdStrike on 29 March 2023 and has not yet been assigned a Common Vulnerabilities and Exposures (CVE) identifier. It is a suspected supply chain compromise, and the potential impact is broad: over 600,000 companies and 12,000,000 users reportedly utilise this software daily.

Details

CrowdStrike report that they have detected this vulnerability being exploited in the wild. The vulnerability affects a legitimate, signed 3CX binary, 3CXDesktopApp. The signed binary has been trojanized: injected with malicious code that performs the first stage of a multi-stage attack. When the “.msi” is executed, malicious DLLs are extracted; these are available on VirusTotal (see the References below). The next stage downloads icon (“.ico”) files from GitHub that contain Base64 encoded strings. The final stage of the malware then harvests system information, such as credentials stored in browsers.
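One defensive check a hunting team can derive from the chain described above is an icon-file inspector: a well-formed .ico file ends where its last image ends, so any Base64 text appended after that point is a tell worth flagging. The following Python is an added example, not code from this advisory or from CrowdStrike, SentinelOne or 3CX. It assumes the Base64 strings sit after the icon image data, which the page does not specify; both sample files are constructed inline.

```python
import base64
import re
import struct
from typing import Optional

ICO_HEADER = struct.Struct("<HHH")          # reserved, type (1 = icon), image count
ICO_DIR_ENTRY = struct.Struct("<BBBBHHII")  # w, h, colours, reserved, planes, bpp, size, offset
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
MIN_B64_LEN = 16  # ignore tiny tails that happen to look like Base64


def ico_image_data_end(data: bytes) -> int:
    """Parse the ICO header and directory and return the offset where the
    last image's bytes end. Raises ValueError for a structurally invalid ICO."""
    if len(data) < ICO_HEADER.size:
        raise ValueError("too short for an ICO header")
    reserved, kind, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an ICO header")
    end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size
    if len(data) < end:
        raise ValueError("truncated ICO directory")
    for i in range(count):
        entry_offset = ICO_HEADER.size + i * ICO_DIR_ENTRY.size
        *_, size, offset = ICO_DIR_ENTRY.unpack_from(data, entry_offset)
        if offset + size > len(data):
            raise ValueError("directory entry points past end of file")
        end = max(end, offset + size)
    return end


def trailing_base64_payload(data: bytes) -> Optional[bytes]:
    """Return the decoded payload if Base64 text follows the icon image data,
    otherwise None. Whitespace is stripped first because Base64 is often
    line-wrapped; the regex and length check reject non-Base64 tails."""
    tail = data[ico_image_data_end(data):]
    compact = re.sub(rb"\s+", b"", tail)
    if len(compact) < MIN_B64_LEN or len(compact) % 4 != 0:
        return None
    if not BASE64_RE.match(compact):
        return None
    return base64.b64decode(compact, validate=True)


def build_ico(image_bytes: bytes) -> bytes:
    """Construct a minimal one-image ICO around arbitrary image bytes.
    Used only to build the constructed sample files below."""
    offset = ICO_HEADER.size + ICO_DIR_ENTRY.size
    header = ICO_HEADER.pack(0, 1, 1)
    entry = ICO_DIR_ENTRY.pack(1, 1, 0, 0, 1, 32, len(image_bytes), offset)
    return header + entry + image_bytes


# Constructed samples (assumption: payload is appended after the image data).
FAKE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
CLEAN_ICO = build_ico(FAKE_IMAGE)
HIDDEN_TEXT = b"constructed sample text hidden in the icon"
SUSPICIOUS_ICO = CLEAN_ICO + base64.b64encode(HIDDEN_TEXT)

if __name__ == "__main__":
    for name, blob in (("clean.ico", CLEAN_ICO), ("suspicious.ico", SUSPICIOUS_ICO)):
        payload = trailing_base64_payload(blob)
        verdict = f"Base64 tail decodes to {payload!r}" if payload else "no trailing Base64"
        print(f"{name}: {verdict}")
```

In a real hunt, `trailing_base64_payload` would be run over every .ico file written by the 3CX process or found in its working directories, with a hit escalated to the SOC rather than acted on by the script; the decoded bytes are only logged so an analyst can triage them.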

As the legitimate, signed 3CX binary has been compromised, the initial attack vector is users downloading the legitimate “.msi” installer from the official 3CX website; for a period of time, this installer has been trojanized. In addition, victims may have installed updates through the client software that resulted in the malicious copy being installed. At the time of writing, the trojanized copy of the “.msi” is still being hosted on the 3CX website: do not download the latest copy until 3CX provide an update.

SentinelOne report that they have observed a spike in behavioural detections relevant to 3CXDesktopApp since 22 March 2023.

This binary is available for Windows, macOS, Linux and mobile; at the time of writing, CrowdStrike has observed suspicious activity for the Windows and macOS clients.

Cyber Threat Intelligence

Cyber Threat Intelligence (CTI) reports that exploitation of this vulnerability may be associated with a nation-state Threat Actor. CrowdStrike knows this Threat Actor as LABYRINTH CHOLLIMA. It is more commonly known throughout the community as Lazarus Group and has been attributed to the Democratic People’s Republic of Korea (DPRK, North Korea), specifically the Reconnaissance General Bureau (RGB). The RGB is a North Korean intelligence agency responsible for spying, covert operations and cyber espionage. The group has been active since at least 2009 and has been responsible for several high-profile attacks since that time.

Mitigation Actions

At the time of writing, there is no patch available to remediate this flaw. As such, alternative mitigation strategies are critical.

Clients running 3CX software should perform Threat Hunting to ensure there are no Indicators of Compromise (IOCs) present within their environment, as this zero-day vulnerability may have already been exploited.

At the time of writing, the backdoored, trojanized copy of the 3CX MSI is still online and hosted on the 3CX website. Do not update 3CX software. The backdoored versions are known to be:

  • 12.407
  • 12.416
  • 11.1213
  • The latest version on Macs.

If not required, 3CX software should be removed or disabled.

Temporary firewall blocks should be put in place to prevent the 3CX software from updating.

Customers should ensure Endpoint Detection and Response (EDR) agents are deployed to systems running 3CX. These platforms may prevent execution resulting from this attack vector.


Detection & Threat Hunting

The Triskele Labs DefenceShield Security Operations Centre (SOC) is currently performing active Threat Hunting across client environments known to utilise 3CX software to identify IOCs associated with this threat.

If you utilise 3CX software and need assistance, please reach out to Triskele Labs immediately.

CrowdStrike has released IOCs (see the CrowdStrike blog post in the References below).

SentinelOne has released IOCs (see the SentinelOne blog post in the References below).

YARA rules are also available for Threat Hunting.
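To turn the version list under Mitigation Actions and the hash IOCs referenced on this page into a first-pass hunting script, here is an added Python example; it is not Triskele Labs, CrowdStrike or SentinelOne tooling. The version set is the one listed above (the macOS build has no number on the page, so none is included), and the two SHA-256 values are taken from the VirusTotal links in the References; the page does not say which file each hash belongs to. The match on trailing version components, the file-type list and the sample directory tree are assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Iterable, List, Set, Tuple

# Backdoored builds named in this advisory. The macOS build is described on
# the page only as "the latest version", so no number is listed for it.
BACKDOORED_VERSIONS = {"12.407", "12.416", "11.1213"}

# SHA-256 values taken from the two VirusTotal links in the References.
IOC_SHA256 = {
    "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896",
    "11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03",
}

# Assumed file types worth hashing: the page names the MSI installer,
# extracted DLLs and downloaded ICO files.
HUNT_SUFFIXES = {".msi", ".dll", ".exe", ".ico"}


def is_backdoored_version(version: str) -> bool:
    """True if the reported version is one of the backdoored builds.
    Assumption: a longer version string (with a leading major number) is
    matched on its last two dotted components, which is how the page
    writes the affected builds."""
    cleaned = version.strip()
    parts = cleaned.split(".")
    candidates = {cleaned, ".".join(parts[-2:])}
    return bool(candidates & BACKDOORED_VERSIONS)


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large installers are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hunt_directory(root: Path, iocs: Set[str] = IOC_SHA256,
                   suffixes: Iterable[str] = HUNT_SUFFIXES) -> List[Tuple[str, str]]:
    """Recursively hash candidate files under root and return (path, sha256)
    for every file whose digest appears in the IOC set."""
    wanted = {s.lower() for s in suffixes}
    hits: List[Tuple[str, str]] = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in wanted:
            digest = sha256_file(path)
            if digest in iocs:
                hits.append((str(path), digest))
    return hits


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Build a constructed sample tree (one benign DLL-named file and one
    file whose digest is registered as a constructed IOC), then hunt once
    against the advisory's real IOC set (expect no hits) and once against
    the constructed set (expect exactly one hit)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "benign.dll").write_bytes(b"constructed benign sample\n")
        sample = root / "3CXDesktopApp.msi"
        sample.write_bytes(b"constructed sample standing in for a flagged installer\n")
        constructed_iocs = {sha256_file(sample)}
        return hunt_directory(root), hunt_directory(root, iocs=constructed_iocs)


if __name__ == "__main__":
    # "12.999" is a constructed value, not a real 3CX build number.
    for v in ("12.407", "18.12.416", "12.999"):
        print(f"version {v}: {'BACKDOORED' if is_backdoored_version(v) else 'not listed'}")
    real_hits, constructed_hits = demo()
    print("hits against advisory IOCs:", real_hits)
    print("hits against constructed IOCs:", [p for p, _ in constructed_hits])
```

For a real run, point `hunt_directory` at the 3CX installation directory and at user download folders on each host, and extend `IOC_SHA256` with the full hash lists from the CrowdStrike and SentinelOne posts; a hash match is a confirmed IOC and should go straight to incident response, while a backdoored version number with no hash match still warrants isolating the host until the installer and extracted DLLs have been checked.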

Should Triskele Labs detect malicious activity, clients will be immediately alerted via normal channels.

For any questions, please reach out to the DefenceShield Security Operations Centre or contact Triskele Labs support.

References

References used for the generation of this release:

https://www.3cx.com/user-manual/installation-windows/
https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/
https://www.virustotal.com/gui/file/7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
https://www.virustotal.com/gui/file/11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03
https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
https://www.crowdstrike.com/adversaries/labyrinth-chollima/
https://docs.rapid7.com/insightidr/lazarus-group/
https://www.bugcrowd.com/glossary/lazarus-group/