A recent compromise has caused trojanized versions of the 3CXDesktopApp executable to be distributed on 3CX’s website as well as pushed through updates. The malicious version of the 3CX application is used to sideload malicious .DLL files. These .DLL files eventually stage an information-stealing malware that can harvest system information as well as credentials stored within the user’s browser. The stolen credentials can be used to access a user’s accounts and harvest sensitive data. Barracuda SOC recommends installing endpoint protection on all endpoints and ensuring it is active.
What is the threat?
The trojanized version of 3CXDesktopApp is installed via the MSI installer hosted on 3CX’s website or when an update is installed over an existing installation. The trojan then extracts malicious versions of ffmpeg.dll and d3dcompiler_47.dll, which are used to download icon files from GitHub containing a Base64 payload. The Base64 strings are then decoded to download an information-stealing malware. This malware gathers system information and browser information, including browser history and stored credentials from Chrome, Edge, Firefox, and Brave.
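A detection check for the chain just described, added here as an example and not part of the original advisory or of 3CX’s own code: it correlates a 3CXDesktopApp.exe process loading ffmpeg.dll or d3dcompiler_47.dll from its own folder with a later fetch of a .ico file from a GitHub host. The telemetry events, install path and repository names are constructed placeholders, and the 30-minute window is an assumption.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from urllib.parse import urlparse

SIDELOAD_DLLS = {"ffmpeg.dll", "d3dcompiler_47.dll"}
WINDOW = timedelta(minutes=30)  # assumption: payload fetch follows the DLL load closely

# Constructed sample telemetry (not real logs); install path and repo are placeholders.
APP = r"C:\Users\u\AppData\Local\Programs\3CXDesktopApp\app"
EXE = APP + r"\3CXDesktopApp.exe"
SAMPLE_EVENTS = [
    {"ts": "2023-03-29T10:00:05", "pid": 4120, "type": "image_load",
     "image": EXE, "path": APP + r"\ffmpeg.dll"},
    {"ts": "2023-03-29T10:00:06", "pid": 4120, "type": "image_load",
     "image": EXE, "path": APP + r"\d3dcompiler_47.dll"},
    {"ts": "2023-03-29T10:12:40", "pid": 4120, "type": "net_connect",
     "image": EXE, "url": "https://raw.githubusercontent.com/PLACEHOLDER/repo/main/icon3.ico"},
    {"ts": "2023-03-29T10:13:00", "pid": 5012, "type": "net_connect",  # benign browser fetch
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "url": "https://raw.githubusercontent.com/some-project/repo/main/favicon.ico"},
]

def _name(p):
    return PureWindowsPath(p).name.lower()

def _dir(p):
    return str(PureWindowsPath(p).parent).lower()

def detect(events):
    """Flag a 3CXDesktopApp.exe process that loads a listed DLL from its own folder and
    then fetches a .ico from a GitHub host inside WINDOW. The DLL load alone is normal
    for a genuine install (the real DLLs live there); the .ico fetch makes the pair odd."""
    loads = {}  # pid -> [(load_time, dll_name)]
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if _name(ev["image"]) != "3cxdesktopapp.exe":
            continue
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "image_load":
            dll = _name(ev["path"])
            if dll in SIDELOAD_DLLS and _dir(ev["path"]) == _dir(ev["image"]):
                loads.setdefault(ev["pid"], []).append((t, dll))
        elif ev["type"] == "net_connect":
            u = urlparse(ev["url"])
            if "github" not in (u.hostname or "") or not u.path.lower().endswith(".ico"):
                continue
            for load_time, dll in loads.get(ev["pid"], []):
                if timedelta(0) <= t - load_time <= WINDOW:
                    findings.append({"pid": ev["pid"], "dll": dll, "url": ev["url"]})
    return findings
```

Run against the constructed events it reports two findings for pid 4120 (one per sideloaded DLL) and ignores the browser’s favicon fetch; the same DLL loads without a matching fetch produce nothing.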
Why is it noteworthy?
3CX is a business communications platform that is used globally. With the trojan present in signed binaries hosted on the official 3CX website and pushed through updates, this malware has the potential to be both widespread and difficult to detect. CrowdStrike suspects the malware is related to the North Korean threat actor Labyrinth Chollima; however, there is no definitive evidence of this yet.
What is the exposure or risk?
If the user’s login credentials are stored within the browser, this malware has the potential to gain access to many of the user’s accounts, including personal information and proprietary company information. The compromised accounts can also be used to stage phishing attacks against users not affected by the initial attack.
What are the recommendations?
Barracuda SOC recommends the following actions to limit the impact of the 3CX malware:
- Ensure endpoint protection is installed and active on all your endpoints. SentinelOne and CrowdStrike have both been shown to effectively mitigate this malware.
- If 3CX has been added as an exclusion in your endpoint protection, remove the exclusion. Exclusions reduce the level at which processes are monitored and can cause the threat to be missed.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.
This is great, proactive info, thank you for sharing!
Great article, thank you
Yup, I know a friend dealing with the issue as we speak.
Informative article. Thanks!
Never heard of 3CXDesktopApp prior to today. Thank you for sharing this information.
Thanks for sharing.
This is not good at all, especially since 3CX has not released any further public information regarding the security event since April 1st.
Just one more reason to make sure users don’t have admin rights to download their own updates, and that IT teams should treat all files as untrusted, regardless of their source.
Being a 3CX reseller, we were informed before this post; but still, I applaud this initiative to widely share threat intel. The more people are informed and aware, the less impact a threat will have.
Always happy to get posts like this. Very informative.
This was a nasty one and we were lucky not to deploy that particular version of 3CX. It seems that tactics with delaying updates do pay off. But, we cannot rely on that for protection. Issues like this should not happen. However, unfortunately, I expect they will actually become more frequent.