A recent compromise has caused trojanized versions of the 3CXDesktopApp executable to be distributed on 3CX’s website as well as pushed through updates. The malicious version of the 3CX application is used to sideload malicious .DLL files. These .DLL files will eventually stage an information-stealing malware that can harvest system information as well as credentials stored within the user’s browser. The stolen credentials can be used to access a user’s accounts and harvest sensitive data. Barracuda SOC recommends installing endpoint protection on all endpoints and ensuring it is active.
What is the threat?
The trojanized version of 3CXDesktopApp is installed via the MSI installer hosted on 3CX’s website or when an update is installed from an existing installation. The trojan will then extract a malicious version of ffmpeg.dll and d3dcompiler_47.dll, which will be used to download icon files from GitHub containing a Base64 payload. The Base64 strings are then decoded to download an information stealing malware. This malware gathers system information and browser information including browser history and stored credentials from Chrome, Edge, Firefox, and Brave.
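The two behaviours described above (the trojanized app loading a sideloaded ffmpeg.dll / d3dcompiler_47.dll, and that process reaching out to GitHub for the icon files) are the kind of telemetry a SOC can hunt for. The following Python is an added example, not code from Barracuda or 3CX: it runs simple detection rules over constructed Sysmon-like JSON events. The event shape, the allow-list hashes and the hostnames are placeholders and assumptions, not indicators from the incident.

```python
from typing import Iterable

# Constructed sample telemetry in a simplified Sysmon-like shape (not real logs).
# Hash values are labelled placeholders, not real indicators from the 3CX incident.
SAMPLE_EVENTS = [
    {"type": "image_load", "process": r"C:\Program Files\3CXDesktopApp\app\3CXDesktopApp.exe",
     "module": r"C:\Program Files\3CXDesktopApp\app\ffmpeg.dll", "sha256": "GOOD_FFMPEG_HASH"},
    {"type": "image_load", "process": r"C:\Program Files\3CXDesktopApp\app\3CXDesktopApp.exe",
     "module": r"C:\Program Files\3CXDesktopApp\app\d3dcompiler_47.dll", "sha256": "UNKNOWN_HASH_1"},
    {"type": "network_connect", "process": r"C:\Program Files\3CXDesktopApp\app\3CXDesktopApp.exe",
     "dest_host": "raw.githubusercontent.com", "dest_port": 443},
    {"type": "network_connect", "process": r"C:\Windows\explorer.exe",
     "dest_host": "raw.githubusercontent.com", "dest_port": 443},
]

# Placeholder allow-list: populate from the vendor's published hashes of the clean DLLs.
KNOWN_GOOD_SHA256 = {"ffmpeg.dll": {"GOOD_FFMPEG_HASH"}, "d3dcompiler_47.dll": {"GOOD_D3D_HASH"}}
SIDELOAD_CANDIDATES = set(KNOWN_GOOD_SHA256)
GITHUB_SUFFIXES = ("github.com", "githubusercontent.com")

def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_3cx_process(path: str) -> bool:
    return basename(path) == "3cxdesktopapp.exe"

def check_event(ev: dict) -> list:
    """Return a list of finding strings for one event (empty if nothing suspicious)."""
    findings = []
    if not is_3cx_process(ev.get("process", "")):
        return findings            # only the 3CX desktop process is in scope here
    if ev["type"] == "image_load":
        dll = basename(ev["module"])
        # Rule 1: a sideload-candidate DLL loaded by 3CX whose hash is not on the allow-list
        if dll in SIDELOAD_CANDIDATES and ev["sha256"] not in KNOWN_GOOD_SHA256[dll]:
            findings.append(f"unexpected hash for sideload candidate {dll}: {ev['sha256']}")
    elif ev["type"] == "network_connect":
        host = ev["dest_host"].lower()
        # Rule 2: the 3CX process contacting GitHub, where the icon-file payloads were hosted
        if host.endswith(GITHUB_SUFFIXES):
            findings.append(f"3CX process connected to GitHub host {host}")
    return findings

def scan(events: Iterable[dict]) -> list:
    return [f for ev in events for f in check_event(ev)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Rule 2 is a hunting signal rather than proof on its own; tune it against the baseline of what the application normally contacts in your environment.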
Why is it noteworthy?
3CX is a business communications platform that is used globally. With the trojan being present in signed binaries hosted on the official 3CX website and being pushed through updates, this malware has the potential to be both widespread and difficult to detect. CrowdStrike suspects the malware is related to the North Korean threat actor Labyrinth Chollima; however, there is no definitive evidence of this yet.
What is the exposure or risk?
If the user’s login credentials are stored within the browser, this malware has the potential to gain access to many of the user’s accounts, including personal information and proprietary company information. The accounts can also be used to stage phishing attacks against users not affected by the initial attack.
What are the recommendations?
Barracuda SOC recommends the following actions to limit the impact of the 3CX malware:
- Ensure endpoint protection is installed and active on all your endpoints. SentinelOne and CrowdStrike have both been shown to effectively mitigate this malware.
- If 3CX has been added as an exclusion in your endpoint protection, remove the exclusion. Exclusions can reduce the monitoring level of processes and potentially cause the threat to be missed.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.