Posted on March 28, 2023 at 8:27 PM
3CX customers in danger after a recent supply chain attack compromised the firm’s desktop app
According to recent reports, 3CX has been hit by a supply chain attack that is still ongoing. As part of it, the attackers created a digitally signed and trojanized version of the company’s VoIP (Voice over Internet Protocol) desktop app, which is now being used against the firm’s clients.
3CX is a well-known developer of VoIP IP-PBX software. Its 3CX Phone System is currently used by over 600,000 companies around the world, and the firm also claims over 12 million daily users.
As mentioned, the company counts hundreds of thousands of other firms among its users, including BMW, Coca-Cola, Toyota, American Express, IKEA, McDonald’s, Honda, Mercedes-Benz, Air France, Holiday Inn, and many others. This led major security companies, including CrowdStrike and Sophos, to look into the attack.
After examining the situation, CrowdStrike said that the malicious activity includes beaconing to actor-controlled infrastructure, followed by the deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity. Sophos’ team added that the most common post-exploitation activity observed to date is the spawning of an interactive command shell.
CrowdStrike believes that the attacker might be Labyrinth Chollima, a state-backed hacking group operating from North Korea, while Sophos’ researchers said they could not confirm this attribution with high confidence. Labyrinth Chollima’s operations have previously overlapped with those of other well-known hacking teams, including the Lazarus Group, Covellite, UNC4034, Nickel Academy, and Zinc.
Each of these groups is tracked by major security firms, and CrowdStrike itself said that it follows an in-depth analytic process for its adversary naming conventions. Under that scheme, Labyrinth Chollima is a subset of the Lazarus Group, which also includes other DPRK-nexus adversaries such as Stardust Chollima and Silent Chollima.
According to reports from Sophos and SentinelOne, a trojanized 3CX desktop app is being distributed through the supply chain attack. The campaign has been named SmoothOperator. It starts with the MSI installer downloaded from 3CX’s website or, for clients that already have the app installed, with an update that delivers the trojanized version.
Once the MSI is installed on the device, it extracts malicious files that carry out the second stage of the attack. According to Sophos, 3CXDesktopApp.exe itself is not malicious; it is accompanied by other malicious files, including ffmpeg.dll and d3dcompiler_47.dll, which get sideloaded. These then extract an encrypted payload from d3dcompiler_47.dll and execute it, leading to the third stage.
At this point, the malware downloads icon files hosted on GitHub that contain Base64-encoded strings. The repository where the icons are stored shows that the first icon was uploaded on December 7th of last year.
The first-stage malware uses those Base64 strings to download the final payload, an information-stealing malware that had not been seen before this attack. It is also delivered as a DLL and is capable of harvesting system data and stealing credentials from web browsers, including Chrome, Firefox, Edge, and even the crypto-powered privacy browser Brave.
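The two paragraphs above describe icon files that carry Base64-encoded strings. An analyst triaging a suspect .ico file can check whether it has bytes beyond what its own directory declares, and whether those bytes decode as Base64. The script below is an added illustration, not code from the original report or from any of the researchers it cites; it assumes the hidden string is simply appended after the last image (an assumption about the layout, not a detail the article gives), and the sample icons and the hidden text are constructed for the example.

```python
import base64
import binascii
import re
import struct

# ICO layout (public ICONDIR / ICONDIRENTRY format):
# 6-byte header: reserved (0), type (1 = icon, 2 = cursor), image count;
# then one 16-byte directory entry per image giving the image's size and file offset.
ICO_HEADER = struct.Struct("<HHH")
ICO_DIR_ENTRY = struct.Struct("<BBBBHHII")  # width, height, colours, reserved, planes, bpp, size, offset

# Loose Base64 alphabet check; padding correctness is left to the decoder.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def ico_declared_end(data: bytes) -> int:
    """Return the offset where the ICO directory says the last image's bytes end."""
    if len(data) < ICO_HEADER.size:
        raise ValueError("too short to be an ICO file")
    reserved, kind, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or kind not in (1, 2) or count == 0:
        raise ValueError("not an ICO/CUR header")
    dir_end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size
    if len(data) < dir_end:
        raise ValueError("truncated ICO directory")
    end = dir_end
    for i in range(count):
        *_, size, offset = ICO_DIR_ENTRY.unpack_from(data, ICO_HEADER.size + i * ICO_DIR_ENTRY.size)
        end = max(end, offset + size)
    return end


def inspect_ico(data: bytes) -> dict:
    """Report bytes sitting after the last declared image, decoded if they look like Base64."""
    end = ico_declared_end(data)
    trailing = data[end:].strip()
    report = {"declared_end": end, "trailing_bytes": len(trailing), "decoded": None}
    if trailing and len(trailing) % 4 == 0 and B64_RE.match(trailing):
        try:
            report["decoded"] = base64.b64decode(trailing, validate=True)
        except binascii.Error:
            pass  # alphabet matched but padding was wrong; leave it undecoded
    return report


def build_sample_ico(appended: bytes) -> bytes:
    """Build a minimal one-image ICO (constructed; image bytes are a placeholder) plus trailing data."""
    image = b"\x00" * 40
    offset = ICO_HEADER.size + ICO_DIR_ENTRY.size
    return ICO_HEADER.pack(0, 1, 1) + ICO_DIR_ENTRY.pack(1, 1, 0, 0, 1, 32, len(image), offset) + image + appended


# Constructed samples: a clean icon, and one with a Base64 string appended (assumed layout).
HIDDEN_TEXT = b"stage3: https://c2.example.invalid/"  # made-up text, not a real indicator
CLEAN_ICO = build_sample_ico(b"")
TAMPERED_ICO = build_sample_ico(base64.b64encode(HIDDEN_TEXT))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICO), ("tampered", TAMPERED_ICO)):
        print(name, inspect_ico(blob))
```

Trailing bytes on their own are not proof of tampering (some tools pad files), so the decoded content, rather than the mere presence of extra data, is what should drive escalation.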
SentinelOne said that its team cannot yet confirm whether the Mac installer is trojanized as well, but its investigation covers additional applications, such as the Chrome extension, which the hackers might also be misusing to stage attacks.
CrowdStrike noted that the trojanized app connects to one of numerous attacker-controlled domains. Some customers have reported domains they saw the software connect to, including azureonlinestorage[.]com, msstorageboxes[.]com, and msstorageazure[.]com.
A number of other customers said they had started receiving alerts about a week earlier, on March 22nd, stating that the app had been flagged as malicious by several security companies.