3CX Supply Chain Attack 01 April 2023

In March 2023, security researchers uncovered a sophisticated supply chain attack that employed a trojanized version of the 3CX VoIP desktop client. This attack specifically targeted the clients of 3CX, representing a significant threat to the security of businesses that rely on this popular communication software.

3CX is a widely used communication software suite that offers video conferencing, call management, and live chat, serving over 600,000 businesses and 12 million daily users across the globe.

The Tactics and Techniques of 3CX Supply Chain Attack:

• The attack starts with a trojanized MSI installer package that drops three files: “3CXDesktopApp.exe”, “ffmpeg.dll” and “d3dcompiler_47.dll”.

• When “3CXDesktopApp.exe” is executed, it loads the malicious DLL “ffmpeg.dll”, which is used to read, load, and execute shellcode from the encrypted file “d3dcompiler_47.dll”.

• After decrypting “d3dcompiler_47.dll” with RC4 using the key 3jB(2bsG#@c7, the shellcode accesses a GitHub repository hosting ICO files; appended to the end of each image are the C&C strings, Base64-encoded and encrypted with AES-GCM.

• The encrypted C&C strings in those ICO files are the domains the shellcode connects to in order to download additional payloads.

However, the contents of these payloads could not be confirmed as the GitHub repository had been removed by the time of analysis.

• The Windows version exhibits the aforementioned behavior, whereas the Mac version displays similar characteristics but utilizes only a portion of the C&C domains employed by the Windows version.
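One defender-side check the ICO detail above suggests, as an added example that is not from the original advisory or from 3CX: parse an icon's header, work out where its last image ends, and flag whatever has been appended beyond that point (the Base64 text the advisory describes would surface there). The icon layout and the appended bytes are constructed for the demonstration; no real sample is used.

```python
import base64
import binascii
import struct

# ICO container layout: a 6-byte ICONDIR header followed by one 16-byte
# ICONDIRENTRY per image, each giving that image's size and file offset.
ICONDIR = struct.Struct("<HHH")            # reserved, type (1 = ICO, 2 = CUR), count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colors, reserved, planes, bpp, size, offset


def trailing_data(ico: bytes) -> bytes:
    """Return the bytes that lie beyond the last image the header declares.

    A well-formed icon ends where its last image ends; an icon viewer never
    reads past that, so anything after it is appended data worth a look.
    """
    reserved, kind, count = ICONDIR.unpack_from(ico, 0)
    if reserved != 0 or kind not in (1, 2) or count == 0:
        raise ValueError("not an ICO/CUR container")
    end = ICONDIR.size + count * ICONDIRENTRY.size
    for i in range(count):
        *_, size, offset = ICONDIRENTRY.unpack_from(ico, ICONDIR.size + i * ICONDIRENTRY.size)
        end = max(end, offset + size)
    return ico[end:]


def decodes_as_base64(blob: bytes) -> bool:
    """True if the blob is non-empty, strictly valid Base64 text (a cheap triage signal)."""
    text = blob.strip()
    if not text:
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def triage(ico: bytes) -> dict:
    """Summarise appended data for one icon: how much there is and whether it looks like Base64."""
    tail = trailing_data(ico)
    return {"trailing_bytes": len(tail), "base64_like": decodes_as_base64(tail)}


def build_sample_ico(appended: bytes) -> bytes:
    """Constructed 1x1 icon with `appended` glued after the image data (test fixture only)."""
    image = b"\x89PNG" + b"\x00" * 28  # constructed stand-in for image bytes, not a real PNG
    header = ICONDIR.pack(0, 1, 1)
    entry = ICONDIRENTRY.pack(1, 1, 0, 0, 1, 32, len(image), ICONDIR.size + ICONDIRENTRY.size)
    return header + entry + image + appended


if __name__ == "__main__":
    print(triage(build_sample_ico(b"")))  # clean icon: nothing appended
    print(triage(build_sample_ico(base64.b64encode(b"CONSTRUCTED-CIPHERTEXT-STAND-IN"))))
```

Run it over the icons found in a suspect process's download cache or an extracted repository; a non-zero `trailing_bytes` with `base64_like` true is the pattern to escalate for decryption by an analyst.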

Indicators of Compromise

Indicators of compromise will be shared with EG-FinCIRT’s Constituents

Mitigations

If 3CX software is used in your esteemed organization, please follow the below mitigations:

• 3CX has posted an update recommending that the desktop client app be uninstalled on Windows and Mac and that the Progressive Web App (PWA) client be used instead.

• Search for existing signs of the indicated IOCs in your environment.

• Block all URL and IP-based IOCs at the organization’s security devices.
