Heimdal

An ongoing supply chain attack uses a digitally signed, trojanized build of the 3CX Voice Over Internet Protocol (VoIP) desktop client to target 3CX's customers.

The 3CX Phone System, built by the VoIP IPBX software company 3CX, is used daily by over 12 million users and more than 600,000 companies, including high-profile organizations such as Coca-Cola, McDonald's, BMW, Honda, Toyota, Mercedes-Benz, IKEA, American Express, and the UK's National Health Service (which released an alert about the supply chain attack on Thursday).

Details on the Malware

According to cybersecurity researchers, the attackers are targeting Windows and macOS users of the compromised 3CX desktop app. Observed malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and hands-on-keyboard activity.

According to a statement on the 3CX blog, the affected builds are the Update 7 Electron Windows App, versions 18.12.407 and 18.12.416, and the Electron Mac App, versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416.

The most common post-exploitation activity observed by researchers so far is an infostealer that targets the browsers on the compromised system (Chrome, Edge, Brave, and Firefox) to collect system information and steal browsing data and stored credentials.

How the Supply Chain Attack Works

The supply chain attack starts when the trojanized MSI installer is downloaded from the 3CX website or an update is pushed to an already installed desktop application. When the MSI or update is installed, it drops a malicious ffmpeg.dll and a d3dcompiler_47.dll, which together trigger the next stage of the attack.

The malicious ffmpeg.dll is side-loaded by the 3CX desktop application and used to extract and decrypt an encrypted payload from d3dcompiler_47.dll. The shellcode decrypted from d3dcompiler_47.dll is executed to download icon (.ico) files hosted on GitHub (the first one was uploaded on December 7th, 2022) that carry Base64-encoded strings appended after the image data.

The malware decodes those Base64 strings to obtain the location of its final payload, a previously unknown information-stealing DLL, and downloads it to the compromised machine.
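The "Base64 appended after the icon" trick is easy to check for, because the ICO format itself tells you where legitimate image data ends. The following is an added example written for this article, not code from 3CX or from the researchers it cites: it parses the ICO directory, computes the end of real icon content, and Base64-decodes anything that follows. The sample icon and its trailer are constructed here; the trailer is a plain placeholder URL, whereas the article only says the real strings were Base64-encoded, so the decoded bytes of a real sample may need further decoding before they read as a URL, which this example does not attempt.

```python
import base64
import struct
from typing import Optional

# Layout constants from the ICO file format.
ICONDIR_LEN = 6         # reserved(u16) type(u16) count(u16)
ICONDIRENTRY_LEN = 16   # w h colors reserved planes(u16) bpp(u16) size(u32) offset(u32)


def ico_payload_end(data: bytes) -> int:
    """Return the offset at which the legitimate icon image data ends.

    Every ICONDIRENTRY records the size and absolute offset of one image, so
    the largest offset+size is the end of real icon content. Any bytes after
    that are a trailer the ICO format never uses.
    """
    if len(data) < ICONDIR_LEN:
        raise ValueError("too short to be an ICO file")
    reserved, img_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or img_type != 1 or count == 0:
        raise ValueError("not an ICO header")
    end = ICONDIR_LEN + count * ICONDIRENTRY_LEN
    for i in range(count):
        entry = ICONDIR_LEN + i * ICONDIRENTRY_LEN
        if entry + ICONDIRENTRY_LEN > len(data):
            raise ValueError("truncated icon directory")
        size, offset = struct.unpack_from("<II", data, entry + 8)
        if offset + size > len(data):
            raise ValueError("directory entry points past end of file")
        end = max(end, offset + size)
    return end


def extract_trailer(data: bytes) -> Optional[bytes]:
    """Decode a Base64 trailer appended after the icon data, or None if absent.

    Returns None both when nothing follows the image data and when the trailer
    is not valid Base64 (a non-Base64 trailer is still worth flagging, but it
    is not the pattern this function looks for).
    """
    tail = data[ico_payload_end(data):].strip()
    if not tail:
        return None
    try:
        return base64.b64decode(tail, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def build_sample_ico(trailer: bytes) -> bytes:
    """Constructed 1x1 32-bit ICO (BMP-style image) with `trailer` appended.

    Sample data for this example only; not a real 3CX artefact.
    """
    # BITMAPINFOHEADER: height is doubled because the AND mask follows the pixels.
    bih = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 0, 0, 0, 0, 0)
    image = bih + b"\x00\x00\x00\xff" + b"\x00\x00\x00\x00"  # 1 BGRA pixel + mask row
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32,
                        len(image), ICONDIR_LEN + ICONDIRENTRY_LEN)
    return header + entry + image + trailer


# Placeholder trailer, constructed for this example (not a real indicator).
SAMPLE_URL = b"https://stage2.example.invalid/loader.dll"
SAMPLE_ICO = build_sample_ico(base64.b64encode(SAMPLE_URL))

if __name__ == "__main__":
    print("icon data ends at offset", ico_payload_end(SAMPLE_ICO))
    print("decoded trailer:", extract_trailer(SAMPLE_ICO))
```

Run it over every .ico in a suspect directory and treat any non-empty trailer as worth a second look; a legitimate icon has nothing after its last image.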

3CX’s CEO and CISO Address the Situation

3CX’s CEO, Nick Galea, addressed the issue in the company’s forums.

As many of you have noticed the 3CX DesktopApp has malware in it. It affects the Windows Electron client for customers running update 7. It was reported to us yesterday night and we are working on an update to the DesktopApp which we will release in the coming hours.

Nick Galea, 3CX CEO

Galea recommended uninstalling the app (if you are running Windows Defender, it will be uninstalled automatically) and using the 3CX PWA client instead until a new build is released; the PWA client is entirely web-based and covers about 95% of what the Electron app does.

Pierre Jourdan, 3CX's CISO, announced that the domains contacted by the compromised library have been reported and that most of them have already been taken down. The GitHub repository used by the malware has also been shut down, rendering that stage harmless.

Jourdan also said that the attack appears to be a targeted operation by an Advanced Persistent Threat actor, "perhaps even state-sponsored".

3CX is working on a new Windows app that does not have the issue, and has also decided to issue a new code-signing certificate for it.

3CX apologizes profusely for what occurred and is doing everything to make up for the error.

Update: 3CX Confirms that North Korean Threat Actors are Behind the Supply Chain Attack

The investigation has continued since the incident, and 3CX has now confirmed that a North Korean hacking group was behind the attack.

Based on the Mandiant investigation into the 3CX intrusion and supply chain attack thus far, they attribute the activity to a cluster named UNC4736. Mandiant assesses with high confidence that UNC4736 has a North Korean nexus.

Pierre Jourdan, 3CX CISO

The attackers infected the company’s systems with a malware known as Taxhaul (aka TxRLoader), which deployed Coldcat, a second-stage malware downloader.

The malware was harder to detect because it persisted through DLL side-loading: the malicious DLL was loaded by a legitimate, signed Microsoft Windows program, so it ran automatically at system start-up on every infected device, giving the attackers remote access over the internet.

The attack also backdoored macOS systems with malware called Simplesea, which Mandiant is presently investigating to see whether it is related to any known malware families.

Supported backdoor commands include shell command execution, file transfer, file execution, file management, and configuration updating. It can also be tasked to test the connectivity of a provided IP and port number.

Pierre Jourdan, 3CX CISO

The malware deployed by the North Korean group connected to multiple command-and-control (C2) servers, including:

  • azureonlinecloud[.]com
  • akamaicontainer[.]com
  • journalide[.]org
  • msboxonline[.]com

3CX has yet to clarify how the supply chain attack was launched in the first place, whether through a compromised development environment or another means.

Heimdal®'s Threat Prevention Module Is Already Blocking the Attack

Heimdal®'s solution can protect your company against this attack and similar threats with a layered approach that disrupts the connection. Heimdal®'s Threat Prevention module is already blocking DNS resolution of the command and control (C2) domains, so even a vulnerable 3CX app cannot reach them to complete the attack.

Heimdal®'s Threat Prevention Endpoint and Threat Prevention Network are the ultimate extra layers in any cybersecurity stack and can protect against all attacks that require DNS communication (which 91.3% of malware currently does).

Also, by using our Patch & Asset Management solution you can uninstall the application and block it from being reinstalled, if that is your preferred route.


Author Profile

Cristian Neagu

CONTENT EDITOR


Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.
