March 30, 2023
3CX Desktop App Was Compromised in a Supply Chain Attack
Several security firms have recently discovered unexpected malicious activity emanating from the legitimate, signed binary, softphone application 3CXDesktopApp from 3CX.
Malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and in a few cases, hands-on-keyboard activity.
This supply chain attack begins when the MSI installer is downloaded from the 3CX website or a desktop application update is applied.
Two malicious DLL files ffmpeg.dll and d3dcompiler_47.dll are extracted when the MSI or update is installed and are used to execute out the next stage of the attack.
- 3CXDesktopApp for Windows and Mac versions – 18.11.1213, 18.12.402, 18.12.407 & 18.12.416.
Mitigation & Detection
- According to the 3CX statement, since there is no software update yet, their suggestion is to remove the desktop app and the RC client and instead use the PWA client as a temporary alternative.
- Additionally, CYREBRO intelligence team strongly recommends to review and implement the following indicators of compromise in relevant security systems.
The campaign is being monitored, and we will provide updates if any significant developments arise.
References: SentinelOne Report.