Customer Advisory | 3CX Suffers Supply Chain Attack: Electron Windows App Drops an Unknown Infostealer

By Adversary Tactics and Intelligence Team

Estimated Reading Time: 7 minutes

Executive Summary

Deepwatch is aware of and responding to numerous outlets reporting that a threat actor used an update of 3CXDesktopApp in a supply chain attack to infect victims with an unknown infostealer. 3CXDesktopApp is voice and video conferencing call-routing software developed by 3CX. Late on 30 March 2023, the CVE identifier CVE-2023-29059 was assigned because 3CXDesktopApp contains malicious code.

According to Huntress, SentinelOne, and Trend Micro, the attack chain begins when an organization’s 3CXDesktopApp.exe is updated. The update causes Updater.exe to spawn and download a trojanized MSI package containing a functional but backdoored ffmpeg.dll. That DLL sideloads d3dcompiler_47.dll, which reaches out to GitHub to download one of 16 ICO files with Base64 data appended to them; the appended data contains an encoded command and control (C2) URL and an unknown infostealer. The final payload waits seven days before communicating with the hardcoded C2 URL.

The C2 domains and GitHub repository were taken offline, preventing future exploitation of organizations that have not yet updated. However, it is unknown how many organizations downloaded the trojanized update. 3CX recommends organizations uninstall the 3CX desktop client and use its Progressive Web App (PWA) instead.

Key Points

  • 3CX Electron Windows App (3CXDesktopApp.exe) shipped in Update 7 contains malicious code that drops an unknown infostealer on organizations.
  • Beginning 22 March 2023 SentinelOne began to see a spike in malicious activity associated with 3CXDesktopApp. Seven days later, CrowdStrike began observing malicious activity originating from 3CXDesktopApp.
  • 3CX issued a security advisory where they state the issue appears to be one of the bundled libraries that 3CX compiled into the Windows Electron App.
  • The C2 domains and GitHub repository were taken offline, preventing future exploitation of organizations who have not updated yet.
  • CrowdStrike suspects nation-state involvement by the Democratic People’s Republic of Korea (DPRK) threat actor Labyrinth Chollima. However, no other outlet has corroborated this attribution.
  • ATI analyzed our internal data sets for known observables and other indicators of compromise, and added indicators of compromise to our continuous monitoring platform. Any results will be thoroughly reviewed and investigated by ATI and any impacted customers notified.

Overview

Beginning on 22 March 2023, SentinelOne saw a spike in malicious activity associated with 3CXDesktopApp. According to 3CX, Electron Windows App versions 18.12.407 and 18.12.416 and Electron Mac App versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 (shipped in Update 7) include a security issue, which appears to be related to one of the bundled libraries that 3CX compiled into the Windows Electron App via GIT. 3CX is still researching the matter.

Seven days later, on 29 March 2023, CrowdStrike began observing malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp. CrowdStrike Intelligence has assessed suspected nation-state involvement by the threat actor Labyrinth Chollima, based on a beacon structure and an encryption key that match those observed in an earlier campaign CrowdStrike attributed with high confidence to Labyrinth Chollima. However, CrowdStrike is the only outlet to make an attribution claim; SentinelOne and Sophos are unable to attribute this activity to any known threat activity cluster.

On 30 March 2023, 3CX published a security advisory where they state “this appears to have been a targeted attack from an Advanced Persistent Threat (APT), perhaps even state sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware. The vast majority of systems, although they had the files dormant, were in fact never infected.” According to the advisory, the issue appears to be one of the bundled libraries that 3CX compiled into the Windows Electron App via GIT and 3CX is still researching the matter. 

According to a Shodan search there are over 243,000 publicly exposed 3CX phone management systems. The results show that a large number of organizations are using phone management products from 3CX.

The issue is now tracked as CVE-2023-29059, which was assigned because 3CX DesktopApp through 18.12.416 contains embedded malicious code. According to the CVE description, the issue affects versions 18.12.407 and 18.12.416 of the Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the Electron macOS application.

Attack Details

According to Huntress, SentinelOne, and Trend Micro, the attack chain is as follows:

  1. Organizations with 3CXDesktopApp.exe already deployed received an update beginning around 22 March 2023. This update caused Updater.exe to spawn and download an MSI package containing trojanized updates.
  2. Updater.exe invokes the functional but backdoored ffmpeg.dll, which sideloads d3dcompiler_47.dll and extracts a secondary payload.
  3. The d3dcompiler_47.dll payload is decrypted and waits seven days before reaching out to GitHub (https://github[.]com/IconStorages/images) to download one of 16 .ico files.
  4. These ICO files have Base64 data appended at the end, which is decoded and used to obtain a command and control URL and to download the final payload, a DLL that appears to be a previously unknown infostealer.
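The following Python script is an added example, not code from the advisory or from any of the vendors it cites. It shows the triage check an analyst would apply to step 4 above: parse the ICO directory to find where a well-formed icon's image data ends, treat anything after that offset as an appended trailer, and attempt to Base64-decode it. The sample icon and the appended placeholder string are constructed here; the real samples' decoding beyond Base64 is not reproduced, and the script never fetches or runs anything.

```python
import base64
import binascii
import struct

# ICO container layout (Microsoft ICONDIR / ICONDIRENTRY), little-endian.
ICONDIR_FMT = "<HHH"             # reserved (0), resource type (1 = icon), image count
ICONDIRENTRY_FMT = "<BBBBHHII"   # width, height, colours, reserved, planes, bpp, bytes_in_res, image_offset
ICONDIR_SIZE = struct.calcsize(ICONDIR_FMT)            # 6
ICONDIRENTRY_SIZE = struct.calcsize(ICONDIRENTRY_FMT)  # 16


def ico_image_end(data: bytes) -> int:
    """Offset just past the last image referenced by the ICO directory.

    A well-formed icon has nothing after this offset, so trailing bytes are a
    signal that the file carries data the icon format does not account for.
    """
    if len(data) < ICONDIR_SIZE:
        raise ValueError("too short to be an ICO file")
    reserved, ico_type, count = struct.unpack_from(ICONDIR_FMT, data, 0)
    if reserved != 0 or ico_type != 1 or count == 0:
        raise ValueError("not an ICO header")
    end = ICONDIR_SIZE + ICONDIRENTRY_SIZE * count
    if len(data) < end:
        raise ValueError("truncated ICONDIR entries")
    for i in range(count):
        entry = struct.unpack_from(ICONDIRENTRY_FMT, data, ICONDIR_SIZE + ICONDIRENTRY_SIZE * i)
        bytes_in_res, image_offset = entry[6], entry[7]
        if image_offset + bytes_in_res > len(data):
            raise ValueError("image entry points past end of file")
        end = max(end, image_offset + bytes_in_res)
    return end


def extract_appended_payload(data: bytes):
    """Return (trailer, decoded): the bytes after the icon images and their
    Base64 decoding. (b"", None) means no trailer; decoded is None when a
    trailer exists but is not valid Base64."""
    trailer = data[ico_image_end(data):]
    if not trailer:
        return b"", None
    compact = b"".join(trailer.split())   # tolerate line breaks inside the blob
    try:
        decoded = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        decoded = None
    return trailer, decoded


def build_sample_ico(appended: bytes) -> bytes:
    """Construct a minimal 1x1 32-bpp icon and append `appended` after the image
    data. This is test input built for the example, not a real sample."""
    # BITMAPINFOHEADER: height is doubled because the XOR and AND masks are stacked.
    bih = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 8, 0, 0, 0, 0)
    pixels = b"\x00\x00\x00\xff"     # one BGRA pixel
    and_mask = b"\x00\x00\x00\x00"   # one 1-bit mask row, padded to 4 bytes
    image = bih + pixels + and_mask
    header = struct.pack(ICONDIR_FMT, 0, 1, 1)
    entry = struct.pack(ICONDIRENTRY_FMT, 1, 1, 0, 0, 1, 32, len(image),
                        ICONDIR_SIZE + ICONDIRENTRY_SIZE)
    return header + entry + image + appended


# Constructed inputs: a clean icon and one with a Base64 trailer (placeholder text, not a real IOC).
CLEAN_ICO = build_sample_ico(b"")
TRAILER_ICO = build_sample_ico(base64.b64encode(b"placeholder-c2.invalid/next-stage"))


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICO), ("trailer", TRAILER_ICO)):
        trailer, decoded = extract_appended_payload(blob)
        print(f"{name}: image data ends at {ico_image_end(blob)} of {len(blob)} bytes, "
              f"trailer={len(trailer)} bytes, decoded={decoded!r}")
```

Because the check is purely structural, it flags any icon with bytes past the last image, whether or not the trailer decodes; a non-empty trailer on a file that is supposed to be a plain icon is itself worth a look.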

Deepwatch Actions

Using the Threat Intel team’s analysis of open-source reporting, ATI first coordinated with Deepwatch’s Vulnerability Management team to identify existing customers running the 3CX Electron Windows App in their environments. ATI then performed retrospective searches of available process data in the environments of customers without the Vulnerability Management service to identify additional customers running the 3CX Electron Windows App.

These actions provided ATI with a base set of data to search against, which ATI analyzed for known observables and other indicators of compromise. Additionally, ATI has added indicators of compromise to our continuous monitoring platform. Any results from these actions will be thoroughly reviewed and investigated by ATI and any impacted customers notified.

Analyst Comment

The GitHub repository was taken offline on 29 March 2023, which prevents future exploitation of organizations that have not yet updated. However, it is unknown how many organizations downloaded the trojanized update. Additionally, 3CX stated that the C2 URLs have been reported, with the majority taken down.

If 3CX confirms the issue is related to one of the bundled libraries it used, and if other vendors used the same bundled library in their products, the total impact will likely be much wider than initially assessed. Additionally, it is unknown whether the threat actors still have access to 3CX’s, and potentially other vendors’, supply chains, which would allow them to trojanize future updates.

At this time, ATI cannot confirm CrowdStrike’s “suspected” nation-state involvement by the North Korea-based threat actor Labyrinth Chollima. No other outlet has confirmed this attribution, and further analysis is underway that will likely lead to a stronger attribution claim. However, according to Huntress, the ffmpeg.dll binary decrypts the secondary payload with a key that, according to other threat intelligence, is attributed to DPRK threat actors.

Recommendations

3CX recommends organizations uninstall the 3CX desktop client and use its Progressive Web App (PWA) instead. 3CX is preparing a new release, and an update to 3CXDesktopApp will be available soon.

Organizations can run the following searches for installed software matching “3CX” in their vulnerability management solution. Deepwatch Vulnerability Management Service customers have already received a list of affected assets.

  • For Tenable Advanced Asset Search, navigate to Explore Overview > Assets – Installed Software is equal to cpe:/a:3cx:*.
    • Tenable also released the following Plugin IDs:
      • 173712 – 3CX DesktopApp Malware
      • 173677 – 3CX Desktop App Installed (Windows)
      • 173679 – 3CX Desktop App Installed (macOS)
  • For Qualys, searches can be performed in VMDR or Asset View/Global Asset View – software.name:'3cx'.

Be On the Lookout (BOLO)

  • Presence of “3CXDesktopApp” in process data, which may indicate use of the compromised software.
  • Shellcode injection alerts relating to “3CXDesktopApp.”
  • DNS queries, web traffic, or file activity matching the known IOCs listed below.
  • 3CXDesktopApp.exe spawning rare/anomalous network connections (Sysmon or EDR).

Observables

GitHub repository hosting malicious ICO files (GitHub repository is no longer accessible):

raw.githubusercontent[.]com/IconStorages/images/main/

The following are the C2 domains decrypted from the ICO files that were hosted on GitHub:

akamaicontainer[.]com
akamaitechcloudservices[.]com
azuredeploystore[.]com
azureonlinecloud[.]com
azureonlinestorage[.]com
dunamistrd[.]com
glcloudservice[.]com
journalide[.]org
msedgepackageinfo[.]com
msstorageazure[.]com
msstorageboxes[.]com
officeaddons[.]com
officestoragebox[.]com
pbxcloudeservices[.]com
pbxphonenetwork[.]com
pbxsources[.]com
qwepoi123098[.]com
sbmsa[.]wiki
sourceslabs[.]com
visualstudiofactory[.]com
Zacharryblogs[.]com

Trojanized MSI Update Packages

File Name: 3cxdesktopapp-18.12.407.msi
SHA256: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868

File Name: 3cxdesktopapp-18.12.416.msi
SHA256: 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983

Trojanized MSI Package Contents:

File Name: ffmpeg.dll signed by 3CX Ltd
SHA256: c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02
SHA256: 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896

File Name: d3dcompiler_47.dll
SHA256: 11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03 

Hash of one malicious ICO file:

File Name: icon13.ico
SHA256: 4e08e4ffc699e0a1de4a5225a0b4920933fbb9cf123cde33e1674fde6d61444f

Unknown Infostealer SHA-1 Hash as reported by SentinelOne:
SHA-1: cad1120d91b812acafef7175f949dd1b09c6c21a
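The Python below is an added example, not part of the advisory and not a Deepwatch tool. It turns the BOLO items and the observables above into a small triage script: it loads the C2 domains and SHA256 hashes listed in this advisory, parses Sysmon-style key=value event lines, and reports a finding with a severity for each line that matches. The log lines are constructed in a simplified format (quoted values, a bare SHA256 field rather than Sysmon's Hashes field, and a Source=proxy line standing in for a web proxy record); the Sysmon event IDs used are the real ones (1 process create, 3 network connection, 7 image load, 22 DNS query), while the field handling and the severity scheme are this example's own choices.

```python
import re

# Observables from this advisory, defanged as published; re-fanged here for matching.
C2_DOMAINS = {d.replace("[.]", ".").lower() for d in """
akamaicontainer[.]com akamaitechcloudservices[.]com azuredeploystore[.]com
azureonlinecloud[.]com azureonlinestorage[.]com dunamistrd[.]com glcloudservice[.]com
journalide[.]org msedgepackageinfo[.]com msstorageazure[.]com msstorageboxes[.]com
officeaddons[.]com officestoragebox[.]com pbxcloudeservices[.]com pbxphonenetwork[.]com
pbxsources[.]com qwepoi123098[.]com sbmsa[.]wiki sourceslabs[.]com
visualstudiofactory[.]com Zacharryblogs[.]com
""".split()}
ICO_STAGING_PATH = "raw.githubusercontent.com/iconstorages/images/"
KNOWN_BAD_SHA256 = {
    "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868": "3cxdesktopapp-18.12.407.msi",
    "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983": "3cxdesktopapp-18.12.416.msi",
    "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02": "ffmpeg.dll",
    "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896": "ffmpeg.dll",
    "11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03": "d3dcompiler_47.dll",
    "4e08e4ffc699e0a1de4a5225a0b4920933fbb9cf123cde33e1674fde6d61444f": "icon13.ico",
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse a key=value event line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def domain_matches(host: str) -> bool:
    """True for an exact C2 domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def triage_event(ev: dict) -> list:
    """Return (severity, reason) findings for one parsed event, following the BOLO list."""
    findings = []
    image = ev.get("Image", "").lower()
    loaded = ev.get("ImageLoaded", "").lower()
    sha = ev.get("SHA256", "").lower()
    host = ev.get("QueryName") or ev.get("DestinationHostname") or ""
    url = ev.get("Url", "").lower()

    if sha in KNOWN_BAD_SHA256:
        findings.append(("high", f"known trojanized file hash ({KNOWN_BAD_SHA256[sha]})"))
    if host and domain_matches(host):
        findings.append(("high", f"contact with advisory C2 domain {host}"))
    if ICO_STAGING_PATH in url:
        findings.append(("high", "download from the GitHub repository that hosted the ICO files"))
    # Sysmon event 3 = network connection: any destination from the app merits review.
    if ev.get("EventID") == "3" and image.endswith("3cxdesktopapp.exe") and not findings:
        findings.append(("medium", "3CXDesktopApp.exe initiated a network connection; review the destination"))
    if "3cxdesktopapp" in image + loaded and not findings:
        findings.append(("info", "3CXDesktopApp present in process data"))
    return findings


def triage_log(lines) -> list:
    """Run triage over many lines; returns (line_index, (severity, reason)) tuples."""
    return [(i, f) for i, line in enumerate(lines) for f in triage_event(parse_event(line))]


# Constructed sample events (simplified Sysmon-style), not real telemetry.
APP = r'"C:\Program Files\3CXDesktopApp\app\3CXDesktopApp.exe"'
SAMPLE_LOGS = [
    f'EventID=1 Image={APP} ParentImage="C:\\Windows\\explorer.exe"',
    f'EventID=7 Image={APP} ImageLoaded="C:\\Program Files\\3CXDesktopApp\\app\\ffmpeg.dll" '
    'SHA256=c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02',
    f'EventID=22 Image={APP} QueryName=msstorageazure.com',
    f'EventID=3 Image={APP} DestinationHostname=cdn.example.test DestinationPort=443',
    'Source=proxy Url="https://raw.githubusercontent.com/IconStorages/images/main/icon13.ico"',
    'EventID=22 Image="C:\\Windows\\System32\\svchost.exe" QueryName=update.microsoft.com',
]


if __name__ == "__main__":
    for idx, (sev, why) in triage_log(SAMPLE_LOGS):
        print(f"line {idx}: [{sev}] {why}")
```

Hash and domain hits are treated as high because they are exact matches to published observables; a network connection from 3CXDesktopApp.exe to an unlisted destination is only medium, since the BOLO item asks for rare or anomalous connections to be reviewed rather than declared malicious.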
