3CXDesktopApp Supply Chain Attack Detection: Active Intrusion Campaign Targeting Millions of 3CX Customers

Cybersecurity experts have uncovered an ongoing adversary campaign exploiting 3CXDesktopApp, a software application for business communication used by 12 million customers worldwide. According to the reports, threat actors gain initial access to the compromised environment, deploy payloads, and then attempt to drop info-stealing malware capable of hijacking login credentials at the final attack stage.

Detecting Potential 3CX 3CXDesktopApp Compromise

To enable organizations to timely spot the attack linked to 3CXDesktopApp, SOC Prime Platform offers a batch of Sigma rules, including open-source ones available for free. Hit the Explore Detections button below and drill down to the detection content set accompanied by the relevant cyber threat context, including MITRE ATT&CK® references, threat intelligence, executable binaries, and mitigations for streamlined threat research.

Additionally, the SOC Prime Team created a free IOC pack for Uncoder to help security practitioners seamlessly generate custom IOC-backed queries tailored to the SIEM, EDR, or XDR platform in use and streamline the investigation of possible incidents. Press the Get IOC Pack button and instantly drill down to the collection of IOCs ready to run in Uncoder.

Explore DetectionsGet IOC Pack

3CXDesktopApp Supply Chain Attack Analysis

At the turn of April 2023, a novel intrusion campaign targeting 3CX customers came to the spotlight in the cyber threat arena. Attackers set their eyes on a popular 3CXDesktopApp software, which has been trojanized and exploited in a supply chain attack exposing millions of global users to a serious threat.

On March 30, CISA issued an alert detailing the ongoing attack against 3CX software and its users. To raise cybersecurity awareness, CISA has urged global organizations to check out the corresponding reports from security vendors, including CrowdStrike and SentinelOne, as well as the latest 3CX DesktopApp security alert to gain more insights into the recently observed adversary activity and timely identify the potential intrusion. The latter alert from 3CX notified the company’s customers and partners of the security flaw related to the updated Electron Windows App v7 affecting Windows and macOS customers. 

3CX suggests that the adversary activity might be a targeted multi-stage attack launched by a nation-backed APT group. CrowdStrike Intelligence team assumes that the campaign can be attributed to the North Korean LABYRINTH CHOLLIMA hacking collective, which might be considered a subset of the infamous Lazarus Group.

In addition, 3CX has informed the customers about the ongoing work on the novel Windows App version with a new certificate. 3CX recommends currently applying the alternative web-based PWA app, which doesn’t need any installation or updates and leverages Chrome Web Security for threat protection.

The infection chain is triggered by installing an MSI file on Windows and a DMG file on macOS app versions. On Windows, the MSI installer further loads and runs a malicious DLL file aimed to further download an icon file within a random sleep period from one to four weeks.

At the final attack stage, the compromised system can be further infected with an infostealer via DLL side-loading, which, according to SentinelOne researchers, can steal data and login creds from popular web browsers.

With the 3CXDesktopApp ongoing attack posing millions of global 3CXDesktopApp users at risk of compromise, cyber defenders are looking for reliable and feasible ways to timely respond to similar threats. By leveraging SOC Prime’s Uncoder AI, which relies on the collective intelligence and the power of AI, security teams can instantly reach relevant IOCs and convert them to performance-optimized hunting queries ready to run in their SIEM or EDR environment.