Multiple cybersecurity firms are warning about an ongoing supply chain attack involving a trojanized version of 3CXDesktopApp used to spread a malicious payload.
3CX is a software-based private branch exchange (PBX) based on the SIP (Session Initiation Protocol) standard. It enables extensions to make calls via the public switched telephone network (PSTN) or via Voice over Internet Protocol (VoIP) services. The 3CXDesktopApp is available for Windows, macOS, Linux and mobile.
The system is used by more than 600,000 companies worldwide, including high-profile organizations such as Toyota, BMW, Coca-Cola, IKEA, McDonald’s, American Express, Turkish Airlines, NHS, and others.
According to reports from Sophos, CrowdStrike, and SentinelOne, the threat actor has been observed targeting Windows and macOS users of the compromised 3CX app.
“The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity,” CrowdStrike noted.
According to SentinelOne researchers, the trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from GitHub and ultimately leads to the download of a third-stage infostealer DLL.
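The ICO-with-appended-base64 staging described above has a simple structural tell that a defender can check for: a well-formed icon ends where its directory entries say it ends, so any bytes past that point are foreign. The following is an added example (not code from 3CX or from any of the vendor reports cited here) that computes the declared end of an ICO file and reports a base64 trailer if one is present; the sample icon and its trailer are constructed inline.

```python
import base64
import re
import struct
from typing import Optional

ICO_HEADER = struct.Struct("<HHH")          # reserved, type (1 = icon), image count
ICO_DIR_ENTRY = struct.Struct("<BBBBHHII")  # w, h, colours, reserved, planes, bpp, size, offset

def ico_declared_size(data: bytes) -> int:
    """Offset where the ICO should end according to its own directory:
    the farthest (image offset + image size) of any entry."""
    if len(data) < ICO_HEADER.size:
        raise ValueError("too short for ICO header")
    reserved, kind, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an ICO file")
    end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size
    for i in range(count):
        entry_off = ICO_HEADER.size + i * ICO_DIR_ENTRY.size
        *_, size, offset = ICO_DIR_ENTRY.unpack_from(data, entry_off)
        end = max(end, offset + size)
    return end

BASE64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def appended_base64(data: bytes) -> Optional[bytes]:
    """Decoded trailer if the bytes past the declared ICO end form a
    base64 string; None for a clean icon or non-base64 slack."""
    tail = data[ico_declared_size(data):].strip()
    if len(tail) < 16 or len(tail) % 4 or not BASE64_RE.match(tail):
        return None
    return base64.b64decode(tail, validate=True)

def build_sample(trailer: bytes) -> bytes:
    """Constructed 1x1 icon with an 8-byte placeholder image, then `trailer`."""
    image = b"\x00" * 8  # placeholder, not a real bitmap
    header = ICO_HEADER.pack(0, 1, 1)
    entry = ICO_DIR_ENTRY.pack(1, 1, 0, 0, 1, 32, len(image),
                               ICO_HEADER.size + ICO_DIR_ENTRY.size)
    return header + entry + image + trailer

CLEAN = build_sample(b"")
SUSPECT = build_sample(base64.b64encode(b"constructed stage-2 marker"))

if __name__ == "__main__":
    print("clean:", appended_base64(CLEAN))      # None
    print("suspect:", appended_base64(SUSPECT))  # decoded trailer
```

Run over icons fetched by the desktop app or found in its cache; a non-empty result is worth escalating even when the decoded content is not itself a recognisable executable.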
“The attack revolves around a DLL sideloading scenario, one with a remarkable number of components involved. This is likely to ensure that customers were able to use the 3CX desktop package without noticing anything unusual about the affected package,” Sophos explained.
Both Sophos and CrowdStrike believe that a nation-state actor may be behind this campaign. While Sophos has not identified a possible culprit, CrowdStrike researchers suspect that a North Korean state-sponsored hacker group they track as Labyrinth Chollima (aka Lazarus Group, APT38, UNC4034, and Zinc) is responsible for this attack.