In late March 2023, PC Matic was alerted to malicious activity coming from 3CXDesktopApp, a phone system software created by business communication software developer 3CX.
What is 3CXDesktopApp?
3CXDesktopApp is a Voice over Internet Protocol (VoIP) desktop client created by business communication software developer 3CX. First published in 2006, 3CX was one of the first VoIP clients used in Microsoft Windows environments. 3CX now runs in both Windows and macOS environments and has separate clients for desktop and mobile.
How did 3CXDesktopApp become compromised?
Initial reports revealed a trojanized version of 3CXDesktopApp delivered through the digitally signed, but compromised, 3CXDesktopApp client. According to Pierre Jourdan, CISO of 3CX, “the issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT.” Simply put, the trojan was injected directly into the 3CXDesktopApp GitHub repository code base, compromising the entire bundled library. The 3CXDesktopApp installer essentially became the trigger for a multi-stage attack chain that uses shellcode to load two compromised DLLs as second-stage payloads; these collect system and browser information, behaviour commonly referred to as an infostealer. It does not appear that the main executable, 3cxdesktopapp.exe, was itself compromised.
Who is responsible for the supply chain attack?
While the investigation is still ongoing, most indications currently point towards Labyrinth Chollima, a state-sponsored hacker group connected to the North Korean-backed Lazarus Group. Labyrinth Chollima and Lazarus Group have a long history of executing similarly complex supply chain attacks.
Who is affected by the 3CXDesktopApp compromise?
3CXDesktopApp is used by more than 12 million daily users across 600,000 companies around the world, including many big names such as American Express, Coca-Cola, McDonald’s, BMW, Honda, Air France, Toyota, Mercedes-Benz, IKEA, and more. While the compromise mostly affected Windows and Mac users who ran the 3CXDesktopApp installer, the full extent of the breach is still being analyzed. 3CX users utilizing the PWA web-based app were not affected, as the malicious files were only found in the desktop application. Most mobile devices, including iOS and Android, were not affected.
How does the 3CXDesktopApp compromise affect PC Matic users?
PC Matic users should not be affected by the 3CXDesktopApp compromise. PC Matic’s software utilizes a default deny strategy called application allowlisting, meaning any known-bad or unknown files are not able to execute. During the early stages of the attack, it was possible for the 3CXDesktopApp to execute because the main .exe file was not compromised. However, the two compromised DLLs were not able to execute. While 3CXDesktopApp was likely not functional because of the missing DLLs, the malware was not able to execute and infect devices. Directly following the attack, all software coming from 3CX was updated to a known-bad status to ensure further attacks would not occur. Since then, 3CX has assured us that the compromised files have been removed. As an additional precaution, we have temporarily updated all 3CX software to unknown in the Global Allowlist to guarantee safety by default, while still enabling businesses to allow 3CX locally if the software is crucial for business operation. Do so with caution, as the attack is still under investigation. The two malicious DLLs remain known-bad and will not be able to execute should any future attacks occur.
How does the 3CXDesktopApp compromise affect users who do not have PC Matic?
If you are utilizing another default deny solution, you will most likely be unaffected as well, but you should verify that the two malicious DLLs are not being executed alongside the installer. PC Matic’s Malware Research team analyzes threats and updates the global allowlist in real time, while other default-deny solutions rely on a traditional manual whitelisting approach. If 3CXDesktopApp was not on your whitelist before the compromise, you should be safe. If it was on your whitelist before the compromise and was not proactively removed, you will likely be affected. Furthermore, if you are not using a default deny solution, you will want to verify that the installer did not run. Specific EDR solutions like SentinelOne and CrowdStrike proactively caught and eliminated the threat, but most antivirus solutions likely did not catch the malicious DLLs before execution, leaving you vulnerable to the attack.
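The allowlist behaviour described in the two answers above (a signed main executable that may run while unknown bundled DLLs are denied, known-bad entries that no local override can re-enable, and a local allow for software a business marks as crucial) can be modelled as a per-module policy check. The example below is added here and is not PC Matic's or 3CX's code; module paths and hashes are constructed placeholders, not 3CX indicators, and the "known-good" / "unknown" / "known-bad" statuses are an assumed encoding of the states the text names.

```python
"""Default-deny evaluation of every module a process loads (added example)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    path: str
    sha256: str
    signed: bool  # a valid code signature is recorded but is not a trust decision here


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: a signed main executable plus two bundled DLLs it loads.
EXE_HASH, DLL1_HASH, DLL2_HASH = (sha256_of(b"main-exe-bytes"),
                                  sha256_of(b"bundled-dll-1"),
                                  sha256_of(b"bundled-dll-2"))
MODULES = [
    Module(r"C:\Program Files\VendorApp\vendorapp.exe", EXE_HASH, True),
    Module(r"C:\Program Files\VendorApp\helper1.dll", DLL1_HASH, True),
    Module(r"C:\Program Files\VendorApp\helper2.dll", DLL2_HASH, True),
]

# Before the incident only the main exe was known; the DLLs had never been seen.
PRE_INCIDENT_ALLOWLIST = {EXE_HASH: "known-good"}
# After the incident: exe moved to unknown, the two DLLs marked known-bad.
POST_INCIDENT_ALLOWLIST = {EXE_HASH: "unknown", DLL1_HASH: "known-bad", DLL2_HASH: "known-bad"}


def decide(module: Module, global_list: dict, local_allow: frozenset) -> str:
    """Default deny: anything absent from the global list is treated as unknown."""
    status = global_list.get(module.sha256, "unknown")
    if status == "known-bad":
        return "deny"  # a local allow never overrides known-bad
    if status == "known-good" or module.sha256 in local_allow:
        return "allow"
    return "deny"  # unknown and not locally allowed


def evaluate_process(modules, global_list, local_allow=frozenset()) -> dict:
    """Map each module path to allow/deny; the app only works if every module is allowed."""
    return {m.path: decide(m, global_list, local_allow) for m in modules}


if __name__ == "__main__":
    for path, verdict in evaluate_process(MODULES, POST_INCIDENT_ALLOWLIST).items():
        print(f"{verdict:5} {path}")
```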
How can I stay protected against future attacks?
The only way to guarantee protection against threat actors is by using cybersecurity software that utilizes a default deny approach for your endpoints. Application allowlisting software is specifically built to prevent unknown or known-bad files from executing, ensuring that potentially malicious files don’t get the chance to infect your devices or network. In this case, even though the main executable still carried a legitimate digital signature, the two malicious DLLs were not known and therefore would not have executed. You should also pay attention to indicators of compromise, such as regular crashing, sudden slow performance due to increased resource usage, or spammy popups.