Trustwave Action Response: Supply Chain Attack Using 3CX PABX Software
Overview
On March 29, a massive supply chain compromise in 3CX software resulted in malware being installed globally across multiple industries. It is similar to other high-profile supply chain attacks like SolarWinds: rather than targeting a single organization, the criminals target a popular service or piece of software used by many large organizations. With a single compromise of the supplier, dozens and potentially hundreds of organizations may fall in turn.
Trustwave is diligently monitoring the situation for exposure and associated attacks and will provide updates here as we have them.
In this case, the supplier is 3CX, a software company that makes a very popular VoIP software phone system. By 3CX’s own count, it serves over 600,000 companies globally and more than 12 million users daily. Its client list contains dozens of highly recognizable corporate entities.
Affected Versions
The trojanized binary affects both the Electron Windows App (versions 18.12.407 and 18.12.416) and the Electron Mac App (versions 18.11.1213, 18.12.402, 18.12.407 and 18.12.416). Users who either installed an update (Update 7) or installed a fresh instance of one of these versions may be affected. As of March 30, Shodan shows close to a quarter of a million publicly exposed 3CX management systems.
Figure 1: Shodan results for publicly exposed 3CX management systems
The full attack results in an Infostealer strain of malware on the victim system via a trojanized DLL.
Attack Chain
Figure 2: 3CX Desktop App infection flow on Windows based system
Upon installing either the full software (via MSI) or the update (Update 7), the software loads ffmpeg.dll which, in turn, sideloads d3dcompiler_47.dll. ffmpeg.dll is then used to extract and decrypt the second-stage malware from d3dcompiler_47.dll. That second stage is encrypted with RC4 using the static key "3jB(2bsG#@c7", which many organizations have pointed to as a static key used in other malware attributed to North Korean (DPRK) state-sponsored threat actors.
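The decryption step above, as an added example that is not code from the Trustwave post, from 3CX, or from the malware itself: a reference RC4 routine of the kind an analyst uses to decrypt a blob encrypted with the static key the post quotes, "3jB(2bsG#@c7", plus a small printable-text heuristic for judging whether a key guess produced real plaintext. The payload is constructed here for the demonstration and is not the real second-stage blob.

```python
"""Added example (not code from the Trustwave post, from 3CX, or from the
malware itself): reference RC4 with the static key the post quotes, and a
plaintext heuristic for checking a key guess. SAMPLE_PLAINTEXT is CONSTRUCTED."""

STATIC_KEY = b"3jB(2bsG#@c7"   # key quoted in the post

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decrypt_second_stage(blob: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Apply the static key to a blob extracted from the carrier file."""
    return rc4(key, blob)

def looks_like_plaintext(data: bytes, threshold: float = 0.9) -> bool:
    """Heuristic: a correct key yields mostly printable/whitespace bytes; a wrong
    key yields keystream-like noise with roughly 38% printable bytes."""
    if not data:
        return False
    printable = sum(1 for c in data if 32 <= c < 127 or c in (9, 10, 13))
    return printable / len(data) >= threshold

# Constructed demo blob: a placeholder "second stage" encrypted with the static key
SAMPLE_PLAINTEXT = b"CONSTRUCTED placeholder for the second-stage payload"
SAMPLE_BLOB = rc4(STATIC_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    recovered = decrypt_second_stage(SAMPLE_BLOB)
    print("recovered:", recovered, "| plaintext-like:", looks_like_plaintext(recovered))
```

The heuristic is what makes a static-key hypothesis testable: decrypt the extracted blob with the candidate key and check whether the output stops looking like random keystream.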
The second-stage malware then waits seven days before attempting to download one of sixteen Windows icon files (.ICO) from a public GitHub repository (since taken down). These fully functional icon files have a base64 string appended to the end of the file, which provides the malware with the URI of its C2 server. At least one of the icons was originally uploaded to GitHub on 7 Dec 2022. The macOS version does not use GitHub to retrieve its C2 server; instead, a list of C2 servers is stored in the file, encoded with a single-byte XOR key.
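The two C2-location mechanisms described above (a base64 string trailing a valid .ICO on Windows, a single-byte-XOR-encoded list on macOS), as an added example that is not code from the Trustwave post, from 3CX, or from the malware: two analyst routines, one that parses the ICO directory to find where the real images end and decodes whatever follows, and one that brute-forces a one-byte XOR key by scoring candidate outputs for printable, URL-like text. The icon bytes, the XOR key (0x5A) and the `.invalid` URLs are constructed placeholders, not the real artefacts.

```python
"""Added example; not code from the Trustwave post, 3CX or the malware.
Analyst routines for the two C2-lookup steps the post describes:
  1. pull the base64 string appended after the last image of a .ICO (Windows);
  2. recover a string list hidden with a single-byte XOR key (macOS).
All sample data below is CONSTRUCTED (placeholder URLs, fake icon, key 0x5A)."""
import base64
import struct
from typing import List, Optional, Tuple

def ico_payload_end(ico: bytes) -> int:
    """Offset just past the last real image in an ICO container.
    ICONDIR: reserved(u16)=0, type(u16)=1, count(u16); then `count` 16-byte
    ICONDIRENTRY records with bytes_in_res at +8 and image_offset at +12."""
    reserved, ico_type, count = struct.unpack_from("<HHH", ico, 0)
    if reserved != 0 or ico_type != 1 or count == 0:
        raise ValueError("not an ICO file")
    end = 6 + 16 * count
    for n in range(count):
        size, offset = struct.unpack_from("<II", ico, 6 + 16 * n + 8)
        end = max(end, offset + size)
    return end

def extract_appended_base64(ico: bytes) -> Optional[str]:
    """Decode base64 text trailing the icon's images; None if nothing is appended."""
    trailer = ico[ico_payload_end(ico):].strip()
    if not trailer:
        return None
    return base64.b64decode(trailer, validate=True).decode("utf-8")

def single_byte_xor_decode(buf: bytes) -> Tuple[int, bytes]:
    """Brute-force a one-byte XOR key. Candidates are scored on printable bytes,
    with a bonus for URL-looking text, since the post says the list holds C2 servers."""
    def score(b: bytes) -> int:
        printable = sum(1 for c in b if 32 <= c < 127 or c in (9, 10, 13))
        return printable + 10 * b.count(b"http")
    candidates = ((k, bytes(c ^ k for c in buf)) for k in range(256))
    return max(candidates, key=lambda kv: score(kv[1]))

def c2_list_from_xor_blob(buf: bytes) -> List[str]:
    """Decode the blob and split it into one entry per line."""
    _, plain = single_byte_xor_decode(buf)
    return [line for line in plain.decode("utf-8", "replace").split("\n") if line]

# ---- constructed sample data (placeholders, not the real artefacts) ----
PLACEHOLDER_URI = "https://c2.example.invalid/storage"
_image = b"\x89PNG" + b"\x00" * 28                       # fake 32-byte image body
_entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(_image), 6 + 16)
SAMPLE_ICO = (struct.pack("<HHH", 0, 1, 1) + _entry + _image
              + base64.b64encode(PLACEHOLDER_URI.encode()))

XOR_KEY = 0x5A
PLACEHOLDER_C2_LIST = ["https://c2-a.example.invalid/v1", "https://c2-b.example.invalid/v2"]
SAMPLE_XOR_BLOB = bytes(c ^ XOR_KEY for c in "\n".join(PLACEHOLDER_C2_LIST).encode())

if __name__ == "__main__":
    print("ICO trailer ->", extract_appended_base64(SAMPLE_ICO))
    key, _ = single_byte_xor_decode(SAMPLE_XOR_BLOB)
    print("XOR key 0x%02x ->" % key, c2_list_from_xor_blob(SAMPLE_XOR_BLOB))
```

Parsing the ICO directory rather than searching for a base64-looking tail matters because the image data itself can legitimately contain long runs of base64-alphabet bytes; anchoring on the declared image extents avoids false extractions.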
After connecting to the C2 server defined in the .ICO file, the final malware stage is downloaded to the victim system. This final stage is a novel, previously unseen Infostealer. It grabs standard system information and browsing history from the Chrome, Edge, Brave, and Firefox browsers.
3CX Scanning Activity
While probably unrelated to this supply chain attack, on March 23rd and 25th we detected suspicious scanning activity on our honeypot instances based in the United States. The scans were aimed at CVE-2022-28005, a vulnerability in the 3CX Phone System Management Console. The vulnerability allows an unauthorized user to read arbitrary files on the server, leading to cleartext credential disclosure. A successfully authenticated attacker can then upload a file that overwrites a 3CX service binary, leading to remote code execution.
Remediation
3CX is currently working on an update to patch the malicious code. In the meantime, 3CX recommends that users uninstall any current version and switch to the unaffected 3CX Progressive Web App (PWA) version of its software.
Attribution
Several organizations attribute this attack to North Korea (DPRK), specifically Lazarus or a sub-organization of that group. Trustwave has not confirmed any attribution at this time.
IOCs
Windows Hashes
3CXDesktopapp-18.12.407.msi
SHA256 | aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
SHA1   | bea77d1e59cf18dce22ad9a2fad52948fd7a9efa
MD5    | f3d4144860ca10ba60f7ef4d176cc736
3CXDesktopApp.exe (v18.12.407)
SHA256 | dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc
SHA1   | 6285ffb5f98d35cd98e78d48b63a05af6e4e4dea
MD5    | bb915073385dd16a846dfa318afa3c19
3CXDesktopApp.exe (v18.12.407) Additional Hashes
SHA256 | 54004dfaa48ca5fa91e3304fb99559a2395301c570026450882d6aad89132a02
SHA1   | 480dc408ef50be69ebcf84b95750f7e93a8a1859
MD5    | 08d79e1fffa244cc0dc61f7d2036aca9
3CXDesktopApp-18.12.416.msi
SHA256 | 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983
SHA1   | bfecb8ce89a312d2ef4afc64a63847ae11c6f69e
MD5    | 0eeb1c0133eb4d571178b2d9d14ce3e9
3CXDesktopApp.exe (v18.12.416)
SHA256 | fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405
SHA1   | 8433a94aedb6380ac8d4610af643fb0e5220c5cb
MD5    | 9833a4779b69b38e3e51f04e395674c6
3CXDesktopApp.exe (v18.12.416) Additional Hashes
SHA256 | a60a61bf844bc181d4540c9fac53203250a982e7c3ad6153869f01e19cc36203
SHA1   | 413d9cbfcbf8d1e8304eab0aa5484f5eec5185f5
MD5    | 704db9184700481a56e5100fb56496ce
ffmpeg.dll
SHA256 | 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
SHA1   | bf939c9c261d27ee7bb92325cc588624fca75429
MD5    | 74bc2d0b6680faa1a5a76b27e5479cbc
d3dcompiler_47.dll
SHA256 | 11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03
SHA1   | 20d554a80d759c50d6537dd7097fed84dd258b3e
MD5    | 82187ad3f0c6c225e2fba0c867280cc9
Final stage Infostealer malware
SHA256 | 8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423
SHA1   | 3b3e778b647371262120a523eb873c20bb82beaf
MD5    | 7faea2b01796b80d180399040bb69835
macOS Hashes
3CXDesktopApp-18.11.1213.dmg
SHA256 | 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290
SHA1   | 19f4036f5cd91c5fc411afc4359e32f90caddaac
MD5    | 5729fb29e3a7a90d2528e3357bd15a4b
3CXDesktopApp.app (v18.11.1213)
SHA256 | 92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61
SHA1   | 5d833bcc679db38a45111269e727ec58b75c8d31
MD5    | 3703770e32820397c6e7e1e1221e6d0d
3CXDesktopapp-latest.dmg (v18.12.416)
SHA256 | e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec
SHA1   | 3dc840d32ce86cebf657b17cef62814646ba8e98
MD5    | d5101c3b86d973a848ab7ed79cd11e5a
3CXDesktopApp.app (v18.12.416)
SHA256 | b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb
SHA1   | f3487a1324f4c11b35504751a5527bc60eb95382
MD5    | ca8c0385ce2b8bdd19423c8b98a5924b
libffmpeg.dylib
SHA256 | a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67
SHA1   | 769383fc65d1386dd141c960c9970114547da0c2
MD5    | 660ea9b8205fbd2da59fefd26ae5115c
C2 Domains
(NOTE: These Domains have been taken down, but existing infected systems may still try to reach out to these hosts)
akamaicontainer[.]com
msedgepackageinfo[.]com
akamaitechcloudservices[.]com
msstorageazure[.]com
azuredeploystore[.]com
msstorageboxes[.]com
azureonlinecloud[.]com
officeaddons[.]com
azureonlinestorage[.]com
officestoragebox[.]com
dunamistrd[.]com
pbxcloudeservices[.]com
glcloudservice[.]com
pbxphonenetwork[.]com
qwepoi123098[.]com
zacharryblogs[.]com
sbmsa[.]wiki
pbxsources[.]com
sourceslabs[.]com
journalide[.]org
visualstudiofactory[.]com
C2 URLs
https[:]//www.3cx[.]com/blog/event-trainings/
https[:]//github[.]com/IconStorages/images
https[:]//raw[.]githubusercontent[.]com/IconStorages/images/main/icon%d.ico
https[:]//akamaitechcloudservices[.]com/v2/storage
https[:]//azureonlinestorage[.]com/azure/storage
https[:]//msedgepackageinfo[.]com/microsoft-edge
https[:]//glcloudservice[.]com/v1/console
https[:]//pbxsources[.]com/exchange
https[:]//msstorageazure[.]com/window
https[:]//officestoragebox[.]com/api/session
https[:]//visualstudiofactory[.]com/workload
https[:]//azuredeploystore[.]com/cloud/services
https[:]//msstorageboxes[.]com/office
https[:]//officeaddons[.]com/technologies
https[:]//sourceslabs[.]com/downloads
https[:]//zacharryblogs[.]com/feed
https[:]//pbxcloudeservices[.]com/phonesystem
https[:]//pbxphonenetwork[.]com/voip
https[:]//msedgeupdate[.]net/Windows
https[:]//msedge[.]com/Windows
https[:]//sbmsa[.]wiki/blog/_insert
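A way to put the indicators above to work, as an added example that is not code from the Trustwave post or from 3CX: a small sweep that checks an installed version against the affected-version lists, looks up a file's SHA256 in a subset of the hash table, and flags DNS queries for the C2 domains (or their subdomains) after refanging the `[.]` notation. The hash and domain values are copied from the post; the DNS log format and the log lines are constructed for the demonstration.

```python
"""Added example, not code from the Trustwave post or from 3CX: an IOC sweep a
defender can run against endpoint and DNS data. Hash and domain values are a
subset copied from the post's IOC tables; version lists come from its
"Affected Versions" section. Log format, log lines and file content are CONSTRUCTED."""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

AFFECTED_VERSIONS = {
    "windows": {"18.12.407", "18.12.416"},
    "macos": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}

# SHA256 -> description, copied from the post (subset)
IOC_SHA256: Dict[str, str] = {
    "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896": "ffmpeg.dll",
    "11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03": "d3dcompiler_47.dll",
    "8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423": "final stage Infostealer",
    "a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67": "libffmpeg.dylib",
}

# Defanged exactly as the post prints them (subset)
DEFANGED_DOMAINS = [
    "akamaicontainer[.]com", "msedgepackageinfo[.]com", "akamaitechcloudservices[.]com",
    "msstorageazure[.]com", "azuredeploystore[.]com", "msstorageboxes[.]com",
    "officeaddons[.]com", "pbxsources[.]com", "sbmsa[.]wiki", "journalide[.]org",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-cased string."""
    return indicator.replace("[.]", ".").replace("[:]", ":").lower()

C2_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

def is_affected_version(platform: str, version: str) -> bool:
    """True if this platform/version pair appears in the post's affected list."""
    return version in AFFECTED_VERSIONS.get(platform.lower(), set())

def hash_match(data: bytes) -> Optional[str]:
    """Return the IOC description if the SHA256 of `data` is a known-bad hash."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())

def matched_c2_domain(qname: str) -> Optional[str]:
    """Return the C2 domain if qname is it or a subdomain of it; None otherwise.
    The leading-dot test keeps e.g. 'notofficeaddons.com' from matching."""
    qname = qname.rstrip(".").lower()
    for d in C2_DOMAINS:
        if qname == d or qname.endswith("." + d):
            return d
    return None

# Constructed (assumed) DNS log format: "<timestamp> <client-ip> query <qname>"
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)")

def domain_hits(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """(client, qname, matched C2 domain) for every query that touches a C2 domain."""
    hits = []
    for line in log_lines:
        m = DNS_LINE.match(line)
        if not m:
            continue
        d = matched_c2_domain(m.group("qname"))
        if d:
            hits.append((m.group("client"), m.group("qname"), d))
    return hits

SAMPLE_DNS_LOG = [  # constructed sample lines
    "2023-03-30T10:00:01Z 10.1.2.3 query www.example.com.",
    "2023-03-30T10:00:05Z 10.1.2.3 query msstorageazure.com.",
    "2023-03-30T10:00:09Z 10.1.2.7 query cdn.officeaddons.com.",
    "2023-03-30T10:00:12Z 10.1.2.9 query notofficeaddons.com.",
]

if __name__ == "__main__":
    print("18.12.407 on Windows affected:", is_affected_version("Windows", "18.12.407"))
    print("constructed file matches IOC:", hash_match(b"CONSTRUCTED benign content"))
    for client, qname, dom in domain_hits(SAMPLE_DNS_LOG):
        print(f"C2 lookup from {client}: {qname} -> {dom}")
```

Because the post notes the domains have been taken down but infected hosts may still try to reach them, the DNS check is the useful one for finding already-compromised endpoints; the hash and version checks find installs that have not yet been cleaned up.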
References
3CX Alert: https://www.3cx.com/blog/news/desktopapp-security-alert/
3CX Remediation: https://www.3cx.com/blog/news/desktopapp-security-alert-updates/
About the Author
Karl Sigler is Security Research Manager, SpiderLabs Threat Intelligence at Trustwave. Karl is a 20-year infosec veteran responsible for research and analysis of current vulnerabilities, malware and threat trends at Trustwave.