On 29th March 2023, there were reports of malicious activity originating from a signed 3CX desktop application. CrowdStrike's Falcon OverWatch claimed to have observed malicious activity from both Windows and macOS binaries.
About 3CX Desktop Application
The product is a softphone application that allows you to make and receive calls from your desktop. The application is currently available for all major operating systems, including Windows, Linux, and macOS. 3CX claims to have more than 600,000 customers globally, so this campaign could have devastating effects.
The currently known affected versions of the Electron application are:
Observations from Malicious Behavior
- The signed binary contacts attacker-controlled infrastructure and deploys a second-stage payload to the victim. In some cases hands-on-keyboard activity has also been observed, i.e. a human operator kept in the loop to evade defenses and move vertically or laterally within the infrastructure.
- SentinelOne has identified cases involving a third-stage information-stealer DLL that was pulled from a GitHub repository (at the time of writing, the repository has been taken down).
- There are also claims that a nation-state threat actor, LABYRINTH CHOLLIMA/ZINC/Lazarus Group/Black Artemis, is involved in this sophisticated supply chain attack.
Based on the known evidence, we can assume that active exploitation of the trojanized Electron application started after 3rd March 2023, while the repository used to host the multi-stage payload had been in use since 8th December 2022. Early alerts were flagged as false positives, and 3CX support staff asked users to remove their EDR solutions as a fix.
The following have been identified as key components of the malicious binary:
- 3CXDesktopApp.exe, the clean loader
- d3dcompiler_47.dll, a DLL with an appended encrypted payload
- ffmpeg.dll, the trojanized malicious loader
The file ffmpeg.dll contains an embedded URL from which it retrieves a malicious encoded .ico payload. The ICO file carries a Base64 payload appended at its end; once decoded, that data is used in some cases to download a further stage. The downloaded DLL appears to be a previously unknown information stealer intended to interface with and exfiltrate saved browser data.
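As an added triage helper (not code from the original post or from any vendor cited here), the following Python parses an ICO file's directory to find where the last declared image resource ends, treats everything after it as an appended trailer, and attempts a strict Base64 decode of that trailer. The sample icon and the decoded text are constructed placeholders, not real indicators from this campaign.

```python
import base64
import binascii
import struct
from typing import Optional

def build_sample_ico(trailer_text: bytes) -> bytes:
    """Constructed sample: a minimal one-entry ICO with 8 placeholder image
    bytes, followed by a Base64 trailer in the style the advisory describes."""
    image = b"\x00" * 8                        # stand-in for a real BMP/PNG icon
    header = struct.pack("<HHH", 0, 1, 1)      # reserved, type=1 (icon), 1 entry
    entry_offset = 6 + 16                      # ICONDIR + one ICONDIRENTRY
    # width, height, colors, reserved, planes, bitcount, bytesInRes, imageOffset
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(image), entry_offset)
    return header + entry + image + base64.b64encode(trailer_text)

def ico_payload_end(data: bytes) -> Optional[int]:
    """Offset where the last declared icon image ends, or None if not an ICO."""
    if len(data) < 6:
        return None
    reserved, ico_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or ico_type not in (1, 2) or count == 0:
        return None
    end = 6 + 16 * count
    for i in range(count):
        off = 6 + 16 * i
        if off + 16 > len(data):
            return None
        size, image_off = struct.unpack_from("<II", data, off + 8)
        end = max(end, image_off + size)
    return end if end <= len(data) else None

def extract_trailer(data: bytes) -> bytes:
    """Bytes after the last declared image resource (empty for a clean icon)."""
    end = ico_payload_end(data)
    return b"" if end is None else data[end:]

def decode_trailer(trailer: bytes) -> Optional[bytes]:
    """Strictly Base64-decode the trailer; None if it is not valid Base64."""
    text = trailer.strip()
    if not text:
        return None
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None

if __name__ == "__main__":
    sample = build_sample_ico(b"constructed-stage2-placeholder")
    print(ico_payload_end(sample), decode_trailer(extract_trailer(sample)))
```

A clean icon yields an empty trailer, so only files with data past the declared image resources need a closer look.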
At the time of writing, some YARA rules are available for threat hunting. All other YARA rules are listed in the reference section.
SentinelOne, CrowdStrike, and Sophos MDR/EDR users will find specific OS queries in their respective advisories (listed in the Reference section).
Indicators of Compromise
All the above-mentioned domains have been blocked as of 30th March 2023. We can also observe that these domains were registered recently. Namecheap is a favorite of threat actors because of the BTC payment options it provides. Among the above-mentioned domains, we were able to find some interesting email addresses in the WHOIS information.
The repository hosting the information stealer malware since 8th December
- Check for the above-mentioned IOCs to identify trojanized versions of the application
- The official recommendation is to use the web app/PWA and not the Electron application for the time being. The instructions can be found here.
- Keep an eye on the evolving campaign
- Traffic Light Protocol - Wikipedia
- CrowdStrike's Reddit advisory
- SentinelOne's advisory on the SmoothOperator campaign
- Sophos advisory
- 3CX community thread
- 3CX official advisory
- YARA rules for detection
- TTPs of the LABYRINTH CHOLLIMA/LAZARUS group