Ongoing Active Trojanized 3CX Desktop App Potentially Affecting 600K Users Globally

On 29 March 2023, there were reports of malicious activity originating from a signed 3CX desktop application. CrowdStrike's Falcon OverWatch has claimed to have observed malicious activity from both the Windows and macOS binaries.

Anirudh Batra
April 3, 2023
Green Alert
Last update posted on February 3, 2024


About 3CX Desktop Application

The product is a softphone application that allows users to make and receive calls from their desktop. The application is currently available for all major operating systems, including Windows, Linux, and macOS. 3CX claims to have more than 600,000 customers globally, so this campaign can have devastating effects.

The currently known affected versions of the Electron application are:

  • v18.12.407
  • v18.12.416

Observations from Malicious Behavior

  • The signed binary contacts attacker-controlled infrastructure and deploys a second-stage payload on the victim. In some cases hands-on-keyboard activity has also been observed, i.e. a human operator kept in the loop to evade defenses and move vertically or laterally through the infrastructure.
  • SentinelOne has identified cases involving a third-stage information stealer DLL that was pulled from a GitHub repository (at the time of writing, the repository has been taken down).
  • There are also claims that a nation-state threat actor, LABYRINTH CHOLLIMA/ZINC/Lazarus Group/Black Artemis, is behind this sophisticated supply chain attack.

Timeline

Threat Analysis

According to the known evidence, we can infer that active exploitation of the trojanized Electron application started after 3 March 2023. The repository used to host the multi-stage payload had been in use since 8 December 2022. Early alerts were dismissed as false positives, and 3CX support staff asked users to remove their EDR solutions as a workaround.

The following have been identified as key components of the malicious binary:

  • 3CXDesktopApp.exe, the clean loader
  • d3dcompiler_47.dll, a DLL with an appended encrypted payload
  • ffmpeg.dll, the trojanized malicious loader

The file ffmpeg.dll contains an embedded URL from which it retrieves a malicious encoded .ico payload. The ICO file carries a Base64-encoded payload appended at its end; once decoded, that data is used in some cases to download a further stage. The DLL downloaded in that stage appears to be a previously unknown information stealer designed to access and exfiltrate saved browser data.

Detection

At the time of writing, several YARA rules are available for threat hunting; the full set is listed in the References section.

One of the rules that can be used to identify the malicious binaries was authored by Florian Roth.

For SentinelOne, CrowdStrike, and Sophos MDR/EDR users, the vendors' advisories (listed in the References section) include specific OS queries.

Indicators of Compromise

| Domain Name | Registered Date (DD/MM/YYYY) | Registrar |
|---|---|---|
| akamaicontainer[.]com | 14/02/2023 | Namecheap |
| akamaitechcloudservices[.]com | 04/01/2023 | Namecheap |
| azuredeploystore[.]com | 13/03/2023 | Namesilo |
| azureonlinecloud[.]com | 13/02/2023 | Namecheap |
| azureonlinestorage[.]com | 05/01/2023 | PublicDomainRegistry |
| msedgepackageinfo[.]com | 05/01/2023 | Namesilo |
| msstorageazure[.]com | 17/11/2022 | Namecheap |
| msstorageboxes[.]com | 09/12/2022 | Namecheap |
| officeaddons[.]com | 09/12/2022 | PublicDomainRegistry |
| officestoragebox[.]com | 17/11/2022 | Namecheap |
| dunamistrd[.]com | 06/12/2022 | Namecheap |
| pbxcloudeservices[.]com | 23/12/2022 | PublicDomainRegistry |
| glcloudservice[.]com | 06/01/2023 | Namecheap |
| pbxphonenetwork[.]com | 25/12/2022 | Namesilo |
| qwepoi123098[.]com | 17/11/2022 | Namecheap |
| zacharryblogs[.]com | 13/12/2022 | Namecheap |
| sbmsa[.]wiki | 09/02/2023 | Namecheap |
| pbxsources[.]com | 04/01/2023 | Namecheap |
| sourceslabs[.]com | 09/12/2022 | eNom, LLC |
| visualstudiofactory[.]com | 17/11/2022 | Namecheap |
| journalide[.]org | 08/04/2022 | Namecheap |

All the above-mentioned domains have been blocked as of 30 March 2023. We can also observe that these domains were registered recently. Namecheap is a threat-actor favourite because of the BTC payment option it offers. For some of the above-mentioned domains, we were able to find interesting email addresses in the WHOIS information.


The repository that had hosted the information stealer since 8 December 2022:

  • github[.]com/IconStorages/images


Recommendations

  • Check for the above-mentioned IoCs to identify trojanized versions of the application.
  • The official recommendation is to use the web app/PWA rather than the Electron application for the time being. The instructions can be found here.
  • Keep monitoring the campaign as it evolves.

References

Appendix

The first known malicious signed binary (3rd March 2023)
