A Comprehensive Analysis of the 3CX Attack

Figure 0 – A cool infographic by Thomas Roccia

InfoStealer Deployed in a Massive Supply Chain Attack

An ongoing supply chain attack has been reported, targeting customers of 3CX, a VoIP IPBX software development company. This attack has been attributed to North Korean Threat Actors (TAs). Currently, the 3CX DesktopApp can be accessed on various platforms, including Windows, macOS, Linux, and mobile.

However, reports have indicated that the ongoing activity related to the supply chain attack has been detected on both Windows and macOS operating systems. The attack involves a Trojanized version of the 3CX, a Voice Over Internet Protocol (VOIP) desktop client, which has been digitally signed. 3CX’s Phone System is utilized by over 600,000 companies globally and has over 12 million daily users.

The highlights of the incident are as follows:

• On March 29, a significant number of EDR providers and antivirus solutions began to identify and signal a warning for the legitimate 3CXDesktopApp.exe binary, which was signed.
• This binary had initiated an update procedure that ultimately led to malicious activity and communication with Command-and-Control servers.
• The 3CX download that was accessible on the official public website was infected with malware. Systems that had already been installed would undergo updates that would ultimately result in the download of this malware.
• The attack involves a multi-stage process that starts with the 3CX desktop application.
• The process of retrieving malicious payloads from GitHub involves a delay of 7 days before the download takes place. This delay could be an attempt to evade detection by security systems monitoring suspicious activities.
• As per reports, the last stage of the attack involves stealing information. This malware can gather system data and take control of data and login credentials stored in user profiles on various web browsers, including Chrome, Edge, Brave, and Firefox.
• Both the Windows and macOS installers for 3CX have been impacted.
• As per researchers, the evidence from GitHub indicates that the infrastructure utilized by the Windows variant was activated on December 7, 2022.
• Additionally, the domains and web infrastructure utilized in the attacks were registered as early as November 2022.

The 3CX Phone Management System can be implemented on-premises. Upon further investigation, we found that over 240,000 publicly exposed instances of this application.

The figure below shows the Shodan search results.

Figure 1 – Exposed Instances

We also came across a Reddit post where a user reported suspicious activity that occurred after updating the 3CX desktop on March 24, 2023. According to the user, the 3cxdesktopapp.exe program accessed browser caches, as revealed by EDR file history data.

Figure 2 – Reddit Post

According to 3CX, the recent attack was a result of infected bundled libraries that were compiled into the Windows Electron App through GIT. The vendor has also stated, “Electron Windows App shipped in Update 7, version numbers 18.12.407 & 18.12.416, includes a security issue. Anti-Virus vendors have flagged the executable 3CXDesktopApp.exe and in many cases uninstalled it. Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 & 18.12.416 are also affected.”

The .msi file, when executed, drops two malicious files – “ffmpeg.dll” and “d3dcompiler_47.dll” – in the location C:\Users[user_name]\AppData\Local\Programs\3CXDesktopApp\app.

The infection begins when the benign file “3CXDesktopApp.exe” loads “ffmpeg.dll”. Then, “ffmpeg.dll” decrypts the encrypted code from “d3dcompiler_47.dll”, which seems to be a shellcode.

This shellcode loads another DLL file that tries to access the IconStorages GitHub page to find an .ico file containing the encrypted Command-and-Control (C&C) server. After locating the C&C server, the backdoor establishes a connection to retrieve the potential final payload.

The figure below shows the infection flow.

Figure 3 – Infection chain

Technical Analysis

The MSI package installer that has been compromised has a digital signature, and its appearance resembles that of a legitimate file, as shown below.

Figure 4 – Digitally signed MSI installer

Upon installation, the MSI package installer drops files such as “3CXDesktopApp.exe”, “ffmpeg.dll”, and “d3dcompiler_47.dll” in the %LocalAppData% directory of the system.

• %LocalAppData%\Programs\3CXDesktopApp\app\

These files are associated with malicious behavior and are accompanied by other supporting files.

The figure below displays the directory where the “3CXDesktopApp” application has been installed.

Figure 5 – 3CXDesktop installation folder

After installation, the “3CXDesktopApp.exe” file is executed, which is usually benign but can be utilized to load the malicious DLL, as shown below.

Figure 6 – 3CXDesktop.exe loading ffmpeg.dll file

The figure below illustrates the process tree of the “3CXDesktopApp” application.

Figure 7 – Process tree

The “3CXDesktopApp.exe” loads the “ffmpeg.dll” file, which is a malicious DLL that has been specifically designed to read, load, and execute harmful shellcode from the “d3dcompiler_47.dll” file.

When executed, the “ffmpeg.dll” creates a new event, “AVMonitorRefreshEvent“, identifies the current file path, and searches for the next file in the sequence, which is “d3dcompiler_47.dll”. Once identified, the “ffmpeg.dll” loads the “d3dcompiler_47.dll” file into memory, as illustrated in the assembly code shown below.

Figure 8 – ffmpeg.dll file is loading d3dcompiler_47.dll

Although the loaded “d3dcompiler_47.dll” is signed by Microsoft, it has an encrypted payload embedded within it. The “ffmpeg.dll” file now identifies the encrypted payload indicated by a particular marker, ‘0xCEFAEDFE’, as shown below.

Figure 9 – Identifying encrypted payload in “d3dcompiler_47.dll”

Once the encrypted payload has been identified, the “ffmpeg.dll” proceeds to decrypt the RC4 stream using the key “3jB(2bsG#@c7“. This decryption process results in a shellcode which is then executed by the DLL file.

The figure below shows the RC4 loop and decrypted shellcode function.

Figure 10 – RC4 loop and decrypted shellcode

After decryption, the “ffmpeg.dll” file employs the VirtualProtect() function to alter the memory access permissions of the shellcode. Once the permissions have been changed, the malware proceeds to execute the payload.

An embedded DLL file is present within the decrypted shellcode, as shown in the below figure, which appears to be functioning as a loader for another PE file.

Figure 11 – Embedded DLL file inside Shellcode

After being loaded and executed, the embedded DLL file in the shellcode initiates a sleep state of 7 days before trying to establish communication with Command and Control (C&C) servers. Subsequently, the DLL will attempt to access a GitHub repository that contains an .ICO file.

Figure 12 – Hardcoded GitHub link to download the .ICO file

This ICO file comprises the encrypted C&C strings, which are encoded using Base64 and encrypted with AES & GCM encryption. The Base64 contents are located at the end of the ICO image file, as shown below.

Figure 13 – Base64-encoded string at the end of ICO file

Upon execution, the DLL file decrypts the C&C URLs from the ICO files for downloading additional payloads from the remote server. To obtain distinct C&C URLs, the malware randomly selects an ICO file from a GitHub repository. Unfortunately, we were unable to verify the specific characteristics of these payloads as the corresponding GitHub repository was taken down prior to this analysis.

Researchers discovered that the final stage of malware is a stealer, which can extract system information and steal sensitive information from popular web browsers, such as Chrome, Edge, Brave, and Firefox.

Conclusion

The potential damage caused by the 3CXDesktopApp supply chain attack is significant, including the theft of sensitive user data. Organizations affected by this attack should immediately take steps to prevent it from causing widespread harm. The current investigation suggests that the threat actor behind this attack is skilled and persistent.

The consequences of such an attack, such as financial loss, reputational impact, and the loss of customer trust, are severe. It is crucial that organizations remain vigilant and take proactive measures to secure their supply chains to prevent similar attacks in the future.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

• Thoroughly investigate all systems to determine the scope and extent of the attack, including identifying all affected systems and data.
• Conduct regular security audits of your supply chain to ensure that all third-party software and components are trustworthy and secure.
• Monitor your network regularly for any suspicious activity or behavior indicating a security breach, such as unauthorized access attempts or data exfiltration.
• Stay up-to-date with the latest threat intelligence and security news to stay informed about emerging threats and vulnerabilities. This will help to mitigate risks proactively and respond quickly in the event of an attack.
• Using a reputed antivirus and internet security software package is recommended on connected devices, including PCs, laptops, and mobile devices.
• Block URLs that could be leveraged to spread malware.

MITRE ATT&CK® Techniques

Indicators of Compromise (IOCs)

Yara Rules

• https://github.com/volexity/threat-intel/blob/main/2023/2023-03-30%203CX/indicators/rules.yar
• signature-base/gen_mal_3cx_compromise_mar23.yar at master · Neo23x0/signature-base · GitHub

Reference:

3CX DesktopApp Security Alert

We regret to inform our partners and customers that our electron windows app shipped in Update 7, version numbers 18.12.407 & 18.12.416, includes a security issue. Anti Virus vendors have flagged the executable 3CXDesktopApp.exe and in many cases uninstalled it. The issue appears to be one of the bundled libraries that we compiled into the Windows electron app via GIT. We’re still

www.3cx.com

SmoothOperator | Ongoing Campaign Trojanizes 3CX Software in Software Supply Chain Attack

Trojanized malicious installers for enterprise PBX software kick off a multi-stage attack chain designed to deliver infostealer malware at scale.

www.sentinelone.com

Information on Attacks Involving 3CX Desktop App

In late March 2023, security researchers revealed that threat actors were actively abusing a popular business communication software from 3CX.

www.trendmicro.com