Security researchers have discovered an ongoing supply chain compromise affecting 3CXDesktopApp, the voice and video conferencing Private Automatic Branch Exchange (PABX) enterprise call routing software developed by 3CX, a business communications software company. The company website claims that 3CX has 600,000 customer companies with 12 million daily users. The 3CX PBX client is available for Windows, macOS, and Linux; there are also mobile versions for Android and iOS, as well as a Chrome extension and a Progressive Web App (PWA) browser-based version of the client.
The 3CXDesktopApp application serves as a shellcode loader, with the shellcode executed from heap space. The shellcode reflectively loads a DLL, removing the “MZ” at the start. That DLL is in turn called via a named export, ‘DllGetClassObject’. SentinelOne researchers found that this stage then downloads icon files from a dedicated GitHub repository; these ICO files have Base64 data appended at the end. That data is decoded and used to download another stage. At this time, the DLL appears to be a previously unknown info stealer intended to interface with browser data, likely to enable future operations as the attackers sift through the mass of infected downstream customers.
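A defender-side check for the ICO trick described above, added here as an example and not code from SentinelOne or 3CX: parse the ICO directory, compute where the declared images end, and flag any trailing bytes that decode as Base64. The sample ICO and the appended string are constructed placeholders, not artefacts from the campaign.

```python
import base64
import struct

ICONDIR_FMT = "<HHH"            # reserved (0), type (1 = icon), image count
ICONDIRENTRY_FMT = "<BBBBHHII"  # width, height, colours, reserved, planes, bpp, size, offset
B64_CHARS = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\r\n")


def ico_payload_end(data: bytes) -> int:
    """Offset where the last image referenced by the ICO directory ends."""
    if len(data) < 6:
        raise ValueError("too short to be an ICO")
    reserved, ico_type, count = struct.unpack_from(ICONDIR_FMT, data, 0)
    if reserved != 0 or ico_type != 1 or count == 0:
        raise ValueError("not a valid ICO header")
    end = 6 + 16 * count  # the directory itself
    for i in range(count):
        *_, size, offset = struct.unpack_from(ICONDIRENTRY_FMT, data, 6 + 16 * i)
        end = max(end, offset + size)
    return end


def find_appended_data(data: bytes) -> dict:
    """Report bytes past the declared images and whether they decode as Base64."""
    end = ico_payload_end(data)
    trailer = data[end:]
    result = {"truncated": end > len(data),  # directory points past EOF
              "trailing_bytes": len(trailer), "looks_base64": False, "decoded": b""}
    if trailer and set(trailer) <= B64_CHARS:
        try:
            result["decoded"] = base64.b64decode(trailer)
            result["looks_base64"] = True
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    return result


def build_sample_ico(image: bytes) -> bytes:
    """Constructed one-image ICO whose single directory entry points at `image`."""
    header = struct.pack(ICONDIR_FMT, 0, 1, 1)
    entry = struct.pack(ICONDIRENTRY_FMT, 1, 1, 0, 0, 1, 32, len(image), 6 + 16)
    return header + entry + image


CLEAN_ICO = build_sample_ico(b"\x00" * 40)                                  # constructed, benign
TAMPERED_ICO = CLEAN_ICO + base64.b64encode(b"placeholder-next-stage-url")  # constructed, appended

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICO), ("tampered", TAMPERED_ICO)):
        print(name, find_appended_data(blob))
```

Run it over a directory of ICO files pulled from endpoints to triage which ones carry a Base64 trailer; a legitimate icon ends exactly where its directory says it does.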
The final stage (cad1120d91b812acafef7175f949dd1b09c6c21a) implements info stealer functionality, including gathering system information and browser information from the Chrome, Edge, Brave, and Firefox browsers. That includes querying browsing history: the Places table for Firefox-based browsers and the History table for Chrome-based browsers.
Analyst Notes
This morning, 3CX published a press release addressing the situation. The apologetic press release explained that their Electron Windows App shipped in Update 7, version numbers 18.12.407 and 18.12.416, included a security issue. Antivirus vendors have flagged the executable 3CXDesktopApp.exe and in many cases uninstalled it. Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 and 18.12.416 are also affected. 3CX strongly suggests that users deploy their PWA app instead. They claim the PWA app is completely web-based and does 95% of what the Electron app does. The advantage is that it does not require any installation or updating, and Chrome web security is applied automatically. Additionally, CISA published both SentinelOne's and CrowdStrike's reports on the trojanized application. CISA urges users and organizations to review the reports for more information and hunt for the listed indicators of compromise (IOCs) for potential malicious activity.
Sources:
https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
https://www.3cx.com/blog/news/desktopapp-security-alert/