A supply chain attack has targeted the installer for a specific version of the 3CX voice and video desktop client, resulting in the installation of malware after users download and run the affected binary.
The campaign began last week and security software from SentinelOne, CrowdStrike, and other firms began detecting unusual activity from signed 3CX binaries, leading researchers to investigate. What they discovered is an apparent supply chain attack that involves a broad set of domains and other infrastructure and could have serious consequences for the company’s customers.
3CX is a software video and voice calling application that has both desktop and mobile versions. The version affected in this campaign is the desktop app, and researchers say they have seen malicious activity on both Windows and macOS machines. Researchers at CrowdStrike tentatively connected the attack to a group they call Labyrinth Chollima, an APT team that is connected to the notorious North Korean Lazarus Group attackers.
“The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT,” said Pierre Jourdan, CISO of 3CX.
“The domains contacted by this compromised library have already been reported, with the majority taken down overnight. A github repository which listed them has also been shut down, effectively rendering it harmless. Worth mentioning – this appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware. The vast majority of systems, although they had the files dormant, were in fact never infected.”
Patrick Wardle, a prolific security researcher who specializes in iOS and macOS, confirmed that he found a macOS version of the 3CX app that also had been compromised.
Researchers at SentinelOne began seeing indications of the malicious activity on March 22 and immediately investigated the anomalies. It quickly became clear that some organizations were trying to install a trojanized version of the 3CX desktop app. The binary in question is 3CXDesktopApp, and researchers at CrowdStrike said it was signed with a valid digital certificate. The affected versions are 18.12.407 and 18.12.416.
“As we actively analyze the malicious installer, we see an interesting multi-stage attack chain unfolding. The 3CXDesktopApp application serves as a shellcode loader with shellcode executed from heap space. The shellcode reflectively loads a DLL, removing the ‘MZ’ at the start,” Juan Andres Guerrero-Saade of SentinalOne said in a blog post late Wednesday.
“These ICO files have Base64 data appended at the end. That data is then decoded and used to download another stage. At this time, the DLL appears to be a previously unknown infostealer meant to interface with browser data, likely in an attempt to enable future operations as the attackers sift through the mass of infected downstream customers. We have issued a takedown request for this repository. The final stage implements infostealer functionality, including gathering system information and browser information from Chrome, Edge, Brave, and Firefox browsers. That includes querying browsing history and data from the Places table for Firefox-based browsers and the History table for Chrome-based browsers.”
SentinelOne has named this campaign SmoothOperator and say that the binaries involved have been signed with a legitimate code-signing certificate, a tactic that helps malicious binaries evade some security mechanisms.
“Our investigation into the threat actor behind this supply chain is ongoing. The threat actor has registered a sprawling set of infrastructure starting as early as February 2022, but we don’t yet see obvious connections to existing threat clusters,” Guerrero-Saade said.
3CX’s Jourdan said that the company is working on a new Windows version of the app and suggested that affected customers use the PWA app rather than the Windows app.
