3CX said it’s working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that’s using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers.
“The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage infostealer DLL,” SentinelOne researchers said.
The cybersecurity firm is tracking the activity under the name SmoothOperator, stating the threat actor registered a massive attack infrastructure as far back as February 2022.
3CX, the company behind 3CXDesktopApp, claims to have more than 600,000 customers and 12 million users in 190 countries, some of which include well-known names like American Express, BMW, Honda, Ikea, Pepsi, and Toyota, among others.
While the 3CX PBX client is available for multiple platforms, Sophos, citing telemetry data, pointed out that the attacks observed so far are confined to the Windows Electron client of the PBX phone system.
The infection chain, in a nutshell, takes advantage of the DLL side-loading technique to load a rogue DLL (ffmpeg.dll) that’s designed to retrieve an icon file (ICO) payload. The GitHub repository hosting the file has since been taken down.
The information stealer is capable of gathering system information and sensitive data stored in Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers.
Cybersecurity firm CrowdStrike said it suspects the attack to be linked to a North Korean nation-state actor it tracks as Labyrinth Chollima (aka Nickel Academy), a sub-cluster within the notorious Lazarus Group.
“The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity,” CrowdStrike added.
In a forum post, 3CX’s CEO Nick Galea said it’s in the process of issuing a new build over the next few hours, and noted that Android and iOS versions are not impacted. “Unfortunately this happened because of an upstream library we use became infected,” Galea said, without specifying more details.
In the interim, the company is urging its customers to uninstall the app and install it again, or alternatively use the PWA client.