🚨3CX Desktop App hacked, largest data theft in history?

Over 600k companies and 12M daily users at risk worldwide

Executive Summary

A new supply chain attack dubbed “SmoothOperator” against the 3CX desktop client is a major concern for millions of users worldwide, including high-profile companies and organizations such as American Express, Coca-Cola, McDonald’s, BMW, Honda, Air France, NHS, Toyota, Mercedes-Benz, IKEA, and Holiday Inn. Because the trojanized version of 3CX’s desktop client connects to one of the attacker-controlled domains, users should remain vigilant and take necessary precautions, such as updating their security software and being cautious when downloading updates or installing software.


What happened?

3CX, a VoIP IPBX software development company whose 3CX Phone System is used by over 12 million daily users and 600,000 companies worldwide, has recently fallen victim to a supply chain attack. Sophos, SentinelOne, and CrowdStrike have all issued alerts that warn customers of the threat, urging them to take action immediately. The attacker has taken advantage of the company’s desktop client, which is widely used and is downloaded from the company’s website.

According to vx-underground, Sophos and CrowdStrike were among the first to detect the suspicious activity, which involved beaconing to attacker-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity. Sophos’ threat intelligence team also confirmed that the spawning of an interactive command shell was the most common post-exploitation activity observed.

The researchers suspect that the North Korean-backed hacking group Labyrinth Chollima is behind this attack, although Sophos’ team cannot verify this attribution with high confidence. Labyrinth Chollima activity is known to overlap with other threat actors tracked as Lazarus Group by Kaspersky, Covellite by Dragos, UNC4034 by Mandiant, Zinc by Microsoft, and Nickel Academy by Secureworks. CrowdStrike applies an in-depth analytic process to its adversary naming conventions.

SmoothOperator software supply chain attack

The supply chain attack, named “SmoothOperator,” starts when the MSI installer is downloaded from 3CX’s website or when an update is pushed to an already installed desktop application. During the update process, a malicious ffmpeg.dll and a d3dcompiler_47.dll are extracted. Sophos has confirmed that the 3CXDesktopApp.exe executable itself is not malicious, but it sideloads the malicious ffmpeg.dll, which then extracts an encrypted payload from d3dcompiler_47.dll and executes it.

The attacker has registered a sprawling set of infrastructure starting as early as February 2022, according to SentinelOne, which however does not yet see any obvious connections to existing threat clusters. The trojanized version of 3CX’s desktop client will connect to one of the attacker-controlled domains discovered by CrowdStrike, including officeaddons.com, pbxcloudservices.com, and msstorageboxes.com.

The first-stage malware uses Base64 strings embedded in ICO files to download a final payload to the compromised devices, a previously unknown information-stealing malware downloaded as a DLL. This malware is capable of harvesting system information and stealing data and stored credentials from Chrome, Edge, Brave, and Firefox user profiles.
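As an added illustration (not part of the original article, and not 3CX’s or any vendor’s code), the following Python walks the ICO directory to find where the declared image data ends and reports whether a Base64 string has been appended beyond it, which is one way a defender can triage icon files like the ones described above. The sample icon and the appended string are constructed here, and the assumption that the Base64 sits after the image data rather than inside it is this example’s own.

```python
import base64
import re
import struct
from typing import Optional

# Constructed sample: a minimal one-entry ICO whose declared image data ends at
# byte 30, followed (in the tainted copy) by an appended Base64 string.
ICO_HEADER = struct.pack("<HHH", 0, 1, 1)        # reserved=0, type=1 (icon), count=1
IMAGE_DATA = b"\x00" * 8                         # placeholder image bytes
# ICONDIRENTRY: width, height, colours, reserved, planes, bitcount, size, offset
ENTRY = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 1, len(IMAGE_DATA), 6 + 16)
CLEAN_ICO = ICO_HEADER + ENTRY + IMAGE_DATA
# Constructed placeholder, not a real indicator from the campaign.
APPENDED = base64.b64encode(b"https://example.invalid/stage2")
TAINTED_ICO = CLEAN_ICO + APPENDED

# A run of at least 16 Base64 alphabet characters with optional padding.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]{16,}={0,2}$")


def ico_trailing_data(blob: bytes) -> bytes:
    """Return every byte that lies after the last image the ICO directory declares."""
    if len(blob) < 6:
        raise ValueError("too short for an ICO header")
    reserved, res_type, count = struct.unpack_from("<HHH", blob, 0)
    if reserved != 0 or res_type != 1:
        raise ValueError("not an ICO file")
    end = 6 + 16 * count  # directory itself ends here
    for i in range(count):
        # dwBytesInRes and dwImageOffset sit at +8 and +12 inside each entry
        size, offset = struct.unpack_from("<II", blob, 6 + 16 * i + 8)
        if offset + size > len(blob):
            raise ValueError("directory entry points past end of file")
        end = max(end, offset + size)
    return blob[end:]


def appended_base64(blob: bytes) -> Optional[bytes]:
    """Decode an appended Base64 string if one follows the image data, else None."""
    tail = ico_trailing_data(blob).strip()
    if tail and B64_RE.match(tail):
        return base64.b64decode(tail)
    return None


if __name__ == "__main__":
    for name, ico in (("clean", CLEAN_ICO), ("tainted", TAINTED_ICO)):
        print(name, appended_base64(ico))
```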

vx-underground has already suggested it to be the “largest data theft in history”.

Here at Kaduu we urge anyone using the 3CX Desktop app to check for indicators of compromise, remain vigilant and take necessary precautions, such as updating your security software and being cautious when downloading updates or installing software.

If you liked this article, we advise you to read our previous article about the new ChatGPT Chrome extension that steals user accounts. Follow us on Twitter and LinkedIn for more content.

Stay up to date with information exposed online. Kaduu, with its cyber threat intelligence service, offers affordable insight into the darknet, social media and the deep web.