A digitally signed and trojanized version of the 3CX Voice Over Internet Protocol (VOIP) desktop client is reportedly being used to target the company’s customers in an ongoing supply chain attack.
3CX is a VoIP IPBX software development company whose 3CX Phone System is used by more than 600,000 companies worldwide and has over 12 million daily users.
The company’s customer list includes a long list of high-profile companies and organizations like American Express, Coca-Cola, McDonald’s, BMW, Honda, AirFrance, NHS, Toyota, Mercedes-Benz, IKEA, and HollidayInn.
According to alerts from security researchers from Sophos and CrowdStrike, the attackers are targeting both Windows and macOS users of the compromised 3CX softphone app.
“The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity,” CrowdStrike’s threat intel team said.
“The most common post-exploitation activity observed to date is the spawning of an interactive command shell,” Sophos added in an advisory issued via its Managed Detection and Response service.
While CrowdStrike suspects a North Korean state-backed hacking group it tracks as Labyrinth Collima is behind this attack, Sophos’ researchers say they “cannot verify this attribution with high confidence.”
Labyrinth Collima activity is known to overlap with other threat actors tracked as Lazarus Group by Kaspersky, Covellite by Dragos, UNC4034 by Mandiant, Zinc by Microsoft, and Nickel Academy by Secureworks.
Tagged as malicious by security software
CrowdStrike says that the trojanized version of 3CX’s desktop client will connect to one of the following attacker-controlled domains:
| akamaicontainer[.]com | msedgepackageinfo[.]com |
| akamaitechcloudservices[.]com | msstorageazure[.]com |
| azuredeploystore[.]com | msstorageboxes[.]com |
| azureonlinecloud[.]com | officeaddons[.]com |
| azureonlinestorage[.]com | officestoragebox[.]com |
| dunamistrd[.]com | pbxcloudeservices[.]com |
| glcloudservice[.]com | pbxphonenetwork[.]com |
| qwepoi123098[.]com | zacharryblogs[.]com |
| sbmsa[.]wiki | pbxsources[.]com |
| sourceslabs[.]com | journalide[.]org |
| visualstudiofactory[.]com |
Some of the domains mentioned by customers that the desktop client attempted to connect to include azureonlinestorage[.]com, msstorageboxes[.]com, and msstorageazure[.]com.
BleepingComputer tested an allegedly trojanized version of the software but was not able to able to trigger any connections to these domains.
However, multiple customers in 3CX’s forums have stated that they have been receiving alerts starting one week ago, on March 22, saying that the VoIP client app was marked malicious by SentinelOne, CrowdStrike, and ESET security software.
Customers report that the security alerts are triggered after installing the 3CXDesktopApp 18.12.407 and 18.12.416 Windows versions or the 18.11.1213 and the latest version on Macs.
One of the trojanized 3CX softphone client samples shared by CrowdStrike was digitally signed over three weeks ago, on March 3, 2023, with a legitimate 3CX Ltd certificate issued by DigiCert.
BleepingComputer confirmed this same certificate was used in older versions of the software.
While SentinelOne detects “penetration framework or shellcode” while analyzing the 3CXDesktopApp.exe binary and ESET tags it as a “Win64/Agent.CFM” trojan, CrowdStrike’s Falcon OverWatch managed threat hunting service warns users to investigate their systems for malicious activity “urgently.”
Even though 3CX’s support team members tagged it as a potential SentinelOne false positive in one of the forum threads filled with customer reports on Wednesday, the company is yet to acknowledge the issues publicly.
A 3CX spokesperson didn’t reply to a request for comment when BleepingComputer reached out earlier today.
