This advisory is for organizations that use the 3CXDesktopApp product (the Electron Windows/macOS app). This application is used by businesses to provide VoIP services.
This has not received a CVE or CVSS score yet, but it should be treated as a critical vulnerability.
Supply Chain Attack 3CXDesktopApp
3CX has notified its clients that the 3CX VoIP Desktop Application has been compromised so that it delivers malware via legitimate 3CX update pathways in a supply-chain attack. At this time there is no patch available, and leaving the application active in the environment could expose organizations to threat actors.
Affected Versions:
Electron Windows App
18.12.407
18.12.416
Electron Mac App
18.11.1213
18.12.402
18.12.407
18.12.416
The signed binary 3CXDesktopApp.exe executes an update process that conducts command-and-control (C2) communication with numerous external servers. The updater pulls down trojanized updates, including a backdoored ffmpeg.dll, which then downloads and extracts a secondary payload, d3dcompiler_47.dll. Current reports are that the final payload sleeps for 7 days before reaching out to GitHub (https[:]//raw[.]githubusercontent[.]com/IconStorages/images/main/icon%d.ico) to decrypt C2 URLs and begin communication. Current observed C2 URLs include:
It is important to note that although the GitHub page has been taken down, it is unknown whether this fully remediates the malware or whether attackers retain other access to deployments running the compromised builds.
Detections
Windows Defender is detecting this attack chain using the threat name Trojan:Win64/SamScissor.
Multiple antivirus packages have been reported to detect this application as malicious.
Hash values for the compromised binaries
3CXDesktopApp.exe:
SHA256: a60a61bf844bc181d4540c9fac53203250a982e7c3ad6153869f01e19cc36203 (v. 18.12.416)
SHA256: 5d99efa36f34aa6b43cd81e77544961c5c8d692c96059fef92c2df2624550734 (v. 18.12.416)
SHA256: 54004dfaa48ca5fa91e3304fb99559a2395301c570026450882d6aad89132a02 (v. 18.12.407)
SHA256: d45674f941be3cca2fbc1af42778043cc18cd86d95a2ecb9e6f0e212ed4c74ae (v. 18.12.407)
3CXDesktopApp MSI Installer:
SHA256: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
SHA256: 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983
3CXDesktopApp MacOS:
SHA256: 92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61
SHA256: b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb
SHA256: a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67
3CXDesktopApp MacOS DMG Installer:
SHA256: 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290
SHA256: e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec
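As an added example (not part of the original advisory), the following Python triage script hashes candidate binaries and matches them against the SHA256 values listed above. The default install paths are assumptions; pass your own paths as arguments if they differ.

```python
import hashlib
import os
import sys

# SHA256 values taken from the advisory above, mapped to (artifact, version).
KNOWN_BAD = {
    "a60a61bf844bc181d4540c9fac53203250a982e7c3ad6153869f01e19cc36203": ("3CXDesktopApp.exe", "18.12.416"),
    "5d99efa36f34aa6b43cd81e77544961c5c8d692c96059fef92c2df2624550734": ("3CXDesktopApp.exe", "18.12.416"),
    "54004dfaa48ca5fa91e3304fb99559a2395301c570026450882d6aad89132a02": ("3CXDesktopApp.exe", "18.12.407"),
    "d45674f941be3cca2fbc1af42778043cc18cd86d95a2ecb9e6f0e212ed4c74ae": ("3CXDesktopApp.exe", "18.12.407"),
    "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868": ("3CXDesktopApp MSI installer", "n/a"),
    "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983": ("3CXDesktopApp MSI installer", "n/a"),
    "92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61": ("3CXDesktopApp macOS", "n/a"),
    "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb": ("3CXDesktopApp macOS", "n/a"),
    "a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67": ("3CXDesktopApp macOS", "n/a"),
    "5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290": ("3CXDesktopApp macOS DMG installer", "n/a"),
    "e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec": ("3CXDesktopApp macOS DMG installer", "n/a"),
}

# Assumed default install locations (not taken from the advisory); adjust to your deployment.
DEFAULT_ROOTS = [
    os.path.join(os.environ.get("LOCALAPPDATA", ""), "Programs", "3CXDesktopApp"),
    "/Applications/3CX Desktop App.app",
]


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify_hash(digest):
    """Return (artifact, version) if the digest is a listed compromised build, else None."""
    return KNOWN_BAD.get(digest.lower())


def scan_paths(roots):
    """Walk each root, hash every regular file, and return (path, artifact, version) for matches."""
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):  # silently yields nothing for a missing root
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    match = classify_hash(sha256_file(p))
                except OSError:
                    continue  # unreadable or locked file; skip rather than abort the scan
                if match:
                    hits.append((p, *match))
    return hits


if __name__ == "__main__":
    for path, artifact, version in scan_paths(sys.argv[1:] or DEFAULT_ROOTS):
        print(f"MATCH {path}: {artifact} {version}")
```

A hash match confirms a listed compromised build; a clean result does not prove the host is clean, since the dropped ffmpeg.dll and d3dcompiler_47.dll hashes are not part of this list.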
Mitigations:
3CX will be issuing a patch and an updated signing certificate for the Windows app. They do not mention their plans for the macOS app.
3CX recommends that clients use the PWA app, which is fully web-based, contains much of the functionality of the Electron app, and is not subject to the supply-chain attack.
Additional Information:
https://www.3cx.com/blog/news/desktopapp-security-alert/
https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp