Supply-chain attack on 3CX clients

Cybercriminals are attacking 3CX VoIP telephony software users via trojanized applications.

Supply chain attack on 3CX customers

Various media sources are reporting a mass supply-chain attack targeting 3CX VoIP telephony system users. Unknown attackers have managed to infect 3CX VoIP applications for both Windows and macOS. Now the cybercriminals are attacking their users via a weaponized application signed with a valid 3CX certificate. The list of those users is quite something — consisting of more than 600,000 companies, including well-known brands from all over the world (American Express, BMW, Air France, Toyota, IKEA). A number of researchers have dubbed this malicious attack SmoothOperator.

Apparently, trojans are hiding in all versions of the software that were released after March 3; that is, builds 18.12.407 and 18.12.416 for Windows, and 18.11.1213 and newer for macOS. According to 3CX representatives, the malicious code got into the program because of some unnamed trojanized open-source component that was used by the development team.

The attack via trojanized 3CX software

Citing researchers from various companies, BleepingComputer describes the attack mechanism via a trojanized Windows client as follows:

  • The user either downloads an installation package from the company’s official website and runs it, or receives an update for an already installed program;
  • Once installed, the trojanized program creates several malicious libraries, which are used for the next stage of the attack;
  • The malware then downloads .ico files hosted on GitHub with additional lines of data inside;
  • These lines are then used to download the final malicious payload — the one used to attack end users.

The mechanism for attacking macOS users is somewhat different. You can find its detailed description on the website of the Objective-See non-profit foundation.

What are the hackers after?

The downloaded malware is able to gather information about the system, as well as steal data and save credentials from Chrome, Edge, Brave, and Firefox browsers’ user profiles. In addition, attackers can deploy an interactive command shell, which, theoretically, allows them to do almost anything with the victim’s computer.

Kaspersky experts studied the backdoor used by attackers as a part of final payload. According to their analysis, this backdoor, dubbed Gopuram, was employed mainly in attacks on cryptocurrencies related companies. Experts also suspect that, according to a number of clues, the Lazarus group was behind the attack. Details on the Gopuram backdoor, along with indicators of compromise, can be found in a post on the Securelist blog.

Why is this attack is especially dangerous?

According to the BleepingComputer, the trojanized version of the program is signed with a legitimate 3CX Ltd. certificate issued by Sectigo and timestamped by DigiCert — the same certificate used in earlier versions of the 3CX program.

Moreover, according to Objective-See, the macOS version of the malware isn’t only signed with a valid certificate, but also notarized by Apple! This means that the application is allowed to run on recent versions of macOS.

How to stay safe

The application’s developers recommend urgently uninstalling trojanized versions of the program using the VoIP web client until the update is released.

It’s also wise to conduct a thorough investigation of the incident to make sure that attackers haven’t had time to take over your company’s computers. In general, in order to control what’s happening on the corporate network and to timely detect malicious activity, we recommend using Managed Detection and Response (MDR)-class services.