On Wednesday, cyber security threat intelligence analysts uncovered a supply chain attack targeting the communications software provider 3CX and the company’s customers. 3CX is a VoIP IPBX software development firm whose 3CX phone system is used by more than 600,000 enterprises around the world, with 12 million daily users.

The company’s client list includes organizations across the automotive, food and beverage, hospitality, manufacturing and managed information technology service provider (MSP) sectors. Customers have been notified and encouraged to immediately start looking for signs of compromise.

The attackers’ tactics appear similar to those used against SolarWinds last year. Regarding the 3CX attack, “This is a classic supply chain attack, designed to exploit trust relationships between an organization and external parties; this includes partnerships with vendors or the use of a third-party software which most businesses are reliant on in some way,” said Lotem Finkelstein, director of threat intelligence and research at Check Point.

“This incident is a reminder of just how critical it is that we do our due diligence in terms of scrutinizing who we conduct business with,” he continued.

3CX cyber attack insights

Researchers initially observed a spike in behavioral detections of the 3CXDesktopApp; those detections prevented the trojanized installers from running and quarantined them by default.

The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from GitHub, ultimately leading to a third stage infostealer DLL…

“The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and in a small number of cases, hands-on-keyboard activity,” reported a team of security researchers.

Alerts from security researchers indicate that attackers are targeting both Windows and macOS users of the compromised 3CX app.

What is the 3CXDesktopApp?

The affected application is a business tool that was built to keep teams connected without tethering them to the office environment. It is commonly used by the hybrid or remote workforce for team and customer calls. The application can record communications, facilitate video conferencing, enable voicemail checking and more.

Cyber attack culprits

At the moment, researchers believe that a North Korean state-backed hacking group known as Labyrinth Chollima may be behind the attack, although this attribution cannot be verified.

Technical information

The supply chain attack relies on what is known as DLL side-loading. This means that the attackers used a signed executable (MSI package) to load a malicious DLL called ffmpeg.dll. This DLL was modified to read encrypted data from another DLL called d3dcompiler_47.dll.

The attackers stored an encoded list of URLs in a specific GitHub repository. Once d3dcompiler_47.dll pulls the list, it uses it to download and execute the final payload from one of the URLs.

An important detail of the GitHub communication is that the code waits one week before making the request to GitHub. Once that delay has elapsed, the final payload is downloaded from one of the URLs and executed…
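The ICO-with-appended-base64 stage in the chain above can be triaged with a small parser that reads the icon directory, computes where the last image ends and inspects anything after it. This is an added example, not Check Point's or 3CX's code; the sample icon and the trailer text it decodes are constructed placeholders.

```python
import base64
import struct

ICONDIR = struct.Struct("<HHH")            # reserved (0), type (1 = icon), image count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colors, reserved, planes, bpp, size, offset


def ico_payload_end(data: bytes) -> int:
    """Offset just past the last image referenced by the ICO directory.
    Raises ValueError when the header or directory is not a plausible icon."""
    if len(data) < ICONDIR.size:
        raise ValueError("too short for an ICO header")
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an ICO header")
    end = ICONDIR.size + count * ICONDIRENTRY.size
    if end > len(data):
        raise ValueError("icon directory is truncated")
    for i in range(count):
        *_, size, offset = ICONDIRENTRY.unpack_from(data, ICONDIR.size + i * ICONDIRENTRY.size)
        if offset + size > len(data):
            raise ValueError("image entry points past end of file")
        end = max(end, offset + size)
    return end


def find_appended_data(data: bytes):
    """Return (trailing_bytes, decoded). trailing_bytes is empty for a clean icon;
    decoded is the base64-decoded trailer, or None if the trailer is not valid base64."""
    trailing = data[ico_payload_end(data):]
    if not trailing:
        return b"", None
    try:
        decoded = base64.b64decode(trailing.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        decoded = None
    return trailing, decoded


def build_sample_ico() -> bytes:
    """Constructed 1x1 icon; the 4 image bytes are dummies, only the directory matters here."""
    image = b"\x00\x00\x00\x00"
    entry = ICONDIRENTRY.pack(1, 1, 0, 0, 1, 32, len(image), ICONDIR.size + ICONDIRENTRY.size)
    return ICONDIR.pack(0, 1, 1) + entry + image


PLACEHOLDER_STAGE = b"constructed placeholder, not real stage data"


def build_sample_with_trailer() -> bytes:
    """Constructed icon with base64 text appended after the image data, as in the chain above."""
    return build_sample_ico() + base64.b64encode(PLACEHOLDER_STAGE)
```

Running `find_appended_data` over icon files dropped by the app flags any trailer, and a successful base64 decode is the stronger signal to escalate.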

Further details

As soon as the trojanized version of the 3CXDesktopApp was reported, all relevant protections were propagated through all of Check Point’s products. If you’re a 3CX client and also a Check Point customer, you’re protected (with no patching needed).

For further technical insights, please see this Check Point blog.