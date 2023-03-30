



Note: This is a work in progress and will be updated as needed.

In late March 2023, security researchers revealed that threat actors had specifically abused 3CX's popular business communication software. The report mentions that a version of the 3CX VoIP (Voice over Internet Protocol) desktop client was employed to target 3CX's customers.

3CX posted an update on its forums recommending uninstalling the desktop app and using the Progressive Web App (PWA) client instead. The company also said it was working on updating the desktop app.

Meanwhile, the GitHub page used to stage the attack (raw.githubusercontent[.]com/IconStorages/images/main/) had been taken down at the time of writing. Note that the malicious routine terminates if the page cannot be accessed.

3CX is private automatic branch exchange (PABX) software that provides users with multiple communication features such as video conferencing, live chat, and call management. The app is available for most major operating systems, including Windows, macOS, and Linux. The client is also available as a mobile application for both Android and iOS devices, while a Chrome extension and a PWA version of the client let users access the software from their browser.

According to the company’s website, over 600,000 businesses and over 12 million daily users worldwide use 3CX’s VoIP IPBX software.

How does the attack work?

The attack is reportedly a multi-stage chain, with the first stage involving a compromised version of the 3CX desktop app. Based on initial analysis, the MSI package is the compromised component, with potentially trojanized DLLs, since the .exe file retains the same name.

The infection chain starts with 3CXDesktopApp.exe loading ffmpeg.dll. ffmpeg.dll then reads and decrypts the encrypted code stored in d3dcompiler_47.dll. The decrypted code uses the IconStorages GitHub page to fetch an .ico file containing an encrypted command-and-control (C&C) server address, which the backdoor contacts in order to retrieve a possible final payload. This appears to be a backdoor payload attempting to access the page.

As part of its attack routine, the malware connects to the servers listed in the Indicators of Compromise (IOC) list at the end of this blog entry.

The final stage appears to have an information-stealing function: the malware can extract system information and steal both data and stored login credentials from the user profiles of the Chrome, Edge, Brave, and Firefox web browsers.

At runtime, the MSI package installer drops the following files associated with the malicious behavior:

3CXDesktopApp.exe: a legitimate file, abused to load the trojanized DLL
ffmpeg.dll: the trojanized DLL loaded by the executable
d3dcompiler_47.dll: a legitimate file with encrypted shellcode appended after the FEEDFACE hex string

Certain conditions must be met before execution. For example, the sleep timestamp is determined as follows: the malware first checks whether the manifest file exists and uses the specified date. If the file does not exist or uses the specified date, it generates a random number and computes the timestamp with the formula rand() % 1800000 + current date + 604800. Once the date has been computed, the malware continues its routine.

Running 3CXDesktopApp.exe loads ffmpeg.dll, which appears to be a trojanized (patched) DLL. Its normal functionality is retained, but malicious functionality has been added that reads d3dcompiler_47.dll and locates the encrypted shellcode appended after the FEEDFACE hex string.
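For triage, a defender can check whether a copy of d3dcompiler_47.dll (or any PE file) carries the marker described above in its overlay, the bytes past the last section, rather than inside legitimate section data. The script below is an added example, not code from the original post or from 3CX; it assumes the "feed face" hex string means the byte sequence FE ED FA CE, and it builds a constructed synthetic PE image (not a real DLL) so it can run offline.

```python
import struct
import sys

# The "feed face" hex string from the write-up, assumed here to be the bytes FE ED FA CE.
MARKER = bytes.fromhex("FEEDFACE")

def overlay_offset(data: bytes) -> int:
    """Return the offset where the last PE section's raw data ends (start of the overlay)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size            # section table follows the optional header
    end = table + 40 * n_sections             # never report an overlay inside the headers
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def find_appended_marker(data: bytes):
    """Search only the overlay for MARKER; return (marker_offset, trailing_bytes) or None."""
    idx = data.find(MARKER, overlay_offset(data))
    if idx < 0:
        return None
    return idx, len(data) - (idx + len(MARKER))

def build_sample(overlay: bytes, section_data: bytes = b"") -> bytes:
    """Construct a minimal synthetic PE (one 0x100-byte section at 0x200) plus an overlay.
    Constructed test fixture only, not a real DLL."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x2000)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x100, 0x1000, 0x100, 0x200, 0, 0, 0, 0, 0x60000020)
    img = bytearray(hdr + coff + sect).ljust(0x200, b"\0")
    img += section_data.ljust(0x100, b"\0")
    return bytes(img) + overlay

if __name__ == "__main__":
    # Pass a file path to scan a real binary; with no argument, scan the constructed sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample(b"\0" * 16 + MARKER + b"\xAA" * 32)
    print(find_appended_marker(blob))
```

A hit reports the marker's file offset and how many bytes follow it, which is the region an analyst would carve for further inspection; a marker found only inside a mapped section is ignored.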

