Finding and Fixing the Trojanized 3CX DesktopApp

One of the most effective ways to deploy malware to a targeted organization is to exploit one of the many trust relationships they have with software vendors. That’s how Russian hackers compromised multiple US government agencies in the infamous SolarWinds campaign. And it’s now why customers of the popular 3CX voice and video calling desktop application should be on high alert.

A suspected North Korean threat group managed to effectively backdoor digitally signed updates for the application and then activate secondary-stage malware to steal data from specific targets. As always, time is of the essence: customer organizations should find and remediate any affected software versions as soon as possible.

What is 3CX?

3CX is a VoIP and PBX service provider which claims to have over 12 million users and more than 600,000 corporate customers in 190 countries worldwide — including big-name brands such as Mercedes-Benz and PwC.

The firm’s 3CX DesktopApp was targeted by threat actors — specifically its Electron Windows App versions 18.12.407 and 18.12.416 and Electron Mac App versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416.

What was the source of the incident?

According to 3CX, the malicious payloads were inserted into bundled libraries compiled via Git. This suggests a compromised open-source repository used by the firm’s developers was to blame. Reports claim that this issue could have been spotted during development, as there were tell-tale signs of tampering.

In any case, the threat was not detected upstream at this early stage, and both the Windows and macOS-affected versions of the app were digitally signed with the official 3CX signing key. The macOS versions were even notarized by Apple, meaning the Cupertino tech giant didn’t detect any malicious activity.

What happened?

Because they were digitally signed, the trojanized apps would slip past most perimeter defenses. The attackers also took other steps to avoid setting off alarms. Compromised installers for both Windows and macOS versions reportedly contained clean, fully functioning versions of the app. The malicious actors then used a DLL sideloading technique to add an extra payload for selected victims. This payload was encrypted to avoid detection and caused an infected machine to contact an attacker-controlled server for second-stage malware.

It was originally thought the final payload was designed to steal critical information from an infected machine’s browser, marking this out as a targeted cyber-espionage campaign. Reports say some of the code found in the malware matches “byte by byte” with that used by the infamous Lazarus group linked to the North Korean regime. However, newer evidence suggests the end goal may have been to drop a modular backdoor, dubbed “Gopuram,” onto a small number of machines. Fewer than 10 cryptocurrency firms have been targeted in this way, at the time of writing. That could suggest a financial motivation for the attacks.

How Tanium can help

3CX has urged all affected customers to:

• Uninstall the 3CX Electron Desktop Application from all Windows or macOS computers
• Continue AV/EDR scanning for potential malware, using the latest available signatures
• Switch to 3CX’s PWA web client app

Tanium can help organizations quickly find impacted versions of the 3CX app and indicators of compromise. There are several ways to do this:

Tanium Interact can identify 3CX Desktop App in a Windows environment using the following question: “Get Installed Applications having Installed Applications:Name contains 3CX Desktop App from all machines with Installed Applications:Name contains 3CX Desktop App.”

Tanium Threat Response can import YARA rules to identify the malware used in this attack. As they are discovered, vulnerable file hashes can also be added to Tanium Threat Response.

---

To learn more about how Tanium can help with the 3CX security issue, check out this Tanium Community post.