Five days have passed since the supply chain attack targeting 3CX customers gained wider public attention, but the software’s manufacturer is yet to confirm how the Windows and macOS desktop apps (based on the Electron software framework) have been compromised by the attackers.
3CX has called in outside experts
“On March 29th, 3CX received reports from a third party of a malicious actor exploiting a vulnerability in our product. We took immediate steps to investigate the incident, retaining Mandiant, leading global cybersecurity experts,” 3CX CEO Nick Galea stated on Sunday.
“With Mandiant by our side, we’re conducting a full investigation. This includes a thorough security review of our Web Client and PWA App where Mandiant engineers are validating the entire source code of our web app and Electron App for any vulnerabilities.”
Mandiant is also checking the security of the rebuilt Electron Windows App signed with a new certificate.
There has been no mention of the fact that customers started warning 3CX about their EDRs reporting suspicious activity related to the app as far back as March 22.
The malicious apps
Subsequent analyses of the trojanized apps, the uncovered malware delivery infrastructure, and the actual malware have revealed that some of the network infrastructure used in the attack was registered in February 2022, and that the first identified version of the compromised macOS Electron app was spotted in January 2023.
“The impacted 3CX Electron Desktop App was bundled with an infected library file named ffmpeg.dll. This infected library further downloads another encrypted file d3dcompiler_47.dll. This file has functionality to access .ico files hosted on GitHub which contain CnC information. These CnC domains are used to deliver the final payload which allows the attacker to perform malicious activity in the victim’s environment,” Zscaler researchers succinctly explained.
The ffmpeg.dll was not signed, but the d3dcompiler_47.dll was – by Microsoft. According to cybersecurity experts Lawrence Abrams and Will Dormann, the Microsoft signature was not invalidated once the file was modified because the attackers exploited CVE-2013-3900, an old Windows signature-verification flaw whose fix is optional (it must be explicitly enabled by the administrator).
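An added defensive check, not from the article or from 3CX, for whether a Windows host has Microsoft's opt-in fix for CVE-2013-3900 turned on; the registry paths and value name are the ones Microsoft documents for this fix, the function names are mine:

```powershell
# Added example, not from the article: audit (and optionally apply) the opt-in
# fix for CVE-2013-3900. Microsoft's mitigation is the REG_SZ value
# EnableCertPaddingCheck = "1" under the Wintrust\Config key (and, on 64-bit
# Windows, its Wow6432Node twin). Without it, signature verification still
# reports a file as validly signed after data has been appended to its
# certificate table, which is why the modified d3dcompiler_47.dll kept its
# Microsoft signature.

$WintrustConfigKeys = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
if ([Environment]::Is64BitOperatingSystem) {
    $WintrustConfigKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
}

function Test-CertPaddingCheck {
    # Returns one object per key: the current value and whether it equals "1".
    foreach ($key in $WintrustConfigKeys) {
        $value = $null
        if (Test-Path -Path $key) {
            $item = Get-ItemProperty -Path $key -Name 'EnableCertPaddingCheck' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = [string]$item.EnableCertPaddingCheck }
        }
        [pscustomobject]@{
            Key     = $key
            Value   = $value
            Enabled = ($value -eq '1')
        }
    }
}

function Enable-CertPaddingCheck {
    # Remediation; requires an elevated session. Creates missing keys and sets the value.
    foreach ($key in $WintrustConfigKeys) {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'EnableCertPaddingCheck' -PropertyType String -Value '1' -Force | Out-Null
    }
}

# Report, and exit non-zero when any key lacks the setting so a compliance job can flag the host.
$status = Test-CertPaddingCheck
$status | Format-Table -AutoSize
if ($status.Enabled -contains $false) {
    Write-Warning 'CVE-2013-3900 certificate padding check is not enabled on this host.'
    exit 1
}
```

After enabling the setting, re-running Get-AuthenticodeSignature against the DLLs named above shows the effect: a signed file whose certificate-table padding has been tampered with no longer reports a Status of Valid.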
The FFmpeg developers pointed out that they couldn’t have been the source of the infected ffmpeg.dll file, and others have pointed out that a compromise of the Electron SDK would have been noticed because of the glut of apps that use it.
3CX’s Galea said they are trying to find out how the compiled DLL in their product had the trojan inserted in it.
Also, given that the malicious versions of the apps were signed with valid 3CX certificates, it seems likely that the company’s build environment has been compromised. It now remains to be seen what 3CX and Mandiant will discover during their investigation.
How many companies have been compromised in the 3CX supply chain attack?
Volexity researchers have analyzed multiple malicious installers for Windows and macOS downloaded directly from 3CX download servers, and found that the final reconnaissance payload – the ICONICSTEALER – has been deployed widely to Windows users.
“The end result for victims of this campaign was that information-stealing malware was installed on endpoints that installed this update, and for selected victims, an additional arbitrary payload may also have been delivered,” they noted.
Additionally, they found a shellcode sequence in the stealer that “appears to have been only used in the ICONIC loader and the APPLEJEUS malware, which is known to be linked to [the North Korean state-sponsored APT Lazarus Group].”
Zscaler “observed infections dating back to February 2023 for both the Windows as well as the MacOS variant of the Trojanized 3CXDesktopApp installers,” and found victims in several verticals (technology, services, manufacturing, etc.).
Trend Micro observed activity that involved the 3CXDesktopApp process attempting to run shellcode at 127 customers of its Cortex XDR solution.
FortiGuard Labs observed connections to known malicious domains associated with this attack, and found that, by and large, victims are located in Europe (Italy, Germany, Austria, Switzerland, the Netherlands, the UK) and the US.
UPDATE (April 3, 2023, 04:50 p.m. ET):
Kaspersky researchers confirmed that another piece of malware – the Gopuram backdoor – had been delivered to some of the victim companies, which are cryptocurrency companies.
“We believe that Gopuram is the main implant and the final payload in the attack chain,” they noted, and shared other findings that point to the Lazarus APT as the attackers.