3CX desktop app compromised in supply-chain attack
Update: 3CX supply chain attack linked to prior supply chain compromise – 20th April 2023
On 20th April 2023 it was discovered that the 3CX software supply chain attack resulted from a prior Trading Technologies software supply chain attack. The initial 3CX compromise was via a ‘trojanised’ software installer of the X_TRADER trading platform.
The deployment of the X_TRADER installer led to the deployment of a multi-stage modular backdoor, tracked as “VEILEDSIGNAL”, to a 3CX employee’s personal computer. Using VEILEDSIGNAL, the associated threat actors were able to harvest 3CX employees’ credentials and establish persistence on the compromised system.
Further, the threat actors conducted lateral movement within the 3CX environment via the Fast Reverse Proxy tool (frpc.exe), which was renamed to MsMpEng.exe, a known Microsoft Malware Protection Engine executable.
The adversaries were then reported to have compromised the 3CX Windows and macOS build environments and deployed several strains of malware, such as the TAXHAUL launcher, COLDCAT downloader and POOLRAT backdoor, via DLL hijacking.
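The lateral-movement step above relies on masquerading: frpc.exe renamed to MsMpEng.exe so it blends in with the Defender engine. The following is an added detection example, not code from the advisory or from 3CX, that evaluates Sysmon Event ID 1-style process-creation records and flags an MsMpEng.exe image that runs outside the expected Defender directories or whose PE OriginalFileName is not MsMpEng.exe. The expected directories and the sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Where Defender's engine binary legitimately resides. Assumption for this
# example; tune to the estate (the versioned Platform folder is the usual case).
EXPECTED_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

@dataclass
class Finding:
    pid: int
    image: str
    reason: str

def check_process(event: dict) -> Optional[Finding]:
    """Evaluate one Sysmon Event ID 1-style record (ProcessId, Image, OriginalFileName)."""
    image = event["Image"]
    folder, _, name = image.lower().rpartition("\\")
    if name != "msmpeng.exe":
        return None  # only the masqueraded name from the advisory is in scope here
    if not any((folder + "\\").startswith(d + "\\") for d in EXPECTED_DIRS):
        return Finding(event["ProcessId"], image, "MsMpEng.exe running outside the Defender directories")
    orig = event.get("OriginalFileName", "-")
    if orig.lower() != "msmpeng.exe":
        return Finding(event["ProcessId"], image, f"PE OriginalFileName is {orig!r}, not MsMpEng.exe")
    return None

def scan(events: List[dict]) -> List[Finding]:
    return [f for f in (check_process(e) for e in events) if f is not None]

# Constructed sample telemetry (not real events): one legitimate engine process,
# one frpc binary renamed as in the advisory, one copy with stripped version info.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "OriginalFileName": "MsMpEng.exe"},
    {"ProcessId": 5308, "Image": r"C:\Users\Public\MsMpEng.exe",
     "OriginalFileName": "frpc.exe"},
    {"ProcessId": 6011, "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2303.8-0\MsMpEng.exe",
     "OriginalFileName": "-"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.image} -> {f.reason}")
```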
Updated Indicators of Compromise
SHA256 file hashes:
SHA1 file hashes:
MD5 file hashes:
The supply chain attack has been attributed with high confidence to the threat cluster tracked as “UNC4736”, which is assessed to consist of North Korean threat actors. There is also a realistic possibility that UNC4736 is linked to APT43’s previous clusters, tracked as “UNC3782” and “UNC4469”, due to the overlaps in their infrastructure and DNS resolutions.
Updated Mitre Methodologies
T1589.001 – Gather Victim Identity Information: Credentials
T1586 – Compromise Accounts
Initial Access Technique:
T1189 – Drive-by Compromise
T1190 – Exploit Public-Facing Application
T1204.002 – User Execution: Malicious File
T1574.002 – Hijack Execution Flow: DLL Side-Loading
T1005 – Data from Local System
Command and Control Technique:
T1105 – Ingress Tool Transfer
T1565 – Data Manipulation
Updated Further Information
Backdoor deployed via 3CX supply-chain attack (3rd April 2023)
The threat actor group, suspected to be ‘Labyrinth Chollima’, that recently compromised 3CX’s VoIP desktop application to distribute information-stealing software to the company’s customers, has also deployed a second-stage backdoor on compromised systems. Investigations have confirmed that the threat actor additionally infected target systems with the modular Gopuram backdoor, malware that North Korea’s Labyrinth Chollima group has used in campaigns dating back to 2020.
An updated analysis of the incident has demonstrated that the threat actors may have exploited the Windows vulnerability, tracked as CVE-2013-3900.
The Gopuram backdoor contains several modules that operators can use to exfiltrate data, interact directly with victim systems, install additional malware, start/stop and delete services. The second-stage payload is dropped by the threat actors for the purposes of cyber espionage. The backdoor implements commands that allow the attackers to interact with the victim’s file system and create processes on the infected machine.
CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows systems does not properly validate PE file digests during Authenticode signature verification. Successful exploitation of this vulnerability allows remote threat actors to execute arbitrary code via a crafted PE file. In the incident reported on, the threat actors exploited the vulnerability to make it appear that the malicious Dynamic-Link Libraries (DLLs) used to drop additional payloads were legitimately signed.
Updated Indicators of Compromise
Gopuram associated file hashes (MD5):
Gopuram associated file paths:
– C:\Windows\System32\config\TxR\<machine hardware profile GUID>.TxR.0.regtrans-ms
Updated Containment, Mitigations & Remediations
It is strongly recommended that 3CX users uninstall the Electron desktop application from all Windows and macOS systems and switch to the progressive web application (PWA) Web Client App. A script for mass uninstalling the application across networks is available on the associated 3CX blog.
To mitigate against the threat of the Gopuram backdoor, it is recommended that the following security practices are followed:
– Ensure that employees are provided basic cyber security hygiene training, as many targeted attacks start with phishing or other social engineering techniques
– Carry out a cyber security audit of networks and remediate any weaknesses discovered in the perimeter or inside the network
– Utilise an effective and monitored endpoint detection and response (EDR) solution, such as Microsoft Defender.
Updated Threat Landscape
The 3CX Phone System has over 12 million daily users and is interacted with by over 600,000 companies worldwide. Moreover, it has been detected that installations of the infected 3CX software are located all over the world, with the highest infection figures observed in Brazil, Germany, Italy and France.
The Gopuram backdoor has been in use for some time. However, the prevalence of infections notably increased in March 2023, which has since been directly attributed to the 3CX supply chain attack.
From the details available at the time of writing, it is likely that Gopuram is the final payload deployed within the 3CX attack chain. However, this is not absolutely conclusive as it is possible that further details could emerge.
Updated Further Information
3CX has listed customer organisations in the following sectors:
– Food & Beverage
– Managed Information Technology Service Provider (MSP)
A ‘trojanised’ rendition of the 3CX Voice Over Internet Protocol (VOIP) desktop client has been observed targeting customers of the company as part of a supply-chain attack. The attack is triggered when the MSI installer is downloaded from the 3CX website or an update is applied to an already installed desktop application. The company’s client list includes high-profile organisations such as BMW, Coca-Cola, McDonald’s, Honda, NHS, Toyota, Mercedes-Benz, IKEA and Holiday Inn.
The malicious activity involves beaconing to threat actor-controlled infrastructure, deployment of second-stage payloads, and hands-on-keyboard activity. The most prevalent post-exploitation activity observed at the time of writing is the spawning of an interactive command shell. When the MSI or update is installed, malicious ffmpeg.dll and d3dcompiler_47.dll Dynamic-Link Library (DLL) files are extracted, which are used to perform the next stage of the attack.
This is a rapidly developing situation. Updates will be provided if possible.
This new malware is capable of harvesting target system data and stored credentials from Google Chrome, Microsoft Edge, Brave, and Firefox user profiles.
Indicators of Compromise (IoCs) have been provided, allowing the relevant threat hunting strategies to be implemented to detect compromise.
– Windows and macOS versions of the 3CX softphone application.
Containment, Mitigations & Remediations
Due to the emerging nature of this supply-chain attack, it is currently recommended that 3CX software is removed from endpoints, where reasonably possible, until advised by the vendor that future installers and versions are safe to use.
Indicators of Compromise
Associated file hashes (SHA256):
– dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc – Windows
– fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405 – Windows
– 92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61 – macOS
– b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb – macOS
Associated installer file hashes (SHA256):
– aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 – 3cxdesktopapp-18.12.407.msi
– 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983 – 3cxdesktopapp-18.12.416.msi
– 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290 – 3CXDesktopApp-18.11.1213.dmg
– e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec – 3cxdesktopapp-latest.dmg
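As an added example (not code from the advisory or from 3CX), the following Python hunt walks a directory tree, hashes every file and reports a confirmed match against the SHA256 values listed above, while a file merely named ffmpeg.dll or d3dcompiler_47.dll is reported as a review item, since clean copies of those DLLs ship with the application. The `bad` parameter is an assumption added so the hash list can be swapped for a constructed one when exercising the script offline.

```python
import hashlib
from pathlib import Path
from typing import Dict, List

# SHA256 values copied from the advisory's IoC lists above.
ADVISORY_SHA256 = {
    "dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc": "3CX app (Windows)",
    "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405": "3CX app (Windows)",
    "92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61": "3CX app (macOS)",
    "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb": "3CX app (macOS)",
    "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868": "3cxdesktopapp-18.12.407.msi",
    "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983": "3cxdesktopapp-18.12.416.msi",
    "5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290": "3CXDesktopApp-18.11.1213.dmg",
    "e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec": "3cxdesktopapp-latest.dmg",
}
# DLLs the advisory names as the next-stage carriers. Clean copies ship with the
# app too, so a name hit alone is a review item, not a confirmed match.
WATCH_NAMES = {"ffmpeg.dll", "d3dcompiler_47.dll"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def hunt(root: Path, bad: Dict[str, str] = ADVISORY_SHA256) -> List[dict]:
    """Walk root; report hash matches (verdict 'match') and watched names (verdict 'review')."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_of(p)
        if digest in bad:
            findings.append({"path": str(p), "sha256": digest, "verdict": "match", "label": bad[digest]})
        elif p.name.lower() in WATCH_NAMES:
            findings.append({"path": str(p), "sha256": digest, "verdict": "review", "label": "advisory DLL name"})
    return findings

if __name__ == "__main__":
    import sys
    for f in hunt(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"{f['verdict']:6} {f['sha256']}  {f['path']}  ({f['label']})")
```

Run it against the 3CX installation directory and any download locations; review items should be compared against the vendor's known-good hashes before being treated as benign.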
Associated uniform resource identifiers (URI):
Associated email addresses:
3CX Private Automatic Branch Exchange (PBX) software is an attractive supply-chain target for threat actors. In addition to monitoring communications of the organisation, attackers can modify call routing or broker connections into voice services.
3CX has a significant portion of the unified-communications market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, 3CX systems have become a prime target. Because VOIP systems have become an integral aspect of both personal and business affairs, threat actors will continue to exploit vulnerabilities contained within these products in an attempt to extract sensitive data.
It is possible that the nation state-backed threat actor group tracked as “Labyrinth Chollima” is responsible for the reported attacks. However, at the time of writing, such an attribution is far from conclusive.
Labyrinth Chollima operations are known to overlap with other threat actors. The group is considered to be a subset of the APT37/APT38 cyber-criminal gang, a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.
TA0001 – Initial Access
Initial access technique:
T1195 – Supply Chain Compromise
TA0002 – Execution
T1059 – Command and Scripting Interpreter
TA0006 – Credential Access
Credential access technique:
T1212 – Exploitation for Credential Access