3CX desktop app compromised in supply-chain attack
Update: 3CX supply chain attack linked to prior supply chain compromise – 20th April 2023
Overview
On 20th April 2023 it was discovered that the 3CX software supply chain attack resulted from a prior Trading Technologies software supply chain attack. The initial 3CX compromise was via a ‘trojanised’ software installer of the X_TRADER trading platform.
The deployment of the X_TRADER installer led to the deployment of a multi-stage modular backdoor, tracked as “VEILEDSIGNAL”, to a 3CX employee’s personal computer. Using VEILEDSIGNAL, the associated threat actors were able to harvest 3CX employees’ credentials and establish persistence on the compromised system.
Further, the threat actors conducted lateral movement within the 3CX environment using the Fast Reverse Proxy tool (frpc.exe), renamed to MsMpEng.exe, the name of the legitimate Microsoft Malware Protection Engine executable.
The adversaries were then reported to have compromised the 3CX Windows and macOS build environments and deployed several strains of malware, such as the TAXHAUL launcher, COLDCAT downloader and POOLRAT backdoor, via DLL hijacking.
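The renaming of frpc.exe to MsMpEng.exe described above is a masquerading pattern that process-creation telemetry can expose: the on-disk name no longer agrees with the OriginalFileName embedded in the PE version resource, and the image runs from a directory where the genuine binary never lives. The following script is an added example, not code from the advisory or from 3CX. The event lines are constructed to resemble Sysmon ProcessCreate (Event ID 1) fields rendered as key=value text, the version directory and user names are invented, and EXPECTED_DIRS is an assumed allowlist for this example that should be confirmed against the Defender platform path actually used in your estate.

```python
"""Flag processes that borrow a trusted binary's name (e.g. frpc.exe renamed to MsMpEng.exe).

Added example, not part of the original advisory. Sample events are constructed;
EXPECTED_DIRS is an assumed allowlist and must be validated for your environment.
"""
import ntpath
import re

# Assumed legitimate parent directories for each watched image name (lower-case).
EXPECTED_DIRS = {
    "msmpeng.exe": [
        r"c:\programdata\microsoft\windows defender\platform",
        r"c:\program files\windows defender",
    ],
}

# Constructed sample events (not real telemetry); version path and users are invented.
SAMPLE_EVENTS = [
    r"Image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2302.7-0\MsMpEng.exe OriginalFileName=MsMpEng.exe User=NT AUTHORITY\SYSTEM",
    r"Image=C:\Users\jdoe\AppData\Local\Temp\MsMpEng.exe OriginalFileName=frpc.exe User=CORP\jdoe",
    r"Image=C:\Windows\Temp\MsMpEng.exe OriginalFileName=MsMpEng.exe User=CORP\jdoe",
    r"Image=C:\Windows\System32\notepad.exe OriginalFileName=NOTEPAD.EXE User=CORP\jdoe",
]

# key=value pairs; a value runs until the next " key=" token or end of line,
# so values containing spaces (paths, "NT AUTHORITY\SYSTEM") survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Return the event's fields as a dict."""
    return dict(FIELD_RE.findall(line))


def is_under(directory, base):
    """True if directory is base itself or a subdirectory of it (case-insensitive)."""
    directory, base = directory.lower(), base.lower()
    return directory == base or directory.startswith(base + "\\")


def check_event(event):
    """Return a list of findings for one process-creation event (empty = clean)."""
    findings = []
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    original = event.get("OriginalFileName", "")
    # The PE's own OriginalFileName survives a rename on disk; a mismatch is a masquerade signal.
    if original and original.lower() != name:
        findings.append(f"name mismatch: on-disk {name} vs PE OriginalFileName {original}")
    # A watched binary name running outside its known install locations.
    expected = EXPECTED_DIRS.get(name)
    if expected and not any(is_under(ntpath.dirname(image), d) for d in expected):
        findings.append(f"{name} running from unexpected path {ntpath.dirname(image)}")
    return findings


def scan(lines):
    """Map event index -> findings, only for events that raised at least one."""
    results = {}
    for i, line in enumerate(lines):
        findings = check_event(parse_event(line))
        if findings:
            results[i] = findings
    return results


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}:")
        for f in findings:
            print("  -", f)
```

The first sample event is the genuine engine and raises nothing; the second is the renamed proxy and raises both a name mismatch and an unexpected path; the third shows that the path check alone still fires when an attacker also rewrites the version resource.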
Updated Indicators of Compromise
SHA256 file hashes:
– 480b8c9df70396f44cdca00fd860fdf38ce1d8493ebeed6fe679dd3fd799b7f6
– beb775af5196f30e0ee021790a4978ca7a7ac2a7cf970a5a620ffeb89cc60b2c
– cc36b610705d96dd8a82faf8bce1e1d6197948518318f2332323de3c5d05999d
– 97b95b4a5461f950e712b82783930cb2a152ec0288c00a977983ca7788342df7
– 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290
– fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405
– e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec
– b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb
– 92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61
SHA1 file hashes:
– 3bda9ca504146ad5558939de9fece0700f57c1c0
– ced671856bbaef2f1878a2469fb44e9be8c20055
– d7ba13662fbfb254acaad7ae10ad51e0bd631933
MD5 file hashes:
– 19dbffec4e359a198daf4ffca1ab9165
– 00a43d64f9b5187a1e1f922b99b09b77
– ef4ab22e565684424b4142b1294f1f4d
Email addresses:
URLs:
– hxxps[://]www[.]3cx[.]com/blog/event-trainings/
– hxxps[://]akamaitechcloudservices[.]com/v2/storage
– hxxps[://]azureonlinestorage[.]com/azure/storage
– hxxps[://]msedgepackageinfo[.]com/microsoft-edge
– hxxps[://]glcloudservice[.]com/v1/console
– hxxps[://]pbxsources[.]com/exchange
– hxxps[://]msstorageazure[.]com/window
– hxxps[://]officestoragebox[.]com/api/session
– hxxps[://]visualstudiofactory[.]com/workload
– hxxps[://]azuredeploystore[.]com/cloud/services
– hxxps[://]msstorageboxes[.]com/office
– hxxps[://]officeaddons[.]com/technologies
– hxxps[://]sourceslabs[.]com/downloads
– hxxps[://]zacharryblogs[.]com/feed
– hxxps[://]pbxcloudeservices[.]com/phonesystem
– hxxps[://]pbxphonenetwork[.]com/voip
– hxxps[://]msedgeupdate[.]net/Windows
Threat Group
The supply chain attack has been attributed with high confidence to the threat cluster tracked as “UNC4736”, a North Korean threat actor. There is also a realistic possibility that UNC4736 is linked to APT43’s previously identified clusters, tracked as “UNC3782” and “UNC4469”, due to overlaps in their infrastructure and DNS resolutions.
Updated Mitre Methodologies
Reconnaissance Technique:
T1589.001 – Gather Victim Identity Information: Credentials
Resource Development:
T1586 – Compromise Accounts
Initial Access Technique:
T1189 – Drive-by Compromise
T1190 – Exploit Public-Facing Application
Execution Technique:
T1204.002 – User Execution: Malicious File
Defense Evasion:
T1574.002 – Hijack Execution Flow: DLL Side-Loading
Collection Technique:
T1005 – Data from Local System
Command and Control Technique:
T1105 – Ingress Tool Transfer
Impact Technique:
T1565 – Data Manipulation
Updated Further Information
Backdoor deployed via 3CX supply-chain attack (3rd April 2023)
Overview
The threat actor group, suspected to be ‘Labyrinth Chollima’, that recently compromised 3CX’s VoIP desktop application to distribute information-stealing software to the company’s customers, has also deployed a second-stage backdoor on compromised systems. Investigations have confirmed that the threat actor additionally infected target systems with the modular Gopuram backdoor, malware that North Korea’s Labyrinth Chollima group has used in campaigns dating back to 2020.
An updated analysis of the incident has demonstrated that the threat actors may have exploited the Windows vulnerability, tracked as CVE-2013-3900.
Updated Impact
The Gopuram backdoor contains several modules that operators can use to exfiltrate data, interact directly with victim systems, install additional malware, start/stop and delete services. The second-stage payload is dropped by the threat actors for the purposes of cyber espionage. The backdoor implements commands that allow the attackers to interact with the victim’s file system and create processes on the infected machine.
CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows systems does not properly validate PE file digests during Authenticode signature verification. Successful exploitation of this vulnerability allows remote threat actors to execute arbitrary code via a crafted PE file. In the reported incident, the threat actors exploited the vulnerability to make the malicious Dynamic-Link Libraries (DLLs) used to drop additional payloads appear to be legitimately signed.
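The weakness behind CVE-2013-3900 is that bytes placed inside the PE's WIN_CERTIFICATE entry after the PKCS#7 SignedData blob are not covered by the Authenticode hash, yet a verifier that has not opted into the stricter check still reports the file as validly signed. Microsoft's fix (MS13-098) is opt-in through the EnableCertPaddingCheck registry value under HKLM\Software\Microsoft\Cryptography\Wintrust\Config, so many estates remain permissive. The script below is an added example, not code from the advisory; it does not verify the signature itself, it only parses the PE headers and reports unsigned bytes inside the certificate table or appended after it, which is a cheap triage check for the side-loaded DLLs named on this page. The PE images it runs on are constructed minimal PE32+ stubs with a dummy PKCS#7 blob, not real signed binaries.

```python
"""Report unsigned trailing data in a PE's Authenticode certificate table (CVE-2013-3900 pattern).

Added example, not part of the original advisory. build_pe() constructs minimal
PE32+ stubs for demonstration; audit_cert_table() is the check itself.
"""
import struct

SECURITY_DIR_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_HEADER = 8      # dwLength (4) + wRevision (2) + wCertificateType (2)
ALIGN_SLACK = 7          # up to 7 zero bytes of 8-byte alignment padding is normal


def der_total_length(blob):
    """Length of the outer DER SEQUENCE at the start of blob, or None if malformed."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def audit_cert_table(pe):
    """Return a list of findings; an empty list means no unsigned padding was found."""
    findings = []
    if pe[:2] != b"MZ":
        return ["not a PE file (missing MZ header)"]
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["not a PE file (missing PE signature)"]
    opt = e_lfanew + 24                   # PE signature (4) + COFF header (20)
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)   # data directories: PE32+ vs PE32
    # The security directory's "VirtualAddress" is a raw file offset, not an RVA.
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR_INDEX)
    if sec_size == 0:
        return ["no Authenticode certificate table"]
    table_end = sec_off + sec_size
    if table_end > len(pe):
        return ["certificate table extends past end of file"]
    if table_end < len(pe):
        findings.append(f"{len(pe) - table_end} bytes appended after the certificate table")
    pos = sec_off
    while pos + WIN_CERT_HEADER <= table_end:
        length, _revision, _ctype = struct.unpack_from("<IHH", pe, pos)
        if length < WIN_CERT_HEADER or pos + length > table_end:
            findings.append("malformed WIN_CERTIFICATE length")
            break
        cert = pe[pos + WIN_CERT_HEADER:pos + length]
        der_len = der_total_length(cert)
        if der_len is None:
            findings.append("certificate entry does not start with a DER SEQUENCE")
        elif der_len > len(cert):
            findings.append("PKCS#7 length exceeds its WIN_CERTIFICATE entry")
        else:
            slack = cert[der_len:]
            if len(slack) > ALIGN_SLACK or any(slack):
                findings.append(f"{len(slack)} unsigned bytes after PKCS#7 data in certificate entry")
        pos += (length + 7) & ~7          # entries are 8-byte aligned
    return findings


def build_pe(cert_payload, appended=b""):
    """Construct a minimal PE32+ stub whose security directory holds one
    WIN_CERTIFICATE containing cert_payload (constructed test data only)."""
    cert_off = 0x200
    entry = struct.pack("<IHH", WIN_CERT_HEADER + len(cert_payload), 0x0200, 0x0002) + cert_payload
    entry += b"\0" * (-len(entry) % 8)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)  # magic ... NumberOfRvaAndSizes
    dir_entries = [(0, 0)] * 16
    dir_entries[SECURITY_DIR_INDEX] = (cert_off, len(entry))
    opt += b"".join(struct.pack("<II", a, s) for a, s in dir_entries)
    header = dos + b"PE\0\0" + coff + opt
    return header + b"\0" * (cert_off - len(header)) + entry + appended


# Dummy PKCS#7: a 260-byte DER SEQUENCE (not a real signature).
DUMMY_PKCS7 = b"\x30\x82\x01\x00" + b"\xAA" * 256

if __name__ == "__main__":
    print("clean     :", audit_cert_table(build_pe(DUMMY_PKCS7)))
    print("padded    :", audit_cert_table(build_pe(DUMMY_PKCS7 + b"smuggled-config")))
    print("appended  :", audit_cert_table(build_pe(DUMMY_PKCS7, appended=b"X" * 32)))
```

Run it against the ffmpeg.dll and d3dcompiler_47.dll found in a 3CX install directory: a non-empty result means the file carries data the signature never covered and deserves a full hash comparison against the indicators on this page, regardless of what the Windows signature dialog shows.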
Updated Indicators of Compromise
Gopuram associated file hashes (MD5):
– 9f85a07d4b4abff82ca18d990f062a84
– 96d3bbf4d2cf6bc452b53c67b3f2516a
Gopuram associated file paths:
– C:\Windows\System32\config\TxR\< machine hardware profile GUID >.TxR.0.regtrans-ms
– C:\Windows\system32\catroot2\edb.chk.log
Updated Containment, Mitigations & Remediations
It is strongly recommended that 3CX users uninstall the Electron desktop application from all Windows and macOS systems and switch to the progressive web application (PWA) Web Client App. A script for mass uninstalling the application across networks is available on the associated 3CX blog.
To mitigate against the threat of the Gopuram backdoor, it is recommended that the following security practices are followed:
– Ensure that employees are provided basic cyber security hygiene training, as many targeted attacks start with phishing or other social engineering techniques
– Carry out a cyber security audit of networks and remediate any weaknesses discovered in the perimeter or inside the network
– Utilise an effective and monitored endpoint detection and response (EDR) solution, such as Microsoft Defender.
Updated Threat Landscape
The 3CX Phone System has over 12 million daily users and is interacted with by over 600,000 companies worldwide. Moreover, it has been detected that installations of the infected 3CX software are located all over the world, with the highest infection figures observed in Brazil, Germany, Italy and France.
The Gopuram backdoor has been observed for some time. However, the prevalence of infections notably increased in March 2023, which has since been directly attributed to the 3CX supply chain attack.
From the details available at the time of writing, it is likely that Gopuram is the final payload deployed within the 3CX attack chain. However, this is not absolutely conclusive as it is possible that further details could emerge.
Updated Further Information
Target Industry
3CX has listed customer organisations in the following sectors:
– Automotive
– Food & Beverage
– Hospitality
– Managed Information Technology Service Provider (MSP)
– Manufacturing
Overview
A ‘trojanised’ rendition of the 3CX Voice over Internet Protocol (VoIP) desktop client has emerged that targets customers of the company as part of a supply-chain attack. The attack is triggered when the MSI installer is downloaded from the 3CX website or an update is applied to an already installed desktop application. The company’s client list includes high-profile organisations such as BMW, Coca-Cola, McDonald’s, Honda, NHS, Toyota, Mercedes-Benz, IKEA and Holiday Inn.
The malicious activity involves beaconing to threat actor-controlled infrastructure, deployment of second-stage payloads, and hands-on-keyboard activity. The most prevalent post-exploitation activity observed at the time of writing is the spawning of an interactive command shell. When the MSI or update is installed, malicious ffmpeg.dll and d3dcompiler_47.dll Dynamic-Link Library (DLL) files are extracted, which are used to perform the next stage of the attack.
This is a rapidly developing situation. Updates will be provided if possible.
Impact
This new malware is capable of harvesting target system data and stored credentials from Google Chrome, Microsoft Edge, Brave, and Firefox user profiles.
Vulnerability Detection
Indicators of Compromise (IoCs) have been provided, allowing the relevant threat hunting strategies to be implemented to detect compromise.
Affected Products
– Windows and macOS versions of the 3CX softphone application.
Containment, Mitigations & Remediations
Due to the emerging nature of this supply-chain attack, it is currently recommended that 3CX software is removed from endpoints, where reasonably possible, until advised by the vendor that future installers and versions are safe to use.
Indicators of Compromise
Associated domains:
– akamaicontainer[.]com
– msedgepackageinfo[.]com
– akamaitechcloudservices[.]com
– msstorageazure[.]com
– azuredeploystore[.]com
– msstorageboxes[.]com
– azureonlinecloud[.]com
– officeaddons[.]com
– azureonlinestorage[.]com
– officestoragebox[.]com
– dunamistrd[.]com
– pbxcloudeservices[.]com
– glcloudservice[.]com
– pbxphonenetwork[.]com
– qwepoi123098[.]com
– zacharryblogs[.]com
– sbmsa[.]wiki
– pbxsources[.]com
– sourceslabs[.]com
– journalide[.]org
– visualstudiofactory[.]com
Associated file hashes (SHA256):
– dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc – Windows
– fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405 – Windows
– 92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61 – macOS
– b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb – macOS
Associated installer file hashes (SHA256):
– aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 – 3cxdesktopapp-18.12.407.msi
– 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983 – 3cxdesktopapp-18.12.416.msi
– 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290 – 3CXDesktopApp-18.11.1213.dmg
– e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec – 3cxdesktopapp-latest.dmg
Associated uniform resource identifiers (URI):
– hxxps://www[.]3cx[.]com/blog/event-trainings/
– hxxps://akamaitechcloudservices[.]com/v2/storage
– hxxps://azureonlinestorage[.]com/azure/storage
– hxxps://msedgepackageinfo[.]com/microsoft-edge
– hxxps://glcloudservice[.]com/v1/console
– hxxps://pbxsources[.]com/exchange
– hxxps://msstorageazure[.]com/window
– hxxps://officestoragebox[.]com/api/session
– hxxps://visualstudiofactory[.]com/workload
– hxxps://azuredeploystore[.]com/cloud/services
– hxxps://msstorageboxes[.]com/office
– hxxps://officeaddons[.]com/technologies
– hxxps://sourceslabs[.]com/downloads
– hxxps://zacharryblogs[.]com/feed
– hxxps://pbxcloudeservices[.]com/phonesystem
– hxxps://pbxphonenetwork[.]com/voip
– hxxps://msedgeupdate[.]net/Windows
Associated URL:
– github[.]com/IconStorages/images
Associated email addresses:
– [email protected][.]me
– [email protected][.]me
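The domain and hash lists above are published defanged, so the first step of any hunt is to refang them and match them the way the telemetry presents them: DNS logs carry fully qualified names that may be subdomains of an indicator, and file hashes may be logged in either case. The script below is an added example, not code from the advisory or from 3CX. The SHA256 values and domains are the ones listed on this page; the DNS log lines, their client=/query= field format and the files written to a temporary directory are constructed sample data for the demonstration.

```python
"""Sweep file hashes and DNS query logs against the IoCs listed in this advisory.

Added example, not part of the original advisory. Indicators are copied from the
page; the DNS log lines (an assumed key=value format) and temp files are constructed.
"""
import hashlib
import os
import re
import tempfile

# SHA256 indicators published above (application binaries and installers).
IOC_SHA256 = {
    "dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc",
    "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405",
    "92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61",
    "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb",
    "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868",
    "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983",
    "5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290",
    "e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec",
}

# Domains exactly as defanged above; refang() restores the dots for matching.
IOC_DOMAINS_DEFANGED = [
    "akamaicontainer[.]com", "msedgepackageinfo[.]com", "akamaitechcloudservices[.]com",
    "msstorageazure[.]com", "azuredeploystore[.]com", "msstorageboxes[.]com",
    "azureonlinecloud[.]com", "officeaddons[.]com", "azureonlinestorage[.]com",
    "officestoragebox[.]com", "dunamistrd[.]com", "pbxcloudeservices[.]com",
    "glcloudservice[.]com", "pbxphonenetwork[.]com", "qwepoi123098[.]com",
    "zacharryblogs[.]com", "sbmsa[.]wiki", "pbxsources[.]com", "sourceslabs[.]com",
    "journalide[.]org", "visualstudiofactory[.]com",
]


def refang(indicator):
    """Turn a defanged indicator ("[.]", "hxxp") back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().strip(".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def domain_matches(name, iocs=IOC_DOMAINS):
    """Return the matching IoC for an exact hit or a subdomain of one (cdn.a.com -> a.com).
    Matching is label-wise, so notexample.com does not match example.com."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


QUERY_RE = re.compile(r"\bquery=([A-Za-z0-9.-]+)")


def match_dns_log(lines):
    """Return (line_number, queried_name, matched_ioc) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc = domain_matches(m.group(1))
        if ioc:
            hits.append((n, m.group(1), ioc))
    return hits


def sha256_file(path):
    """Stream a file through SHA256 so large installers do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(index, iocs=IOC_SHA256):
    """index maps path -> sha256 hex; returns the entries whose hash is a known IoC."""
    return [(p, h) for p, h in index.items() if h.lower() in iocs]


def sweep_directory(root):
    """Hash the side-loaded DLL names and installer types named in the advisory under root."""
    watched = ("ffmpeg.dll", "d3dcompiler_47.dll")
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() in watched or f.lower().endswith((".msi", ".dmg")):
                p = os.path.join(dirpath, f)
                index[p] = sha256_file(p)
    return match_hashes(index)


# Constructed sample DNS log lines (not real telemetry).
SAMPLE_DNS_LOG = [
    "2023-03-29T10:15:02Z client=10.0.0.15 query=cdn.akamaitechcloudservices.com type=A",
    "2023-03-29T10:15:03Z client=10.0.0.15 query=www.example.com type=A",
    "2023-03-29T10:16:40Z client=10.0.0.22 query=msstorageazure.com type=A",
    "2023-03-29T10:17:01Z client=10.0.0.22 query=notmsstorageazure.com type=A",
]


def demo_sweep():
    """Hash a constructed benign ffmpeg.dll in a temp dir; expected to return no hits."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "ffmpeg.dll"), "wb") as f:
            f.write(b"constructed benign content")
        return sweep_directory(tmp)


if __name__ == "__main__":
    print("DNS hits :", match_dns_log(SAMPLE_DNS_LOG))
    print("file hits:", demo_sweep())
```

The label-wise domain match is deliberate: a substring test would flag notmsstorageazure.com as a hit and miss nothing, but it produces false positives on unrelated names, whereas comparing whole DNS labels catches cdn.akamaitechcloudservices.com while leaving look-alikes alone.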
Threat Landscape
3CX Private Automatic Branch Exchange (PBX) software is an attractive supply-chain target for threat actors. In addition to monitoring communications of the organisation, attackers can modify call routing or broker connections into voice services.
3CX has a significant portion of the unified-communications market share. Given that threat actors generally weigh a combination of probability and asset value to determine which attack surfaces to focus on, 3CX systems have become a prime target. Because VoIP systems have become an integral aspect of both personal and business affairs, threat actors will continue to exploit vulnerabilities contained within these products in an attempt to extract sensitive data.
Threat Group
It is possible that the nation state-backed threat actor group tracked as “Labyrinth Chollima” is responsible for the reported attacks. However, at the time of writing, such an attribution is far from conclusive.
Labyrinth Chollima operations are known to overlap with other threat actors. The group is considered to be a subset of the APT37/APT38 cyber-criminal gang, a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.
Mitre Methodologies
Tactic:
TA0001 – Initial Access
Initial access technique:
T1195 – Supply Chain Compromise
Tactic:
TA0002 – Execution
Execution technique:
T1059 – Command and Scripting Interpreter
Tactic:
TA0006 – Credential Access
Credential access technique:
T1212 – Exploitation for Credential Access
Further Information
CrowdStrike Blog
SentinelOne Blog