May 28, 2023

Hackers have compromised 3CX, a popular videoconferencing and business phone management application used by more than 600,000 companies.

Security research providers issued multiple warnings this week about the compromise. The threat actors behind the breach are believed to be associated with a North Korean state-backed group known as Labyrinth Chollima. The hackers are using the compromised 3CX application to launch cyberattacks against its users.


The 600,000 companies that use 3CX include major enterprises such as Coca-Cola, McDonald’s, and BMW AG. The software has about 12 million daily users worldwide.

According to multiple blogs, many customers reported that their antivirus software had flagged the application as malicious. The malicious version of the 3CX application was shipped at the start of this month. The malware sends the data it steals to a remote C2 server controlled by the threat actors.

Both the Windows and Mac versions are affected: the 3CX desktop client’s installer packaged malicious code, and customers who already had 3CX installed received an update that likewise contains malicious code.

In this case, both the malicious installer and its corresponding update are signed. Code signing is a mechanism that lets customers confirm that the code was produced by the vendor; through it, a system can verify that an application it is about to install came from the original source rather than from a malicious server. Because the tampered builds carried a valid signature, that check did not stop them.

The malicious 3CX application deploys malware on users’ machines through a three-phase process.

  • The first phase involves a pair of malicious DLL files that the hackers added to the desktop client.
  • Once activated, the two files download more malicious code from a GitHub repository.
  • In the third phase, the code downloaded from GitHub installs data-stealing malware.

That malware can collect data about the device on which it’s running, as well as exfiltrate information from applications such as Chrome. It reportedly uses several different tactics to access sensitive files. The malware can also activate an interactive command shell, a program normally used by administrators to change a computer’s configuration and retrieve system data.
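As an added illustration (not code from the original article or from 3CX), the following Python sketch turns the two behaviours described above, a softphone pulling a second stage from GitHub and a softphone spawning a command shell, into detection rules run over constructed endpoint telemetry; the JSON log format, the process image name and the host names are assumptions.

```python
import json
from typing import Optional

# Constructed sample telemetry (not real 3CX logs): one JSON event per line.
# "ws-17" and the image names are placeholders, not values from the incident.
SAMPLE_EVENTS = """
{"ts": "2023-03-29T10:01:02Z", "host": "ws-17", "type": "network", "image": "C:/Program Files/3CX/3cxdesktopclient.exe", "dest_host": "raw.githubusercontent.com", "dest_port": 443}
{"ts": "2023-03-29T10:01:05Z", "host": "ws-17", "type": "network", "image": "C:/Program Files/3CX/3cxdesktopclient.exe", "dest_host": "sip.provider.invalid", "dest_port": 5061}
{"ts": "2023-03-29T10:02:11Z", "host": "ws-17", "type": "process", "image": "C:/Program Files/3CX/3cxdesktopclient.exe", "child_image": "C:/Windows/System32/cmd.exe"}
{"ts": "2023-03-29T10:02:30Z", "host": "ws-17", "type": "network", "image": "C:/Program Files/Google/Chrome/chrome.exe", "dest_host": "github.com", "dest_port": 443}
"""

# A desktop softphone has no reason to fetch code from a code-hosting service;
# the article describes the second stage being downloaded from a GitHub repository.
CODE_HOSTING_DOMAINS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}

# Interpreters whose launch by the softphone matches the "interactive command shell"
# capability the article describes.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "zsh"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_softphone(image: str) -> bool:
    """Heuristic match on the client binary name; exact names vary by platform and version."""
    return "3cx" in basename(image)


def evaluate(event: dict) -> Optional[str]:
    """Return the name of the rule an event trips, or None if it is benign under these rules."""
    if not is_softphone(event.get("image", "")):
        return None
    if event["type"] == "network" and event.get("dest_host", "").lower() in CODE_HOSTING_DOMAINS:
        return "softphone_fetch_from_code_hosting"
    if event["type"] == "process" and basename(event.get("child_image", "")) in SHELL_IMAGES:
        return "softphone_spawned_shell"
    return None


def detect(events_text: str) -> list:
    """Run every rule over newline-delimited JSON events and collect the alerts."""
    alerts = []
    for line in events_text.strip().splitlines():
        event = json.loads(line)
        rule = evaluate(event)
        if rule:
            alerts.append({"rule": rule, "host": event["host"], "ts": event["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The Chrome connection to github.com is deliberately left unflagged: the rules key on which process is talking, not on the destination alone.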

Leading security providers such as CrowdStrike and SentinelOne, along with multiple other antivirus vendors, automatically block the malicious 3CX client.
