The 3CXDesktopApp, a softphone application for Windows and Mac computers made by 3CX, appears to have been compromised and is being used in an active supply chain attack. Once a machine is compromised, the malware beacons back to the attacker’s infrastructure, drops additional payloads and spawns interactive command shells.
The RocketCyber SOC is actively hunting for indicators of compromise across all customer environments. We are seeing this attack being exploited in the wild. Upon detection of a compromise, a Security Incident will be created (sent via email or PSA ticket) and the SOC will contact the emergency number(s) configured in the customer’s account with details.
You must enable the IOC App to receive this detection – if you do not have this app enabled, please follow the instructions at: https://helpdesk.kaseya.com/hc/en-gb/articles/10293423639313-IOC-Detection-App
Background & Details:
3CX is a VoIP IPBX company that makes phone systems – one component is a softphone application that customers run from their Windows or Mac computer. CrowdStrike and SentinelOne first detected abnormal behavior from the 3CXDesktopApp. The attack leverages 3CX code signing certificates and a trojanized installer, which indicates that the application itself has been compromised.
The 3CXDesktopApp typically uses the following paths:
/Applications/3CX Desktop App.app (MacOS)
It is recommended to uninstall the 3CXDesktopApp from machines until further guidance is available from 3CX.
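To inventory which hosts still have the application installed before uninstalling it, the following shell check is offered as an added example; it is not RocketCyber, Kaseya or 3CX code. It looks for the macOS bundle path quoted above under a caller-supplied filesystem root (so it can also be pointed at a mounted image or a test directory); the ROOT argument, the function names and the `3CX_PRESENT`/`3CX_ABSENT` status strings are this example's own assumptions, and only the macOS path from this advisory is included.

```shell
#!/bin/sh
# Added example (not RocketCyber/3CX code): report whether the 3CXDesktopApp
# bundle named in the advisory exists under a given filesystem root, so the
# check can be collected fleet-wide or run against a mounted disk image.
# The ROOT argument and status strings are assumptions of this example.

# macOS install path quoted in the advisory.
THREECX_MAC_APP="Applications/3CX Desktop App.app"

# find_3cx_app ROOT
# Prints the full bundle path and returns 0 if it exists under ROOT;
# prints nothing and returns 1 otherwise. ROOT defaults to "/".
find_3cx_app() {
    root="${1:-/}"
    # Avoid producing a double slash when ROOT is "/".
    case "$root" in
        */) candidate="${root}${THREECX_MAC_APP}" ;;
        *)  candidate="${root}/${THREECX_MAC_APP}" ;;
    esac
    if [ -d "$candidate" ]; then
        printf '%s\n' "$candidate"
        return 0
    fi
    return 1
}

# report_3cx_status ROOT
# Prints one line suitable for an RMM or inventory job to collect:
# "3CX_PRESENT <path>" or "3CX_ABSENT".
report_3cx_status() {
    if app=$(find_3cx_app "$1"); then
        printf '3CX_PRESENT %s\n' "$app"
    else
        printf '3CX_ABSENT\n'
    fi
}

# Stand-alone usage: check the live filesystem (or the root given as $1).
report_3cx_status "${1:-/}"
```

A `3CX_PRESENT` result only tells you the application is installed, not whether that copy is the trojanized build; the advisory's guidance is to uninstall regardless until 3CX publishes further guidance, and to isolate any host on which the IOC App raises a detection.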
If RocketCyber detects a compromise, isolate the machine and closely monitor the environment. Given that this is a new attack and a fluid, evolving situation, a compromised machine may have additional beacons, footholds and obfuscated malware installed. It is best practice to treat the machine as untrusted and wipe the computer to ensure the threat is removed.
Indicators of Compromise
Credit to CrowdStrike for disclosing details to the security community: