Summary:
The 3CXDesktopApp, a softphone application for Windows and Mac computers made by 3CX, appears to have been compromised and is being used in an active supply chain attack. Once a machine is compromised, the malware beacons back to the attacker’s infrastructure, drops additional payloads and spawns interactive command shells.
The RocketCyber SOC is actively hunting for indicators of compromise across all customer environments. We are seeing this attack being exploited in the wild. Upon detection of a compromise, a Security Incident will be created (sent via email or PSA ticket) and the SOC will contact the emergency number(s) configured in the customer’s account with details.
You must enable the IOC App to receive this detection – if you do not have this app enabled, please follow the instructions at: https://helpdesk.kaseya.com/hc/en-gb/articles/10293423639313-IOC-Detection-App
Background & Details:
3CX is a VoIP IPBX company that makes phone systems – one component is a softphone application that customers run from their Windows or Mac computer. CrowdStrike and SentinelOne first detected abnormal behavior from the 3CXDesktopApp. The attack leverages 3CX code signing certificates and a trojanized installer, which indicates that the application itself has been compromised.
The 3CXDesktopApp typically uses the following paths:
*\ProgramData\3CXPhone (Windows)
*\AppData\Local\Programs\3CXDesktopApp (Windows)
/Applications/3CX Desktop App.app (MacOS)
Recommended Actions:
It is recommended to uninstall the 3CXDesktopApp from machines until further guidance is available from 3CX.
If RocketCyber detects a compromise, isolate the machine and closely monitor the environment. Because this is a new attack and the situation is still evolving, a compromised machine may have additional obfuscated beacons, footholds and malware installed. It is best practice to treat the machine as untrusted and wipe the computer to ensure the threat is removed.
Indicators of Compromise
Credit to CrowdStrike for disclosing details to the security community:
Hashes:
SHA-1 20d554a80d759c50d6537dd7097fed84dd258b3e
SHA-1 bf939c9c261d27ee7bb92325cc588624fca75429
SHA-1 cad1120d91b812acafef7175f949dd1b09c6c21a
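A defender-side hunting script, added here as an example and not part of the RocketCyber or 3CX advisory: it expands the install paths listed above (taking the `*` as the system drive or a user profile, which is an assumption), hashes every file beneath them, and reports any file whose SHA-1 matches the three hashes above. `KNOWN_SHA1`, `candidate_install_dirs` and `scan_tree` are this example's own names.

```python
import hashlib
import os
from pathlib import Path

# SHA-1 indicators from the advisory above (CrowdStrike disclosure).
KNOWN_SHA1 = {
    "20d554a80d759c50d6537dd7097fed84dd258b3e",
    "bf939c9c261d27ee7bb92325cc588624fca75429",
    "cad1120d91b812acafef7175f949dd1b09c6c21a",
}

def candidate_install_dirs():
    """Expand the advisory's install paths on this host. Assumption: the '*'
    is the system drive for ProgramData and a user profile for AppData."""
    dirs = []
    if os.name == "nt":
        drive = os.environ.get("SystemDrive", "C:")
        dirs.append(Path(drive + r"\ProgramData\3CXPhone"))
        users = Path(drive + r"\Users")
        if users.is_dir():
            for profile in users.iterdir():
                dirs.append(profile / "AppData" / "Local" / "Programs" / "3CXDesktopApp")
    else:
        dirs.append(Path("/Applications/3CX Desktop App.app"))
    return [d for d in dirs if d.is_dir()]

def sha1_of(path, chunk=1 << 20):
    """Stream a file through SHA-1 so large installers do not need to fit in RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_tree(root, known=KNOWN_SHA1):
    """Hash every regular file under root; return [(path, sha1)] for files whose
    SHA-1 is in the known-bad set. Files that cannot be read are skipped."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = sha1_of(p)
        except OSError:
            continue
        if digest in known:
            hits.append((str(p), digest))
    return hits

if __name__ == "__main__":
    for d in candidate_install_dirs():
        print(f"[!] 3CXDesktopApp install directory present: {d}")
        for path, digest in scan_tree(d):
            print(f"[!!] IoC hash match: {path} ({digest})")
```

A directory hit alone means the app is installed and should be removed per the guidance above; a hash hit means a known-bad file is present and the machine should be isolated.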