Preventing and Detecting Attacks Involving 3CX Desktop App
Note: This is a developing story and will be updated as needed.
In late March 2023, security researchers revealed that threat actors abused a popular business communication software from 3CX — in particular, the reports mention that a version of the 3CX VoIP (Voice over Internet Protocol) desktop client was being employed to target 3CX’s customers as part of an attack.
On its forums, 3CX has posted an update that recommends uninstalling the desktop app and using the Progressive Web App (PWA) client instead. The company also mentioned that they are working on an update to the desktop app.
In addition to 3CX’s recommendations, Trend Micro solutions can help provide protection against potential exploits. Trend Micro Web Reputation Services (WRS) Protection blocks several domains (listed at the end of the article) identified as malicious command-and-control (C&C) points. Known trojanized versions of the application are being detected as Trojan.Win64.DEEFFACE.A. by the Trend Micro Smart Scan Pattern (cloud-based) TBL 21474.300.40 for endpoint, servers, mail, and gateway.
Additional guidance for Trend Micro customers including help with protection and detection can be found on our support page.
Meanwhile, the GitHub page used for staging the attack (raw.githubusercontent[.]com/IconStorages/images/main/) has been taken down as of the time of writing. Note that the process exits when the page is inaccessible.
The 3CX app is a private automatic branch exchange (PABX) software that provides several communication functions for its users, including video conferencing, live chat, and call management. The app is available on most major operating systems, including Windows, macOS, and Linux. Additionally, the client is available as a mobile application for both Android and iOS devices, while a Chrome extension and the PWA version of the client allow users to access the software through their browsers.
The issue was said to be limited to the Electron (non-web versions) of their Windows package (versions 18.12.407 and 18.12.416) and macOS clients (versions 18.11.1213, 18.12.402, 18.12.407 and 18.12.416).
According to the company’s website, more than 600,000 businesses and over 12 million daily users around the world use 3CX’s VoIP IPBX software.
How does the attack work?
The attack is reportedly a multi-stage chain in which the initial step involves a compromised version of the 3CX desktop app. Based on initial analysis, the MSI package (detected by Trend Micro as Trojan.Win64.DEEFFACE.A and Trojan.Win64.DEEFFACE.SMA) is the one that is compromised with possible trojanized DLLs, since the .exe file has the same name.
The infection chain begins with 3CXDesktopApp.exe loading ffmpeg.dll (detected as Trojan.Win64.DEEFFACE.A andTrojan.Win64.DEEFFACE.SMA). Next, ffmpeg.dll reads and decrypts the encrypted code from d3dcompiler_47.dll (detected as Trojan.Win64.DEEFFACE.A and Trojan.Wind64.DEEFACE.SMD3D). The decrypted code seems to be the backdoor payload that tries to access the IconStorages GiHub page to access an ICO file (detected as Trojan.Win32.DEEFFACE.ICO) containing the encrypted C&C server that the backdoor connects to in order to retrieve the possible final payload.
Read More HERE
