3CX CEO suggests state-sponsored hackers behind supply chain malware attack

Black screen with neon blue lines of code written across and a skull shape appears overlayed the code
(Image credit: Shutterstock)

Business communications firm 3CX confirmed the downloader for its voice over IP (VoIP) desktop software has been tampered with and now installs a version that sideloads malware onto a victim's computer

The issue, dubbed 'SmoothOperator', is believed to be a supply chain malware attack carried out by a suspected state-sponsored threat actor, with attacks starting last week, according to user reports.

3CX revealed in a blog post on Thursday that it noticed a “security issue” in its Electron Windows App with Update 7, version numbers 18.12.407 & 18.12.416.

It added that antivirus vendors may have flagged the legitimate 3CXDesktopApp.exe and uninstalled it.

3CX said it was still researching the issue, but believes it originated in one of the bundled libraries it compiled into the Windows Electron App via GIT. The domains contacted by the compromised library have already been reported, with most shut off overnight, said CISO Pierre Jourdan.

“A GitHub repository which listed them has also been shut down, effectively rendering it harmless,” he said.

“Worth mentioning - this appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state-sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware,” said Jourdan. “The vast majority of systems, although they had the files dormant, were in fact never infected.”

The company is currently working on a new Windows App that isn’t affected by the issue, and will also issue a new certificate for the app. Jourdan said this will take at least 24 hours.

He also encouraged customers to use its PWA app, which is completely web-based. “The advantage is that it does not require any installation or updating and chrome web security is applied automatically,” he said.

3CX CEO Nick Galea said in a company forum post that the issue was reported to the organisation on the evening of 29 March.

He recommended uninstalling the app and installing it again, and added that if customers are running Windows Defender it will uninstall it automatically. Galea said the company is going to analyse the issue and release a report later on Thursday, but is now only focusing on the update.

Analysis of 3CX's supply chain malware attack

Researchers from cyber security vendors CrowdStrike, Sophos, and SentinelOne published alerts on 29 March detailing that the 3CX desktop app had been compromised.

Sophos said the malware installs via a DLL sideloading scenario "with a remarkable number of components involved".

These include the legitimate 3CX desktop app itself, which continues to operate as normal after installation, a dynamic link library (DLL) with an encrypted payload, and another DLL acting as the trojanised malicious loader.

The trojanised 3CX desktop app is the first stage in a multi-stage attack chain. Icon (ICO) files are then downloaded from a GitHub repository, which dates back to December 2022, and the files have Base64-encoded data appended to them.

According to SentinelOne researchers, this data is then decoded and used to download the next stage of the attack which implements the malware's functionality.

The malware is an information stealer that collects data from the Google Chrome, Microsoft Edge, Brave, and Firefox browsers. The stolen data includes browsing history and other data.


Supply chain as kill chain

Security in the era Zero Trust


Sophos said that the legitimate 3CX app had been abused by threat actors to also communicate with a number of command-and-control servers (C2).

“The software is a digitally signed version of the softphone desktop client for Windows and is packaged with a malicious payload. The most common post-exploitation activity observed to date is the spawning of an interactive command shell,” its report read.

“The attackers have managed to manipulate the application to add an installer which uses DLL sideloading to ultimately retrieve a malicious, encoded payload,” said Matt Gangwer, managed threat response at Sophos.

Sophos had confirmed in its alert that only Windows had been affected by this issue, while CrowdStrike researchers found that both macOS and Windows were affected.

“This is a classic supply chain attack, designed to exploit trust relationships between an organisation and external parties, this includes partnerships with vendors or the use of a third-party software which most businesses are reliant on in some way," said Lotem Finkelstein, director of threat intelligence and research at Check Point.

3CX claims to have more than 600,000 customers and serves companies like American Express, the NHS, Coca-Cola, and McDonald’s.

“We are fully aware of the situation and our whole team is fully focused on finding a solution to this security issue,” a 3CX spokesperson told IT Pro. “We are extensively researching the matter in order to provide a more detailed response today.”

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.