3CX VoIP Software Compromised by North Korean Hackers in DLL-Sideloading Attack

The 3CX Desktop App

The 3CX desktop app is a well-known voice-over-internet-protocol (VOIP) software used by more than 600,000 businesses and over 12 million daily users worldwide, has recently been targeted by a nation-state threat actor suspected to be from North Korea.

3CX Desktop App 1024x575

According to cybersecurity companies Sophos and CrowdStrike, the threat actor has used a DLL sideloading scenario to add a malicious installer to the legitimate 3CX PBX phone system. The malicious version of the 3CX desktop app, affecting Windows and macOS users, communicates with various command-and-control (C&C) servers, deploys second-stage payloads, and can even carry out hands-on-keyboard activity in some cases.

The 3CX Desktop app Vulnerability

The attack is reportedly a multi-stage chain that begins with a compromised version of the 3CX desktop app, which loads ffmpeg.dll and decrypts the backdoor payload that tries to access the IconStorages GitHub page to retrieve the possible final payload. It then contacts the servers noted in the list of indicators of compromise (IOCs) to extract system information and hijack data and stored login credentials from user profiles on Chrome, Edge, Brave, and Firefox web browsers.

In response to the attack, 3CX has recommended uninstalling the desktop app and using the Progressive Web App (PWA) client instead while they work on an update to the desktop app. The GitHub page used for staging the attack has been taken down, but the threat actor’s intentions remain unclear. The attack seems to have been highly targeted, with cybersecurity experts suspecting that the threat actor aimed to collect sensitive data from specific targets.

The compromised 3CX app is a private automatic branch exchange (PABX) software used to manage multiple inbound and outbound lines, including call routing and voicemail features. It offers video conferencing, live chat, and call management functions and is available on most major operating systems, including Windows, macOS, and Linux. Additionally, the client is available as a mobile application for both Android and iOS devices, while a Chrome extension and the PWA version of the client allow users to access the software through their browsers.

The attack highlights the need for businesses to remain vigilant and regularly update their software to protect themselves against such sophisticated cyberattacks. It also serves as a reminder to always follow recommended security practices, such as using multi-factor authentication, regularly backing up data, and monitoring network traffic for any suspicious activity.


About the author

George Slaine

Leave a Comment