What You Need to Know About the 3CX Supply Chain Attack
Executive Summary
A supply chain attack that targets customers of the 3CX Voice Over Internet Protocol (VoIP) desktop client has been discovered.
Threat actors have created a digitally signed and malicious version of the software, which is being used to target both Windows and macOS users of the app.
The threat actors are deploying second-stage payloads and are believed to be linked to a North Korean state-backed hacking group, although this attribution has not been confirmed.
This campaign was given the name “SmoothOperator” and 3CX is still working on a software update that will mitigate it.
Impact Of The 3CX Supply Chain Attack
Over the past two days, a large-scale supply chain attack was discovered targeting the 3CX Voice Over Internet Protocol (VoIP) desktop client, which is used by around 600,000 companies worldwide.
The campaign affects both Windows and macOS machines.
The “SmoothOperator” attack starts either with a trojanized MSI installer downloaded from 3CX’s website or with an update pushed to applications that are already installed, which indicates that the threat actors behind this campaign were able to compromise 3CX’s infrastructure.
Once the malicious installer or update is executed, it loads two malicious DLLs, ffmpeg.dll and d3dcompiler_47.dll. These files are responsible for downloading and executing the final stage of the attack from several files hosted on GitHub.
That final stage enables data theft and the deployment of backdoors and reverse shells on the victim’s network, giving the threat actors a powerful foothold with extensive control over the compromised hosts.
Who Carried Out The Attack?
A highly skilled group is responsible for this campaign, which is currently attributed to the North Korean Lazarus Group, although the attribution is not fully confirmed.
Evidence suggests that the GitHub repositories linked to this attack have been active since December 2022.
3CX states that it is still working on an update that will mitigate this attack; in the meantime, it recommends reinstalling the 3CX desktop client. The company has also announced that the iOS and Android versions are not affected, and the root cause appears to be an upstream library used in the product.
IOCs of the 3CX Supply Chain Attack
SHA-256:
- 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
- 11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03
Malicious Domains:
- akamaicontainer[.]com
- akamaitechcloudservices[.]com
- azuredeploystore[.]com
- azureonlinecloud[.]com
- azureonlinestorage[.]com
- dunamistrd[.]com
- glcloudservice[.]com
- qwepoi123098[.]com
- sbmsa[.]wiki
- sourceslabs[.]com
- visualstudiofactory[.]com
- msedgepackageinfo[.]com
- msstorageazure[.]com
- msstorageboxes[.]com
- officeaddons[.]com
- officestoragebox[.]com
- pbxcloudeservices[.]com
- pbxphonenetwork[.]com
- zacharryblogs[.]com
- pbxsources[.]com
- journalide[.]org
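The following Python script is an added example (not part of the original article or of 3CX’s own tooling) that turns the indicators above into a sweep a responder can run offline: it hashes the files under a directory and compares the digests against the SHA-256 IOCs, which is how the trojanized ffmpeg.dll and d3dcompiler_47.dll described above would be spotted on disk, and it refangs the defanged domains so DNS or proxy logs can be scanned for lookups of those domains or their subdomains. The hashes and domains are taken from the list above; the DNS log lines, the directory layout and the script name ioc_sweep.py are constructed assumptions for the demonstration.

```python
"""Offline IOC sweep for the 3CX "SmoothOperator" indicators listed in this article.

Added example, not code from the original article or from 3CX. Two checks:
  1. SHA-256 every file under a directory (e.g. a 3CX install folder) and flag
     any digest found in the IOC list (trojanized ffmpeg.dll / d3dcompiler_47.dll);
  2. refang the defanged domains (akamaicontainer[.]com -> akamaicontainer.com)
     and scan DNS/proxy log lines for those domains or any subdomain of them.
SAMPLE_DNS_LOG is constructed for the demonstration, not real traffic.
"""
import hashlib
import re
import sys
from pathlib import Path

# SHA-256 indicators from the article.
IOC_SHA256 = {
    "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896",
    "11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03",
}

# Domain indicators from the article, kept defanged in source so this file
# is not itself flagged as a C2 reference by other scanners.
IOC_DOMAINS_DEFANGED = """
akamaicontainer[.]com akamaitechcloudservices[.]com azuredeploystore[.]com
azureonlinecloud[.]com azureonlinestorage[.]com dunamistrd[.]com
glcloudservice[.]com qwepoi123098[.]com sbmsa[.]wiki sourceslabs[.]com
visualstudiofactory[.]com msedgepackageinfo[.]com msstorageazure[.]com
msstorageboxes[.]com officeaddons[.]com officestoragebox[.]com
pbxcloudeservices[.]com pbxphonenetwork[.]com zacharryblogs[.]com
pbxsources[.]com journalide[.]org
""".split()


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a hostname: 'a[.]b' -> 'a.b'."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large MSI/DLL files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def match_hashes(digests_by_path):
    """Given (path, sha256) pairs, return {path: sha256} for digests in IOC_SHA256."""
    return {p: d.lower() for p, d in digests_by_path if d.lower() in IOC_SHA256}


def scan_directory(root):
    """Hash every regular file under root and return the IOC hits."""
    files = (p for p in Path(root).rglob("*") if p.is_file())
    return match_hashes((str(p), sha256_file(p)) for p in files)


# Loose hostname matcher: labels of letters/digits/hyphens joined by dots.
HOST_RE = re.compile(
    r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+", re.I
)


def matching_domain(hostname: str):
    """Return the IOC domain that hostname equals or is a subdomain of, else None.

    Matching on the label boundary ('.' + ioc) avoids flagging a host such as
    notmsstorageazure.com merely because it ends with the IOC string.
    """
    host = hostname.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log_lines(lines):
    """Return (line_no, hostname, ioc) for every hostname in lines that hits an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            ioc = matching_domain(host)
            if ioc:
                hits.append((n, host.lower(), ioc))
    return hits


# Constructed DNS resolver log for the demo; not real traffic.
SAMPLE_DNS_LOG = [
    "2023-03-30T10:15:02Z client=10.0.0.12 query=A name=login.microsoftonline.com rcode=NOERROR",
    "2023-03-30T10:15:09Z client=10.0.0.12 query=A name=cdn.AKAMAICONTAINER.com rcode=NOERROR",
    "2023-03-30T10:16:41Z client=10.0.0.33 query=A name=github.com rcode=NOERROR",
    "2023-03-30T10:17:05Z client=10.0.0.33 query=A name=msstorageazure.com rcode=NOERROR",
    "2023-03-30T10:17:30Z client=10.0.0.45 query=A name=notmsstorageazure.com rcode=NOERROR",
]


if __name__ == "__main__":
    # Usage: python ioc_sweep.py [directory_to_hash] [dns_log_file]
    lines = Path(sys.argv[2]).read_text().splitlines() if len(sys.argv) > 2 else SAMPLE_DNS_LOG
    for hit in scan_log_lines(lines):
        print("domain hit: line %d %s -> %s" % hit)
    if len(sys.argv) > 1:
        for path, digest in scan_directory(sys.argv[1]).items():
            print("hash hit:", path, digest)
```

Run against the constructed log, the script reports the cdn.akamaicontainer.com subdomain lookup and the direct msstorageazure.com lookup, and stays silent on notmsstorageazure.com because matching is done on the label boundary rather than with a plain substring test. Point it at a 3CX installation directory to hash the shipped DLLs against the two published digests; a clean install produces no hash hits.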