What You Need to Know About the 3CX Supply Chain Attack
What you need to know about the 3cx supply chain attack
  • Table of contents

The author

user_image
Shmuel Gihon
Share on LinkedIn

Research Team Leader at Cyberint

Table of contents

Related Articles

Recent Supply Chain Attacks Examined
Research

The Weak Link: Recent Supply Chain Attacks Examined

We examine the recent supply chain attack growth, especially in 2022/3, the evolution of TTPs,...
Apr 16, 2024
Learn more
ra group
Research

The Uptick in RA Group Ransomware’s Activity

The actor is rapidly expanding its operations. RA Group opened its data leak site on...
Apr 8, 2024
Learn more
Research

What You Need to Know About the 3CX Supply Chain Attack

Mar 30, 2023

Executive Summary

A supply chain attack that targets customers of the 3CX Voice Over Internet Protocol (VoIP) desktop client has been discovered.

Threat actors have created a digitally signed and malicious version of the software, which is being used to target both Windows and macOS users of the app.

The threat actors are deploying second-stage payloads and are believed to be linked to a North Korean state-backed hacking group, , although this attribution has not been confirmed.

This campaign was given the name “SmoothOperator” and 3CX is still working on a software update that will mitigate it.

Impact Of The 3CX Supply Chain Attack

Over the past two days, a massive supply chain attack was discovered, targeting the 3CX Voice Over Internet Protocol (VOIP) desktop client, which is being used by around 600,000 companies worldwide.

This campaign seems to affect Windows and MacOS machines.

As mentioned, the “SmoothOperator” attack starts with the MSI installer being downloaded from the 3CX’s website or an update being pushed to applications already installed, suggesting that the threat actors behind this campaign were able to compromise 3CX’s infrastructure.

Once the update or the malicious installer is executed, it loads two malicious DLLs – ffmpeg.dll and d3dcompiler_47.dll. These files are responsible for downloading and executing the final phase of the attack from several sources in GitHub.

This campaign will result in data theft, applying backdoors and reverse shells on the victim’s network as it puts the threat actors in a powerful position and with complete control.

Who Carried Out The Attack?

Highly trained individuals are responsible for this campaign and the attack is currently attributed to the North Korean Lazarus Group, although it is not fully confirmed.

Evidence suggests that the GitHub repositories linked to this attack have been active since December 2022.

3CX claim that they are still working on an update that will mitigate this attack, and in the meantime, they recommend reinstalling the 3CX desktop client. In addition, the company also announced that this campaign did not impact iOS and Android versions and it seems that the main fail point of this attack is due to an upstream library they use in their product.

IOCs of the 3CX Supply Chain Attack

SHA-256:

  • 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
  • 11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03

Malicious Domains:

  • akamaicontainer[.]com
  • akamaitechcloudservices[.]com
  • azuredeploystore[.]com
  • azureonlinecloud[.]com
  • azureonlinestorage[.]com
  • dunamistrd[.]com
  • glcloudservice[.]com
  • qwepoi123098[.]com
  • sbmsa[.]wiki
  • sourceslabs[.]com
  • visualstudiofactory[.]com
  • msedgepackageinfo[.]com
  • msstorageazure[.]com
  • msstorageboxes[.]com
  • officeaddons[.]com
  • officestoragebox[.]com
  • pbxcloudeservices[.]com
  • pbxphonenetwork[.]com
  • zacharryblogs[.]com
  • pbxsources[.]com
  • journalide[.]org

 

 

 

Uncover your compromised credentials from the deep and dark web

Fill in your business email to start