Multiple cybersecurity vendors warned that a supply chain attack is using trojanized, digitally signed installers of 3CX’s desktop app to target the company’s downstream customers. Security researchers have dubbed the activity SmoothOperator. The installer pulls ICO files with Base64-encoded data appended to them from GitHub, and that data ultimately leads to a third-stage infostealer DLL.
The malware is an information stealer, which can gather sensitive data stored in browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, and Brave.
Cybersecurity firm CrowdStrike suspects that the attack is linked to a North Korean nation-state actor it tracks as Labyrinth Chollima, which is a sub-cluster within the notorious Lazarus Group.
3CX, which claims more than 600,000 customers and 12 million users in 190 countries, including BMW, Pepsi, Toyota, and Ikea, is currently working on a software update for its desktop app.
SentinelOne researchers said that the trojanized 3CX desktop app is the first stage in a multi-stage attack chain. The affected builds are the Windows Electron client (versions 18.12.407 and 18.12.416) and the macOS client of the 3CX PBX phone system.
The infection chain relies on DLL side-loading: the legitimate, signed application loads a rogue ffmpeg.dll placed alongside it, and that library retrieves the icon file (ICO) payload from GitHub. The repository that hosted the file has since been taken down.
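The reports above describe the staging artifact as an ICO file with Base64 data appended after the image. An ICO declares the size and offset of every image it contains, so any bytes beyond the last declared image are a concrete, file-format-level indicator to hunt for. The following triage helper is an added example written for this page; it is not tooling from 3CX, CrowdStrike or SentinelOne, and the sample icons it checks are constructed here (placeholder image bytes, a constructed trailer), not the real SmoothOperator files.

```python
import base64
import binascii
import struct
from typing import Optional, Tuple

# ICONDIR: reserved (0), type (1 = icon), number of images
ICO_HEADER = struct.Struct("<HHH")
# ICONDIRENTRY: width, height, colors, reserved, planes, bpp, image size, image offset
ICO_DIR_ENTRY = struct.Struct("<BBBBHHII")


def ico_payload_end(data: bytes) -> int:
    """Offset just past the last image the ICO directory declares.

    Raises ValueError if the header or directory is not a plausible ICO,
    so a truncated or forged directory is reported rather than trusted.
    """
    if len(data) < ICO_HEADER.size:
        raise ValueError("too short for an ICO header")
    reserved, img_type, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or img_type != 1 or count == 0:
        raise ValueError("not an ICO file")
    dir_end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size
    if len(data) < dir_end:
        raise ValueError("truncated icon directory")
    end = dir_end
    for i in range(count):
        *_, size, offset = ICO_DIR_ENTRY.unpack_from(
            data, ICO_HEADER.size + i * ICO_DIR_ENTRY.size
        )
        if offset < dir_end or offset + size > len(data):
            raise ValueError(f"directory entry {i} points outside the file")
        end = max(end, offset + size)
    return end


def appended_data(data: bytes) -> bytes:
    """Bytes that follow the last declared image; empty for a clean icon."""
    return data[ico_payload_end(data):]


def decode_trailer(trailer: bytes) -> Optional[bytes]:
    """Strictly Base64-decode a trailer; None if it is not valid Base64."""
    stripped = trailer.strip()
    if not stripped:
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def triage(data: bytes) -> Tuple[int, Optional[bytes]]:
    """(length of appended bytes, decoded Base64 payload or None)."""
    trailer = appended_data(data)
    return len(trailer), decode_trailer(trailer)


def build_ico(image: bytes, trailer: bytes = b"") -> bytes:
    """Construct a minimal single-image ICO for testing (sample data only)."""
    offset = ICO_HEADER.size + ICO_DIR_ENTRY.size
    header = ICO_HEADER.pack(0, 1, 1)
    entry = ICO_DIR_ENTRY.pack(16, 16, 0, 0, 1, 32, len(image), offset)
    return header + entry + image + trailer


# Constructed samples: a clean icon, one with a Base64 trailer, one with
# opaque (non-Base64) junk appended.
PLACEHOLDER_IMAGE = b"\x00" * 40
CLEAN_ICO = build_ico(PLACEHOLDER_IMAGE)
RIGGED_ICO = build_ico(
    PLACEHOLDER_IMAGE, base64.b64encode(b"example C2 string (constructed)")
)
JUNK_ICO = build_ico(PLACEHOLDER_IMAGE, b"\xff\xfe not base64")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_ICO), ("rigged", RIGGED_ICO), ("junk", JUNK_ICO)):
        print(name, triage(sample))
```

A non-empty trailer is the signal worth alerting on; whether it decodes as Base64 is secondary, since later campaigns may change the encoding but any data past the declared images is outside the format. Real icons from build pipelines occasionally carry a few bytes of padding, so treat the trailer length as a score rather than a verdict.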
3CX CEO Nick Galea said the company is issuing a new build to fix the issue and is urging customers to uninstall the app and install it again as a workaround. Galea said that the incident occurred because “an upstream library we use became infected.”
According to a follow-up update, the issue appears to be a bundled library that 3CX compiled into the Windows Electron app via git, and the company is further investigating the matter.