3CX is one of the world's largest developers of VoIP solutions for large corporations, and its software is used all over the world. According to the latest figures, 3CX provides services to more than 600,000 companies worldwide, with 12 million daily users. Among its largest customers are the automakers BMW, Honda, Toyota and Mercedes, the fast food chain McDonald's, grocery giant Coca-Cola, American Express Bank, Ikea, and others.
In March 2023, analysts from CrowdStrike and SentinelOne observed anomalous activity from the 3CX VoIP desktop application. The activity began after the application was downloaded from the vendor's website or after an installed copy was updated. At the same time, many users began to report that their antivirus software flagged the 3CX client application as malicious.
This is what SentinelOne analysts wrote in their report:
- Behavioral detections prevented these trojanized installers from running and led to immediate default quarantine.
- The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from GitHub and ultimately leads to a third-stage infostealer DLL still being analyzed as of the time of writing.
- The compromise includes a code signing certificate used to sign the trojanized binaries.
- Our investigation into the threat actor behind this supply chain is ongoing. The threat actor has registered a sprawling set of infrastructure starting as early as February 2022, but we don’t yet see obvious connections to existing threat clusters.
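The second stage described in the report hides its payload as base64 text appended after the end of an otherwise valid ICO file. A defender can spot such files without any signature by parsing the ICO directory, computing where the last image ends, and checking whether anything trails it. The script below is an added example written for this article, not code from SentinelOne, CrowdStrike or 3CX; the ICO layout follows the standard format (6-byte header, 16-byte directory entries, then image data), and the two sample files it inspects are constructed inline with fake image bytes and a fake payload.

```python
import base64
import re
import struct

# Standard ICO layout (assumed from the public format, not taken from the report):
#   header: reserved(2) type(2) count(2)
#   entry:  width(1) height(1) colors(1) reserved(1) planes(2) bpp(2) size(4) offset(4)
ICO_HEADER = struct.Struct("<HHH")
ICO_ENTRY = struct.Struct("<BBBBHHII")
B64_ALPHABET = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def ico_payload_end(data: bytes) -> int:
    """Return the offset just past the last byte any directory entry claims."""
    reserved, img_type, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or img_type != 1 or count == 0:
        raise ValueError("not an ICO file")
    end = ICO_HEADER.size + count * ICO_ENTRY.size
    for i in range(count):
        entry_off = ICO_HEADER.size + i * ICO_ENTRY.size
        *_, size, offset = ICO_ENTRY.unpack_from(data, entry_off)
        if offset + size > len(data):
            raise ValueError("directory entry points past end of file")
        end = max(end, offset + size)
    return end


def inspect_ico(data: bytes) -> dict:
    """Report trailing bytes after the declared image data and whether they decode as base64."""
    end = ico_payload_end(data)
    trailing = data[end:]
    result = {
        "declared_end": end,
        "trailing_bytes": len(trailing),
        "base64_like": False,
        "decoded_len": 0,
    }
    if trailing and B64_ALPHABET.match(trailing):
        compact = re.sub(rb"\s", b"", trailing)
        try:
            decoded = base64.b64decode(compact, validate=True)
        except ValueError:
            return result  # looks like base64 characters but does not decode cleanly
        result["base64_like"] = True
        result["decoded_len"] = len(decoded)
    return result


def build_ico(images: list) -> bytes:
    """Construct a minimal ICO container around the given image blobs (for the demo only)."""
    count = len(images)
    header = ICO_HEADER.pack(0, 1, count)
    offset = ICO_HEADER.size + count * ICO_ENTRY.size
    entries = b""
    for img in images:
        entries += ICO_ENTRY.pack(16, 16, 0, 0, 1, 32, len(img), offset)
        offset += len(img)
    return header + entries + b"".join(images)


# Constructed samples: the "images" are placeholder bytes, not real PNGs, and the
# payload is an arbitrary string standing in for whatever a real sample would carry.
FAKE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
CLEAN_ICO = build_ico([FAKE_IMAGE, FAKE_IMAGE])
PAYLOAD = b"constructed-second-stage-blob-not-real-data" * 3
APPENDED_ICO = CLEAN_ICO + base64.b64encode(PAYLOAD)

if __name__ == "__main__":
    for name, blob in (("clean.ico", CLEAN_ICO), ("appended.ico", APPENDED_ICO)):
        print(name, inspect_ico(blob))
```

Run over an icon cache or a set of files fetched from a web source, anything with a non-zero `trailing_bytes` count is worth a look, and `base64_like` with a sizeable `decoded_len` is the pattern the report describes. Trailing data alone is not proof of compromise (some tools pad icon files), so treat the result as a triage signal rather than a verdict.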
One theory attributes the attack to the North Korean hacker group Labyrinth Chollima, although no conclusive evidence has been published yet. In addition, as it turned out later, 3CX itself was compromised through an earlier supply chain attack on Trading Technologies.