3CX Desktop App Supply Chain Attack (SmoothOperator) Analysis

Keep up to date with latest blog posts

On March 29, 2023, CrowdStrike disclosed that 3CXDesktopApp, a popular softphone application from 3CX, was compromised as a part of a supply chain attack [1]. Adversaries were able to trojanize a legitimate and signed binary 3CXDesktopApp for their malicious activities. The attack, dubbed "SmoothOperator", was attributed to a North Korean APT group Labyrinth Chollima, a subset of the notorious Lazarus group. 

Picus Labs added new attack simulations for 3CX Desktop App supply chain compromise and related second-stage payloads to Picus Threat Library. In this blog, we explained the malicious techniques used by Labyrinth Chollima and how to mitigate them.

Simulate Supply Chain Attacks with 14-Day Free Trial of Picus Platform

3XC Desktop App Supply Change Attack Key Findings

  • The earliest detected malicious activity suggests that the attack started on March 22, 2023.
  • Both the Windows and macOS versions of 3CXDesktopApp were affected.
  • Trojanized 3CXDesktopApp versions were used to deploy second-stage payloads for reconnaissance, C2 communication, and exfiltration.
  • The attack pattern suggests that 3CX was compromised by the APT group beforehand, allowing adversaries to insert malicious code into 3CXDesktopApp.
  • The automatic update feature of 3CXDesktopApp may lead to the compromise of unaware users' hosts.
  • As of March 31, there is no patch available that fixes 3CXDesktopApp. 3CX advises its users to use the web version of the product, Progressive Web App (PWA).

3CX Supply Chain Attack - SmoothOperator

3CX is a software maker that specializes in enterprise communications, such as VoIP and PBX services. 3CX has more than 600,000 customers and 12 million users worldwide [2]. In the last week of March 2023, several security vendors and teams started to notice suspicious activity originating from 3CXDesktopApp. Further investigation showed that adversaries were able to compromise 3CX and trojanize 3CXDesktopApp Windows and macOS versions. Since the trojanized 3CXDesktopApp versions were signed by 3CX's digital certificate, users and security controls did not flag the binary as malware when downloaded or installed. 

Supply chain attacks are emerging threats that target software developers and suppliers. The goal is to access source codes, build processes, or update mechanisms by infecting legitimate apps to distribute malware [3].

This attack was named as SmoothOperator and attributed to Labyrinth Chollima, an APT group associated with the infamous North Korean threat group Lazarus. Earlier findings suggest that the SmoothOperator campaign has been in the making since February 2022. In March 2023, the APT group inserted malicious code into the 3CXDesktopApp binary, and unsuspecting users installed the tainted versions via direct downloads or updates. The affected versions of 3CXDesktopApp versions are given below. Although these versions are signed via 3CX's digital certificates, users are advised not to use these versions.

  • 3CX DesktopApp - Electron Windows App
    • versions 18.12.407 and 18.12.416
  • 3CX DesktopApp - Electron Mac App
    • versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416

After installation, the compromised versions of 3CXDesktopApp contact adversary-control C2 servers and install an info stealer malware named ICONICSTEALER. This malware is used to steal sensitive data from compromised systems.

Execution Flow of SmoothOperator 3CX Supply Chain Attack

The SmoothOperator supply chain attack starts with the installation of the compromised 3CXDesktopApp. The 3CXDesktopApp application is available for major operating systems such as Windows, macOS, and Linux. The application can be downloaded from 3CX's website, and it offers an auto-update feature. Therefore, many users and organizations may be affected and unaware of the malware-laced versions of 3CXDesktopApp.

  • The installer MSI package includes the following compromised files. This MSI package is signed by 3CX's digital certificate. Therefore, some security controls may not flag it as malware.
    • 3CXDesktopApp.exe: A normal executable that sideloads "ffmpeg.dll". 
  • ffmpeg.dll: Trojanized DLL file that loads and executes the malicious and encrypted shellcode from "d3dcompiler_47.dll".
  • d3dcompiler_47.dll: Malicious DLL file that leads to attacker-controlled GitHub repository.
  • After installing the MSI package and executing the "3CXDesktopApp.exe", the executable looks for the malicious DLL files. If they are present, the executable sideloads the trojanized "ffmpeg.dll".
  • While the "ffmpeg.dll" still contains its legitimate functionalities, adversaries added a malicious function to the trojanized DLL file. The malicious function reads the "d3dcompiler_47.dll" and finds the malicious and encrypted shellcode.
  • The encrypted shellcode is encrypted with RC4, and its decryption key is "3jB(2bsG#@c7". After decryption and execution of the shellcode, the malicious function accesses the adversary-controlled GitHub repository to download the malicious ICO files. These ICO files contain the URL addresses of the adversaries' C2 servers, and this information is encrypted with Base64 and AES+GCM encryption.
  • After decrypting the URL addresses, the shellcode connects to C2 servers to download and deploy the ICONIC infostealer malware.

Figure 1: Execution Flow of SmoothOperator Supply Chain Attack [4]

How Picus Helps Simulate SmoothOperator 3CXDesktopApp Supply Chain Attacks?

We also strongly suggest simulating SmoothOperator attacks to test the effectiveness of your security controls against supply chain attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against other notable supply chain attacks, such as SolarWinds Attacks (aka SUNBURST), within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for SmoothOperator 3CXDesktopApp Supply Chain Attacks

Threat ID

Threat Name

Attack Module

64221

3CX Supply Chain Campaign Malware Download Threat

Network Infiltration

58270

3CX Supply Chain Campaign Malware Email Threat

Email Infiltration (Phishing)

Moreover, Picus Threat Library contains 300+ threats containing 3000+ web application and vulnerability exploitation attacks in addition to 1500+ endpoint, 8000+ malware, email and data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address 3CXDesktopApp Supply Chain Attacks and other supply chain attacks in preventive security controls. Currently, Picus Labs validated the following signatures for 3CXDesktopApp Supply Chain Attacks:

Security Control

Signature ID

Signature Name

Forcepoint NGFW

 

File_Malware-Blocked 

Fortigate AV

10131498

Riskware/Sphone_XC3

Fortigate AV

10131470

W64/Agent.CFM!tr

McAfee

0x4840c900

MALWARE: Malicious File Detected by GTI

Palo Alto NGFW

577556802

Virus/Win32.WGeneric.dyeuam

Palo Alto NGFW

577527837

Virus/Win32.WGeneric.dyerjc

Palo Alto NGFW

577560180

Virus/Win32.WGeneric.dyeujy

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof Picus The Complete Security Validation Platform.

References

[1] "// 2023-03-29 // SITUATIONAL AWARENESS // CrowdStrike Tracking Active Intrusion Campaign Targeting 3CX Customers //," reddit. [Online]. Available: https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/. [Accessed: Mar. 31, 2023]

[2] "Business Communication Solutions & Software," 3CX, Jan. 31, 2013. [Online]. Available: https://www.3cx.com/. [Accessed: Mar. 31, 2023]

[3] Dansimp, "Supply chain attacks." [Online]. Available: https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/supply-chain-malware. [Accessed: Mar. 31, 2023]

[4] "3CXDesktop App Supply Chain Attack," Check Point Software, Mar. 29, 2023. [Online]. Available: https://blog.checkpoint.com/2023/03/29/3cxdesktop-app-trojanizes-in-a-supply-chain-attack-check-point-customers-remain-protected/. [Accessed: Mar. 31, 2023]

Subscribe

Keep up to date with latest blog posts