3CX is a company that provides solutions for business communication. One of these solutions “Electron Desktop app” has been compromised by a threat actor that is possibly a nation state sponsored threat group.

The 3CX app is a private automatic branch exchange (PABX) software that provides several communication functions for its users, including video conferencing, live chat, and call management.

On the 29th of March security solutions provider Crowdstrike alerted on malicious activity coming from a legitimate, signed binary, 3CXDesktopApp (Electron). The malicious activity included beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.

Further research on this activity led to uncovering a supply chain attack. The compromised installer was obtained via the official website of 3CX. Not only new installations of the application, but also updates of older installations, install the compromised version.

The attacks follow these steps: • 3CXDesktopApp.exe installer sideloads the “ffmpeg.dll” that has been trojanized.

• The “ffmpeg.dll” then sideloads “d3dcompiler_47.dll” that contains encrypted shellcode
• This file then accesses an attacker controlled Github repository that downloads and decrypts to load shellcode.
• This shellcode then gets executed to connect to a C2 server.

According to 3CX it is likely that the issue stems from one of the bundled libraries that they compiled into the Windows Electron App via GIT. Although this is not confirmed yet. 3CX also mentioned that most of the domains used by the Threat actor have been taken down. 

Affected products.

• 3CX Electron Windows App Update 7
  • Version 18.12.407 
  • Version 18.12.416
• 3CX Electron Mac App
  • Version 18.11.1213
  • Version 18.12.402
  • Version 18.12.407
  • Version 18.12.416

Other software such as mobile app, legacy Windows application and PWA (web) app are not impacted since these do not depend on the Electron framework.