
A trojanized version of the popular VoIP/PBX phone system software 3CX is currently making headlines. The business phone system is used by companies in 190 countries worldwide. A trojanized installer is foisted on Windows users via a DLL sideloading attack.
The attack appears to have been a supply chain attack, which allowed attackers to add a desktop application installer that ultimately sideloaded a malicious, encrypted payload via a DLL.
Phone system is secretly attacking
Mat Gangwer, VP Managed Threat Response at Sophos, on the current situation: “The attackers managed to manipulate the application to add an installer that uses DLL sideloading. It is through this backdoor that a malicious, encrypted payload is eventually retrieved. This tactic is not new; it is similar to the DLL sideloading activity used in other attacks. We have identified three of the critical components of this DLL sideloading scenario.”
The affected software, 3CX, is a legitimate software-based PBX phone system available on Windows, Linux, Android and iOS. So far only Windows systems appear to be affected by the attack. The attackers abused the application to add an installer that communicates with various command and control (C2) servers. The current attack uses a digitally signed version of the softphone desktop client for Windows that contains a malicious payload. The most frequently observed post-exploitation activity so far is the launch of an interactive command-line interface (command shell).
PBX phone system for Windows
Sophos MDR first identified malicious activity targeting its own customers originating from 3CXDesktopApp on March 29, 2023. In addition, Sophos MDR determined that the attack used public file storage to host the encrypted malware. This repository has been in use since December 8, 2022.
"The attack itself is based on a DLL sideloading scenario with a remarkable number of components involved," says Mat Gangwer. "This was probably intended to ensure that customers could use the 3CX desktop bundle without noticing anything out of the ordinary."
To date, Sophos has identified the following key components of the attack:
- 3CXDesktopApp.exe, the clean loader
- d3dcompiler_47.dll, a DLL with an attached encrypted payload
- ffmpeg.dll, the trojanized malicious loader
The ffmpeg.dll file contains an embedded URL that fetches a maliciously coded ICO payload. In a normal DLL sideloading scenario, the malicious loader (ffmpeg.dll) would replace the legitimate library outright; its only function would be to stage the payload. In this case, however, the loader remains fully functional, as it would normally be in the 3CX product - the additional payload is instead injected into the DllMain function. While this increases the package size, it likely reduced users' suspicion that something was wrong, since the 3CX application works as expected - even while the trojan is beaconing to the C2 server.
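The "DLL with an attached encrypted payload" pattern described above can be spotted on disk by checking whether a PE file carries data beyond its last section (an overlay) and whether that data looks encrypted. The following is an added example, not code from Sophos or 3CX: it parses the PE section table, measures the overlay, and builds two constructed minimal PE images (a clean one and one with an appended high-entropy blob) to exercise the check. It ignores the Authenticode certificate table, which legitimately also lives past the last section.

```python
import math
import struct
from collections import Counter

def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data scores close to 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def overlay_info(data: bytes):
    """Return (overlay_offset, overlay_size, overlay_entropy) for a PE file, or None if not PE."""
    if data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_tbl = e_lfanew + 24 + opt_size          # section table follows the optional header
    end = 0
    for i in range(nsections):                  # SizeOfRawData / PointerToRawData sit at +16 of each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tbl + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    overlay = data[end:]
    return end, len(overlay), shannon_entropy(overlay)

def has_suspicious_overlay(data: bytes, min_size: int = 1024, min_entropy: float = 7.0) -> bool:
    """Flag a large, high-entropy overlay. A production check must first subtract the
    security directory (Authenticode signature), which also lives past the last section."""
    info = overlay_info(data)
    return info is not None and info[1] >= min_size and info[2] >= min_entropy

def build_pe(section: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image with one section (headers only; not loadable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 224                           # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    raw_ptr = 0x200                             # first section at file alignment 512
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(section), 0x1000, len(section), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(raw_ptr, b"\0") + section + overlay

CLEAN = build_pe(b"\x90" * 256)
# Constructed stand-in for an appended encrypted blob: every byte value equally often -> entropy 8.0
TROJANIZED = build_pe(b"\x90" * 256, bytes(range(256)) * 16)
```

Running `overlay_info` on a real `d3dcompiler_47.dll` from a 3CX install directory, after subtracting the signature directory, gives a quick triage signal to pair with the hash-based IOCs.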
Seen, recognized, blocked
SophosLabs blocked the malicious domains and released the following endpoint detection: Troj/Loader-AF. Additionally, the list of known C2 domains associated with the threat has been blocked; the full list is published in the IOC file on the Sophos GitHub. Last but not least, the malicious ffmpeg.dll file is flagged as having low reputation.
More at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and they offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of in-house analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.