VOIP/PBX software 3CX abused for sideloading attack

SophosNews

Share post

A trojanized version of the popular phone system VOIP/PBX software 3CX is currently making headlines. The business phone system is used by companies in 190 countries worldwide. An installation program including a Trojan is foisted on Windows users via a DLL sideloading attack.

The attack appears to have been a supply chain attack, which allowed attackers to add a desktop application installer that ultimately sideloaded a malicious, encrypted payload via a DLL.

Phone system is secretly attacking

Mat Gangwer, VP Managed Threat Response at Sophos on the current situation: “The attackers managed to manipulate the application to add an installer that uses DLL sideloading. It is through this backdoor that a malicious, encrypted payload is eventually retrieved. This tactic is not new, it is similar to the DLL sideloading activity used in other attacks. We have identified three of the critical components of this DLL sideloading scenario.”

The affected software 3CX is a legitimate software-based PBX phone system available on Windows, Linux, Android and iOS. Currently only Windows systems seem to be affected by the attack. The application was abused by the attackers to add an installer that communicates with various command and control (C2) servers. The current attack is a digitally signed version of the softphone desktop client for Windows that contains a malicious payload. The most frequently observed activity so far after exploiting the vulnerability is the activation of an interactive command line interface (command shell).

PBX phone system for Windows

Sophos MDR first identified malicious activity targeting its own customers originating from 29CXDesktopApp on March 2023, 3. In addition, Sophos MDR determined that the attack used a public file storage to host encrypted malware. This repository has been in use since December 8, 2022.

"The attack itself is based on a DLL sideloading scenario with a remarkable number of components involved," says Matt Gangwer. "This was probably intended to ensure that customers could use the 3CX desktop bundle without noticing anything out of the ordinary."

To date, Sophos has identified the following key components of the attack:

  • 3CXDesktopApp.exe, the clean loader
  • d3dcompiler_47.dll, a DLL with an attached encrypted payload
  • ffmpeg.dll, the trojanized malicious loader

The ffmpeg.dll file contains an embedded URL that fetches a maliciously coded ICO payload. In a normal DLL sideloading scenario, the malicious loader (ffmpeg.dll) would replace the legitimate application; its only function would be to queue the payload. In this case, however, the loader is fully functional as it would normally be in the 3CX product - an additional payload is injected into the DllMain function as a replacement. While this increases the packet size, it may have reduced users' suspicions that something was wrong, as the 3CX application works as expected - even while the trojan is addressing the C2 beacon.

Seen, recognized, blocked

SophosLabs blocked the malicious domains and released the following endpoint detection: Troj/Loader-AF. Additionally, the list of known C2 domains associated with the threat has been blocked. This is further supplemented in the IOC file on the Sophos GitHub. Last but not least, the malicious ffmpeg.dll file is flagged as having low reputation.

More at Sophos.com

 


About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.


 

Matching articles on the topic

Companies spend 10 billion euros on cybersecurity

Germany is arming itself against cyber attacks and is investing more than ever in IT and cyber security. In the current year the ➡ Read more

Qakbot remains dangerous

Sophos X-Ops has discovered and analyzed a new variant of the Qakbot malware. These cases first appeared in mid-December and they ➡ Read more

VexTrio: most malicious DNS threat actor identified

A DNS management and security provider has exposed and blocked VexTrio, a complex criminal affiliate program. This increases cybersecurity. ➡ Read more

A comeback from Lockbit is likely

It is fundamentally important for Lockbit to be visible again quickly. Victims are presumably less willing to pay as long as there are rumors ➡ Read more

LockBit is alive

A few days ago, international law enforcement authorities scored a decisive blow against Lockbit. According to a comment from Chester Wisniewski, Director, Global ➡ Read more

Cyber ​​danger Raspberry Robin

A leading provider of an AI-powered, cloud-delivered cybersecurity platform warns about Raspberry Robin. The malware was first released in the year ➡ Read more

New scam Deep Fake Boss

Unlike classic scams such as the email-based boss scam, the Deep Fake Boss method uses high-tech manipulation ➡ Read more

Classification of the LockBit breakup

European and American law enforcement authorities have managed to arrest two members of the notorious LockBit group. This important strike against the ransomware group ➡ Read more