VOIP/PBX software 3CX abused for sideloading attack



A trojanized version of the popular phone system VOIP/PBX software 3CX is currently making headlines. The business phone system is used by companies in 190 countries worldwide. An installation program including a Trojan is foisted on Windows users via a DLL sideloading attack.

The attack appears to have been a supply chain attack, which allowed attackers to add a desktop application installer that ultimately sideloaded a malicious, encrypted payload via a DLL.

Phone system is secretly attacking

Mat Gangwer, VP Managed Threat Response at Sophos, on the current situation: “The attackers managed to manipulate the application to add an installer that uses DLL sideloading. It is through this backdoor that a malicious, encrypted payload is eventually retrieved. This tactic is not new; it is similar to the DLL sideloading activity used in other attacks. We have identified three of the critical components of this DLL sideloading scenario.”

The affected software, 3CX, is a legitimate software-based PBX phone system available on Windows, Linux, Android and iOS. Currently only Windows systems appear to be affected by the attack. The attackers abused the application to add an installer that communicates with various command and control (C2) servers. The current attack uses a digitally signed version of the softphone desktop client for Windows that contains a malicious payload. The most frequently observed post-exploitation activity so far is the launch of an interactive command line interface (command shell).

PBX phone system for Windows

Sophos MDR first identified malicious activity targeting its own customers originating from 3CXDesktopApp on March 29, 2023. In addition, Sophos MDR determined that the attack used public file storage to host encrypted malware. This repository has been in use since December 8, 2022.

"The attack itself is based on a DLL sideloading scenario with a remarkable number of components involved," says Mat Gangwer. "This was probably intended to ensure that customers could use the 3CX desktop bundle without noticing anything out of the ordinary."

To date, Sophos has identified the following key components of the attack:

  • 3CXDesktopApp.exe, the clean loader
  • d3dcompiler_47.dll, a DLL with an attached encrypted payload
  • ffmpeg.dll, the trojanized malicious loader

The ffmpeg.dll file contains an embedded URL that fetches a maliciously coded ICO payload. In a normal DLL sideloading scenario, the malicious loader (ffmpeg.dll) would replace the legitimate application; its only function would be to queue up the payload. In this case, however, the loader is fully functional, as it would normally be in the 3CX product, and the additional payload is instead injected into the DllMain function. While this increases the package size, it may have reduced users' suspicions that something was wrong, since the 3CX application works as expected, even while the trojan is beaconing to its C2 server.
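As an added triage example (not code from the Sophos write-up), the following Python script locates the end of the last PE section in a DLL and measures the size and entropy of whatever follows it, on the assumption that a DLL with an "attached encrypted payload" carries that payload as high-entropy overlay data. The sample DLL and payload are constructed inline so the script runs offline.

```python
import hashlib
import math
import struct

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain code/text sits well below 8.0, encrypted data close to it."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_overlay(image: bytes) -> dict:
    """Locate the end of the last PE section and report what follows it (the overlay)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                 # section table follows the optional header
    end = table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):                # SizeOfRawData, PointerToRawData at +16/+20
        size_raw, ptr_raw = struct.unpack_from("<II", image, table + i * SECTION_HEADER_SIZE + 16)
        end = max(end, ptr_raw + size_raw)
    overlay = image[end:]
    return {"image_end": end, "overlay_size": len(overlay), "overlay_entropy": shannon_entropy(overlay)}

def looks_like_attached_payload(image: bytes, min_size: int = 1024, min_entropy: float = 7.0) -> bool:
    """Flag a sizeable, high-entropy overlay; confirm by hand, since an Authenticode
    signature (the certificate table) also lives past the last section."""
    info = pe_overlay(image)
    return info["overlay_size"] >= min_size and info["overlay_entropy"] >= min_entropy

def build_sample_dll(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE (one .text section, no optional header) for this demo only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x2022)        # 1 section, opt hdr size 0
    text = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x80, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + text + bytes(range(256)) * 2 + overlay

# Constructed stand-in for an encrypted blob: 4 KiB of SHA-256 output (high entropy).
SAMPLE_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
```

Calling `pe_overlay(build_sample_dll())` reports no overlay, while `looks_like_attached_payload(build_sample_dll(SAMPLE_PAYLOAD))` returns True; run the same functions over the bytes of the three components listed above to triage a real installation.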

Seen, recognized, blocked

SophosLabs blocked the malicious domains and released the following endpoint detection: Troj/Loader-AF. Additionally, the list of known C2 domains associated with the threat has been blocked. This is further supplemented in the IOC file on the Sophos GitHub. Last but not least, the malicious ffmpeg.dll file is flagged as having low reputation.

More at Sophos.com


About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.
