VOIP/PBX software 3CX abused for sideloading attack


Share post

A trojanized version of the popular phone system VOIP/PBX software 3CX is currently making headlines. The business phone system is used by companies in 190 countries worldwide. An installation program including a Trojan is foisted on Windows users via a DLL sideloading attack.

The attack appears to have been a supply chain attack, which allowed attackers to add a desktop application installer that ultimately sideloaded a malicious, encrypted payload via a DLL.

Phone system is secretly attacking

Mat Gangwer, VP Managed Threat Response at Sophos on the current situation: “The attackers managed to manipulate the application to add an installer that uses DLL sideloading. It is through this backdoor that a malicious, encrypted payload is eventually retrieved. This tactic is not new, it is similar to the DLL sideloading activity used in other attacks. We have identified three of the critical components of this DLL sideloading scenario.”

The affected software 3CX is a legitimate software-based PBX phone system available on Windows, Linux, Android and iOS. Currently only Windows systems seem to be affected by the attack. The application was abused by the attackers to add an installer that communicates with various command and control (C2) servers. The current attack is a digitally signed version of the softphone desktop client for Windows that contains a malicious payload. The most frequently observed activity so far after exploiting the vulnerability is the activation of an interactive command line interface (command shell).

PBX phone system for Windows

Sophos MDR first identified malicious activity targeting its own customers originating from 29CXDesktopApp on March 2023, 3. In addition, Sophos MDR determined that the attack used a public file storage to host encrypted malware. This repository has been in use since December 8, 2022.

"The attack itself is based on a DLL sideloading scenario with a remarkable number of components involved," says Matt Gangwer. "This was probably intended to ensure that customers could use the 3CX desktop bundle without noticing anything out of the ordinary."

To date, Sophos has identified the following key components of the attack:

  • 3CXDesktopApp.exe, the clean loader
  • d3dcompiler_47.dll, a DLL with an attached encrypted payload
  • ffmpeg.dll, the trojanized malicious loader

The ffmpeg.dll file contains an embedded URL that fetches a maliciously coded ICO payload. In a normal DLL sideloading scenario, the malicious loader (ffmpeg.dll) would replace the legitimate application; its only function would be to queue the payload. In this case, however, the loader is fully functional as it would normally be in the 3CX product - an additional payload is injected into the DllMain function as a replacement. While this increases the packet size, it may have reduced users' suspicions that something was wrong, as the 3CX application works as expected - even while the trojan is addressing the C2 beacon.

Seen, recognized, blocked

SophosLabs blocked the malicious domains and released the following endpoint detection: Troj/Loader-AF. Additionally, the list of known C2 domains associated with the threat has been blocked. This is further supplemented in the IOC file on the Sophos GitHub. Last but not least, the malicious ffmpeg.dll file is flagged as having low reputation.

More at Sophos.com


About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.


Matching articles on the topic

Vulnerabilities in Netgear Nighthawk RAX30 routers

A combination of five vulnerabilities in Netgear Nighthawk RAX30 routers allows attackers to monitor, manipulate and take over Internet traffic ➡ Read more

Regulation of AI software

Efforts are being made worldwide to define a legal framework for artificial intelligence. There were hearings before the US Congress in which ➡ Read more

Well-known vulnerabilities remain unnoticed

Earlier this week, CISA announced that it had added new Linux vulnerabilities to its catalog, warning that ➡ Read more

ChatGPT Fake Apps: Expensive subscriptions for zero features

A Sophos report uncovers the rip-off by costly ChatGPT impersonators: The scam apps continue to thrive due to loopholes in app store policies from ➡ Read more

First enterprise XDR solution for ChromeOS

CrowdStrike Falcon Insight XDR helps customers manage their ChromeOS device fleet and get visibility without having to use a mobile ➡ Read more

Cloud-native security

As cloud infrastructure becomes more important, securing it has become a key issue for government agencies. Therefore ➡ Read more

Cyber ​​espionage: Fileless Malware DownEX discovered

Bitdefender Labs experts have discovered a new malware family. The demanding and very targeted attack under the name ➡ Read more

Mobile security with app anomaly detection

Otherwise harmless apps can suddenly be compromised after the update, as can newly installed apps. Bitdefender has in its mobile ➡ Read more