Recently, CrowdStrike and SentinelOne released reports about a supply chain attack that involved a popular multi-platform desktop application called 3CXDesktopApp. People use this application to communicate through chat, messaging, video, and voice. Unfortunately, a group of hackers named Lazarus Group carried out the attack and were able to insert harmful code into the official software build. The 3CX App is a popular communication platform that enables users to make and receive calls and send and receive messages through various channels such as SMS, chat, and email. Businesses of all sizes widely use the app as it provides a range of features such as video conferencing, call recording, and CRM integration. However, a recent vulnerability discovered in the 3CX App has put users’ security at risk.
The vulnerability has a CVSS score of 7.8, classified as high.
Attack Timeline of 3CX App
Hackers carried out a supply chain attack on 3CX in September 2021. They managed to infiltrate the company’s build infrastructure and insert malicious code into one of its updates, making the malicious update, version 220.127.116.11, available for download on the company’s website on September 16, 2021. ESET, a cybersecurity company, discovered this attack in November 2021, affecting Windows, Mac, and Linux systems.
Supply chain attacks are a type of cyber attack that target vendors and suppliers of a company rather than the company itself, which can compromise a large number of targets with a single attack. The identity of the attackers also remains unknown.
Supply chain attack in 3CXApp
The hackers utilized different techniques, such as obfuscation, encryption, and domain generation algorithms (DGAs), to execute the attack, conceal their actions, and avoid being detected. They also set up a command and control infrastructure to blend in with legitimate traffic, making it more challenging to identify and block.
As a result of this attack, anyone who downloaded and installed the 3CXDesktopApp software from the developer’s website unknowingly exposed their computer systems to this harmful code. In this attack, attackers targeted Windows and MacOS users, executing the malicious code through a file named 3CXDesktopApp.exe, which loaded a dangerous library file called ffmpeg.dll.
When a user downloaded the software update, it installed a valid signed 3CX MSI installer version 18.12.416, extracting multiple files and executing the 3CXDesktopApp.exe application. This application then loaded the backdoored signed DLL called “ffmpeg.dll” which loaded the d3dcompiler_47.dll containing the encrypted second-stage payload. After decrypting the payload using the RC4 decryption key “3jB(2bsG#@c7” the second-stage payload, a shellcode with embedded DLL, was executed.
The Stage-2 DLL further downloaded an icon file from a GitHub repository, read the encrypted string at the end of the downloaded icon file, and passed it to the ico_decryption() function. The decrypted string revealed the C2 URL: https[:]//glcloudservice[.]com/v1/console, which is the command and control (C2) server used by the hackers to control the attack.
The 3CXDesktopApp downloads updates using the “Update.exe –update <3cx_update_url>” command. This update package includes a valid signed Malicious 3CX MSI installer and the affected 3CX MAC Application.
After the 3CX MSI installer gets executed and multiple files get extracted in the “AppData\Local\Programs\3CXDesktopApp” and the valid signed 3CXDesktopApp.exe is executed. The backdoored signed DLL, “ffmpeg.dll”, is side loaded into the virtual memory based on the DLL search order mechanism.
Next, the backdoored “ffmpeg.dll” loads the d3dcompiler_47.dll into the memory. The ffmpeg.dll looks for a hex byte (FE ED FA CE) in the loaded d3dcompiler_47.dll, containing a second-stage encrypted payload. Once the specific hex byte gets located, it uses the RC4 decryption with the “3jB(2bsG#@c7” key to decrypt the second stage payload. This second stage payload is a shell code with an embedded DLL. Finally, it calls the export function “DllGetClassObject” of the second stage DLL to execute and download further stage payload.
In the Stage-2 DLL then downloads the Icon file from a GitHub repository, reads the icon file, and parses the encrypted string present at the end of the file. This encrypted string is base64 decoded and then passed to a decryption routine. In this case, the decrypted string is the C2 URL: https(:)//glcloudservice.com/v1/console.
The malware performs HTTPS requests to the C2 URL. The final payload delivered in the supply chain attack was an Infostealer that could collect system and browser information, including saved credentials from Brave, Chrome, Edge, and Firefox.DLL_PROCESS_ATTACH and DLL_PROCESS_DETACH are entry points for a dynamic link library (DLL) in Windows. The DLL_PROCESS_ATTACH is called when the DLL is loaded into the memory of a process, while DLL_PROCESS_DETACH is called when the DLL is unloaded. These entry points allow the DLL to perform initialization and cleanup tasks. However, malware can exploit these entry points to execute malicious code when a legitimate process loads or unloads the DLL. For example, a malware author can plant a malicious DLL in a system directory that gets loaded by a fair process. The malware can then execute its malicious code in the context of that process, bypassing security measures.
The provided code is an example of a DllMain function, the entry point for a dynamic link library (DLL) in Windows. When a process loads a DLL, the operating system calls the DllMain function with a reason code that indicates the purpose of the call.
In the case of DLL_PROCESS_DETACH, the code inside the switch statement gets executed when the process is unloading the DLL. Malware authors can exploit this to execute their malicious code at a specific time when the DLL gets unloaded.
The malware author can insert their malicious code in the DLL_PROCESS_DETACH case to execute it when the DLL gets unloaded. The code can perform various malicious activities, such as stealing information, creating backdoors, or downloading and running additional malware. By executing the code when the DLL gets unloaded, the malware can evade detection and remain undetected.
Steps to exploit in Metasploit framework.
- To generate the payload, which embedded in the DLL, use the msfvenom command with the desired options, such as:
The command generates a payload DLL to establish a reverse TCP connection with the IP and port specified.
- To create the malicious DLL, use a command like:
This command creates a DLL that will execute the specified command on the target system.
- Then, embed the payload DLL into the malicious DLL with a command like:
This command embeds the payload DLL generated in the first step into the malicious DLL.
After copying the malicious DLL to the target system, please wait for it to be load by a vulnerable application. Once the DLL loads, the payload will execute and establish a Meterpreter session with the attacker’s system, providing remote access to the target machine.
Indicators of Compromise
We have also added the full list of URIs decrypted from the ICO files previously referenced.
Additional Mac Indicators
To address the 3CX app vulnerability, you should start by identifying any employees who have used the affected versions of the app. Then, ensure you have the latest update installed (version 18.12.422 of the Windows desktop app and the Mac desktop app). If any employees have used the desktop app, the best option is to uninstall the software.
To identify any malicious activity that may have occurred due to the vulnerability, you can follow these steps:
- Check for the presence of files that match the hashes provided in the IoC section.
- If you have an XDR solution, search for connections to the identified URLs and domain names.
- Use Sigma and YARA rules for DNS event searching.
- On MacOS, check for .session-lock, .main-storage, and UpdateAgent files. The high probability of such files in the 3CX application directory indicates that the second malware stage executed. You can use a simple bash script to search for these files.
- You can also follow the advisory released by 3CX related to the attack here https://www.3cx.com/blog/news/desktopapp-security-alert/
Affected 3CX Versions:
Affected 3CX Electron Windows App Versions:
Affected Electron Mac App versions:
The discovery of a critical vulnerability in the 3CX App highlights the importance of taking proactive measures to protect our data. With the right tools and awareness, we can safeguard our communication channels and prevent attackers from exploiting our vulnerabilities. Always update your software, use strong passwords, and be vigilant for suspicious activity.