Beware: infected 3CX desktop app spread by North Korean hackers

A popular voice-over-internet-protocol (VOIP) software, 3CX, is being abused by attackers to spread a malicious payload. A North Korean threat actor is suspected to be behind the supply-chain attack.

“The affected software is 3CX – a legitimate PBX phone system available on Windows, Linux, Android, and iOS. The application has been abused by the threat actor to add an installer that communicates with various command-and-control (C2) servers,” cybersecurity company Sophos said.


A private branch exchange (PBX) is used to manage multiple inbound and outbound lines including call routing and voicemail features.

The 3CX desktop app, available for Windows, macOS, Linux, and mobile operating systems, is used by 600,000 customers in 190 countries. According to the company’s website, McDonald’s, Coca-Cola, Toyota, BMW, and Mercedes-Benz are among its biggest clients.

On March 29, two cybersecurity companies, CrowdStrike and Sophos, observed unexpected malicious activity.

“The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity,” CrowdStrike said.

Both companies describe this as a developing situation. At the time of writing, the malicious version of the 3CX desktop app affects Windows and macOS users.

“The attack revolves around a DLL sideloading scenario, one with a remarkable number of components involved. This is likely to ensure that customers were able to use the 3CX desktop package without noticing anything unusual about the affected package,” Sophos explained.
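A defender-side check that follows from the DLL sideloading description above, added here as an example and not code from the article or from 3CX, Sophos or CrowdStrike: it walks an application's install directory, verifies the Authenticode signature of every DLL and executable, and lists files that are unsigned, carry an invalid signature, or are signed by someone other than the expected publisher, together with their SHA-256 hashes. `$AppDir` and `$ExpectedPublisher` are placeholders to be set for the environment being audited.

```powershell
# Added example: audit binaries shipped alongside a desktop application for
# sideloading risk. The install path and publisher string are assumptions,
# not values taken from the article.
param(
    [string]$AppDir = "C:\Path\To\App",                  # placeholder install directory
    [string]$ExpectedPublisher = "CN=Example Publisher"  # placeholder certificate subject fragment
)

$results = Get-ChildItem -Path $AppDir -Recurse -Include *.dll, *.exe -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "<unsigned>" }

        [pscustomobject]@{
            Path       = $_.FullName
            Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer     = $signer
            SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            # Flag anything that is not validly signed by the publisher we expect
            Suspicious = ($sig.Status -ne 'Valid') -or ($signer -notlike "*$ExpectedPublisher*")
        }
    }

# Report only the files worth a closer look; keep the full list for hash comparison
$results | Where-Object Suspicious | Format-Table -AutoSize
$results | Export-Csv -Path (Join-Path $AppDir 'binary-audit.csv') -NoTypeInformation
```

Signature status alone is not a complete answer for a supply-chain compromise: a build trojanized before it was signed will pass this check, so the exported SHA-256 list is meant to be compared against hashes published by the vendor or by the responding security firms, and runtime telemetry (unexpected outbound connections from the application process) remains the stronger signal.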

Both companies assess that a nation-state threat actor is behind the activity. Specifically, CrowdStrike believes Labyrinth Chollima, a North Korean threat actor active since 2009, is spreading the trojanized version of the 3CX desktop app.
