Automatic Updates Deliver Malicious 3CX Upgrades to Enterprises

Published: 23/11/2024   Category: security

In a SolarWinds-like attack, compromised, digitally signed versions of 3CX DesktopApp are landing on user systems via the vendor's own update mechanism.



Security researchers are sounding the alarm on what may well be another major SolarWinds or Kaseya-like supply chain attack, this time involving Windows and Mac versions of a widely used video conferencing, PBX, and business communication app from 3CX.
On March 30, multiple security vendors said they had observed legitimate, digitally signed versions of the 3CX DesktopApp bundled with malicious installers landing on user desktops via the company's official automatic update process, as well as via manual updates. The end result is data-stealing malware implanted as part of a likely cyber-espionage effort by an advanced persistent threat (APT) actor.
The potential impact of the new threat could be huge. 3CX claims some 600,000 installations worldwide with over 12 million daily users. Among its numerous big-name customers are companies like American Express, Avis, Coca-Cola, Honda, McDonald's, Pepsi, and Toyota.
CrowdStrike assessed that the threat actor behind the campaign is Labyrinth Chollima, a group that many researchers believe is linked with the cyber-warfare unit of North Korea's intelligence agency, the Reconnaissance General Bureau (RGB). Labyrinth Chollima is one of four groups that CrowdStrike has assessed are part of North Korea's larger Lazarus Group.
The threat is still very much an active one. "Currently, the very latest installers and updates available on the public 3CX website are still the compromised and backdoored applications that are noted as known bad by numerous security firms," says John Hammond, senior security researcher at Huntress.
The weaponized app arrives on a host system when the 3CX Desktop Application automatically updates, or when a user grabs the latest version proactively. Once pushed to a system, the signed 3CX DesktopApp executes a malicious installer, which then beacons out to an attacker-controlled server, pulls down a second-stage, information-stealing malware from there, and installs it on the user's computer. CrowdStrike, one of the first to report on the threat on March 29, said in a few instances it had also observed malicious hands-on-keyboard activity on systems with the Trojanized 3CX app.
In a message early on March 30, 3CX CEO Nick Galea urged users to immediately uninstall the app, adding that Microsoft Windows Defender would do that automatically for users running the software. Galea urged customers that want the app's functionality to use the Web client version of the technology while the company works on delivering an update.
A security alert from 3CX CISO Pierre Jourdan identified the affected apps as the Electron Windows App, shipped in Update 7, version numbers 18.12.407 & 18.12.416, and the Electron Mac App, version numbers 18.11.1213, 18.12.402, 18.12.407, & 18.12.416. "The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT," Jourdan said.
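As an added example (not code from the article or from 3CX), here is a small triage script that checks an endpoint inventory against the affected Windows and Mac versions listed in the alert; the inventory records and hostnames are constructed, and the zero-padded version and non-listed platform cases show why versions must be parsed before matching.

```python
# Added example, not code from the article or from 3CX: triage an endpoint inventory
# against the 3CX DesktopApp versions named in the 3CX security alert.
# Hostnames and inventory records are constructed for this example.

# Versions the 3CX alert lists as affected, keyed by platform.
AFFECTED_VERSIONS = {
    "windows": {"18.12.407", "18.12.416"},
    "mac": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}


def parse_version(text):
    """Turn '18.12.407' into (18, 12, 407) so '18.12.0407' compares equal; reject junk."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform, version):
    """True when this platform/version pair is in the alert; platform must be windows or mac."""
    plat = platform.strip().lower()
    if plat not in AFFECTED_VERSIONS:
        raise ValueError(f"platform not covered by the alert: {platform!r}")
    return parse_version(version) in {parse_version(v) for v in AFFECTED_VERSIONS[plat]}


def triage(inventory):
    """Split hosts into those on an affected build and those that could not be assessed
    (bad version string, unknown platform). The second group needs a manual check
    rather than being silently cleared."""
    affected, unverified = [], []
    for rec in inventory:
        host = rec.get("host", "<unnamed>")
        try:
            if is_affected(rec["platform"], rec["version"]):
                affected.append(host)
        except (ValueError, KeyError):
            unverified.append(host)
    return {"affected": sorted(affected), "unverified": sorted(unverified)}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "platform": "windows", "version": "18.12.416"},
    {"host": "ws-02", "platform": "Windows", "version": "18.12.0407"},  # zero-padded, same build
    {"host": "ws-03", "platform": "windows", "version": "18.11.1213"},  # listed for Mac only
    {"host": "mac-01", "platform": "mac", "version": "18.11.1213"},
    {"host": "mac-02", "platform": "mac", "version": "18.9.1"},         # constructed older build
    {"host": "srv-01", "platform": "linux", "version": "18.12.416"},    # platform not in alert
]
```

Anything in the "unverified" list should be looked at by hand; the alert's version list is the only signal this script uses, so it says nothing about hosts that were compromised and have since been updated.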
Neither Jourdan's nor Galea's messages gave any indication of how the attacker managed to gain the access they needed to trojanize a signed 3CXDesktopApp.exe binary. But at least two security vendors that have analyzed the threat say it could have only happened if the attackers were in 3CX's development or build environment — in the same manner that SolarWinds was compromised.
"Although only 3CX has the complete picture of what happened, so far, from the forensics, we assess with high confidence that the threat actor had access to the production pipeline of 3CX," says Lotem Finkelstein, director of threat intelligence & research at Check Point Software. "The files are signed with 3CX certificates, the same as used for the previous benign versions. The code is built in a way that it keeps working as it normally should but also adds some malware."
Finkelstein says Check Point's investigation confirms that the Trojanized version of the 3CX DesktopApp is being delivered through either manual download or regular updates from the official system.
Dick O'Brien, principal intelligence analyst at the Symantec Threat Hunter team, says the threat actor does not appear to have touched the main executable itself. Instead, the APT compromised two dynamic link libraries (DLLs) that were delivered along with the executable in the installer.
"One DLL was replaced with a completely different file with the same name," O'Brien says. "The second was a Trojanized version of the legitimate DLL [with] the attackers essentially appending it with additional encrypted data." The attackers have used a technique known as DLL sideloading to trick the legitimate 3CX binary into loading and executing the malicious DLL, he says.
O'Brien agrees that the attacker would have needed access to 3CX's production environment to pull off the hack. "How they did that remains unknown. But once they had access to the build environment, all they had to do was drop two DLLs into the build directory."
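The two tampering patterns O'Brien describes, a DLL swapped wholesale and a DLL with data appended, can be told apart from nothing more than a size-plus-hash manifest of a clean build. The following is an added example, not code from the article, Symantec or 3CX; its file names and byte contents are constructed.

```python
# Added example, not code from the article, Symantec or 3CX: check the files shipped
# in a release against a manifest (sha256 + size) recorded from a known-clean build, and
# classify each changed file as "replaced" (different bytes under the same name) or
# "appended" (clean bytes intact, extra data on the end). Names and bytes are toy data.
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(clean_files):
    """name -> {sha256, size}; only this manifest, not the clean bytes, needs to be kept."""
    return {name: {"sha256": sha256(data), "size": len(data)} for name, data in clean_files.items()}


def classify(entry, shipped):
    """Compare one shipped file against its manifest entry."""
    if len(shipped) == entry["size"] and sha256(shipped) == entry["sha256"]:
        return "unchanged"
    # Hashing only the first `size` bytes tells a padded original from a wholesale swap.
    if len(shipped) > entry["size"] and sha256(shipped[: entry["size"]]) == entry["sha256"]:
        return "appended"
    return "replaced"


def check_release(manifest, shipped_files):
    """Return {name: verdict} for every file that is not exactly as the clean build had it."""
    findings = {}
    for name, data in shipped_files.items():
        if name not in manifest:
            findings[name] = "unexpected"  # never part of the clean build
            continue
        verdict = classify(manifest[name], data)
        if verdict != "unchanged":
            findings[name] = verdict
    for name in manifest.keys() - shipped_files.keys():
        findings[name] = "missing"
    return findings


# Constructed toy build: the main binary plus two bundled DLLs (not real file contents).
CLEAN_BUILD = {
    "3CXDesktopApp.exe": b"MZ-clean-main-binary",
    "sample_lib_a.dll": b"MZ-clean-library-a",
    "sample_lib_b.dll": b"MZ-clean-library-b",
}
MANIFEST = build_manifest(CLEAN_BUILD)

SHIPPED_BUILD = {
    "3CXDesktopApp.exe": CLEAN_BUILD["3CXDesktopApp.exe"],                     # untouched
    "sample_lib_a.dll": b"MZ-entirely-different-code",                          # swapped, same name
    "sample_lib_b.dll": CLEAN_BUILD["sample_lib_b.dll"] + b"\x8a\x13\x5c\xe0",  # data appended
}
```

A valid Authenticode signature on the main executable says nothing about the DLLs it will sideload, which is why a per-file manifest of the build output, not just the signed binary, is what this check relies on.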
Researchers at Huntress tracking the threat said they had so far sent out a total of 2,595 incident reports to customers warning them of hosts running susceptible versions of the 3CX desktop application. In these instances, the software matched the hash or identifier for one of the known bad applications.
"The final stage of the attack chain as we know it is reaching out to the command-and-control servers; however, this appears to be on a set timer after seven days," says Huntress' Hammond. A Shodan search that Huntress conducted showed 242,519 publicly exposed 3CX systems, though the issue's impact is broader than just that set of targets.
"The updates received by the signed 3CX Desktop Application are coming from the legitimate 3CX update source, so at first blush, this looks normal," he adds. "Many end users did not expect the original and valid 3CX application to suddenly be setting off alarm bells from their antivirus or security products, and in the early timeline where there was not much information uncovered, there was some confusion over whether the activity was malicious or not," he says.
Hammond compares this incident to the breaches at SolarWinds and at Kaseya.
With SolarWinds, attackers — likely linked with Russia's Foreign Intelligence Service — broke into the company's build environment and inserted a few lines of malicious code into updates for its Orion network management software. Some 18,000 customers received the updates, but the threat actor was really targeting only a small handful of them for subsequent compromise.
The attack on Kaseya's VSA remote management technology resulted in more than 1,000 downstream customers of its managed service provider customers being impacted and subsequently targeted for ransomware delivery. The two attacks are examples of a growing trend of threat actors targeting trusted software providers and entities in the software supply chain to reach a broad set of victims. Concerns over the threat prompted President Biden to issue an executive order in May 2021 that contained specific requirements for bolstering supply chain security.
