3CXDesktop App Trojanizes in a Supply Chain Attack
Check Point Customers Remain Protected


What is 3CXDesktop App?

3CXDesktop App is a desktop client of 3CX voice over IP (VoIP) system. The application allows users to communicate within and outside the organization through their desktop or laptops.

The app can record calls and facilitate video conferencing and can be used on Windows, macOS, and Linux operating systems. It’s a tool that businesses use when they have a hybrid or remote workforce and their customers include government service providers like the NHS as well as large enterprises including Coca-Cola, IKEA and Honda.


What Happened?

Over the past few days, evidence has accumulated that a Trojanized version of the original 3CXDesktop App client is being downloaded by unsuspecting victims around the world. The Trojanized version includes a malicious DLL file that replaced an original DLL known to ship with the benign version of the app. When the application is loaded, the signed 3CXDesktop App executes the malicious DLL as part of its predefined execution procedure.

This turned the innocent, popular VoIP app into full-blown malware that beacons to remote servers and is capable of running second-stage malware.
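The failure mode described above is that the executable's code signature vouches for the launcher, not for the libraries it loads, so a replaced DLL runs with the app's trust. The following is an added example (not Check Point's or 3CX's code) of the check a defender can run: hash every file in an install directory and compare it against a known-good manifest, flagging files that were modified (the DLL-replacement case), added (a dropped second stage), or removed. All directory names, file names and file contents are constructed for the demo.

```python
"""Baseline integrity check for an installed application directory.

Added example, not code from the original post. A signed launcher does not
verify the DLLs it loads, so a replaced library runs under the launcher's
trust. Hashing the install tree and diffing it against a manifest taken from
a known-clean build surfaces that replacement. Every path, name and file body
below is constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by its relative POSIX path."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live directory against the baseline manifest.

    Returns three sorted lists:
      modified - same path, different hash (a swapped DLL)
      added    - present on disk but not in the baseline (a dropped payload)
      missing  - in the baseline but gone from disk
    """
    current = build_manifest(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict:
    """Build a clean fake install, snapshot it, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed install tree; "VoipApp" is a placeholder, not a real product path.
        root = Path(tmp) / "VoipApp"
        (root / "lib").mkdir(parents=True)
        (root / "VoipApp.exe").write_bytes(b"signed launcher placeholder")
        (root / "lib" / "media.dll").write_bytes(b"benign media library placeholder")
        (root / "lib" / "codec.dll").write_bytes(b"benign codec library placeholder")

        # Manifest captured from the clean state (in practice: from a trusted build,
        # never from the install you are about to inspect).
        baseline = build_manifest(root)

        # Simulate the tampering: same DLL name, different bytes, plus an extra
        # dropped file and one library removed.
        (root / "lib" / "media.dll").write_bytes(b"replaced media library placeholder")
        (root / "lib" / "extra.bin").write_bytes(b"dropped second-stage placeholder")
        (root / "lib" / "codec.dll").unlink()

        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline has to come from a source you already trust (a vendor-published manifest or a build you verified yourself); a manifest captured from an install that was itself downloaded as a trojanized package would simply enshrine the malicious DLL. On Windows the same reasoning argues for checking the Authenticode signature of each DLL individually (for example with `Get-AuthenticodeSignature` in PowerShell) rather than trusting the launcher's signature to cover the whole package.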

Supply Chain Attack Indeed

This is a classic supply chain attack, although as of this writing there is no evidence of any intervention in the source code of 3CXDesktop App. And yet, no one expected the application to be served with a malicious implant.

Supply chain attacks are designed to exploit trust relationships between an organization and external parties. These relationships can include partnerships, vendor relationships, or the use of third-party software. Cyber threat actors compromise one organization and then move up the supply chain, leveraging these trusted relationships to gain access to other organizations' environments.


This Joins the Weaponization of Legitimate Tools

The basic layer of cyber protection is recognizing malicious tools and behaviors before they can strike. Security vendors invest substantial resources in the research and mapping of malware types and families, and in their attribution to specific threat actors and associated campaigns, while also identifying the TTPs (Tactics, Techniques and Procedures) that inform the correct security cycles and security policy.

To evade sophisticated cybersecurity solutions, threat actors are developing and perfecting their attack techniques, which rely less and less on custom malware and shift instead to tools that no signature will match. They use built-in operating system capabilities and tools that are already installed on target systems, and exploit popular IT management tools that are less likely to raise suspicion when detected. Commercial off-the-shelf pentesting and Red Team tools are often used as well. Although this is not a new phenomenon, what was once rare and exclusive to sophisticated actors has now become a widespread technique adopted by threat actors of all types.

Check Point Customers Remain Protected

Supply chain attacks are one of the most complex attack forms. Security vendors cannot rely solely on reputation-based or single-layered solutions. They need to question activity as seen in the network, endpoints and servers, and to connect the dots.

Horizon XDR/XPR is designed to provide comprehensive threat prevention across the entire security estate, with Check Point's Infinity architecture.

The platform immediately blocks cyber threats originating in any part of the environment and prevents them from impacting the organization and propagating to additional entities. XDR/XPR represents your last line of cyber defense: an additional layer of security across your consolidated security estate. Horizon XDR/XPR prevents complex attacks in which seemingly benign events across different parts of the security estate add up to a critical threat to your organization. The platform can automatically stop threats from propagating and spreading within your organization, and provides clear forensics as extra validation for the SecOps user.
