This advisory is for organizations that use the 3CXDesktopApp product (Electron Windows/MacOS App). This application is used by businesses to provide VoIP services.
This issue has not yet been assigned a CVE or a CVSS score, but it should be treated as a critical vulnerability.
Supply Chain Attack 3CXDesktopApp
3CX has notified its clients that the 3CX VoIP Desktop Application has been compromised so that it delivers malware via legitimate 3CX update pathways in a supply-chain attack. As of this time there is no patch available, and leaving the application active within the environment has the potential to expose organizations to threat actors.
Electron Windows App
Electron Mac App
The signed binary 3CXDesktopApp.exe executes an update process that conducts command-and-control (C2) communication with numerous external servers. The updater pulls down trojanized updates, including a backdoored ffmpeg.dll, which then downloads and extracts a secondary payload, d3dcompiler_47.dll. Current reports are that the final payload remains dormant for 7 days before reaching out to GitHub (https[:]//raw[.]githubusercontent[.]com/IconStorages/images/main/icon%d.ico) to decrypt C2 URLs and begin communication. Currently observed C2 URLs include:
It is important to note that, although the GitHub page has been taken down, it is unknown whether this fully remediates the malware or whether attackers still have other access to deployments carrying the introduced vulnerability.
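Because the implant only reaches out after its 7-day dormancy, and the IconStorages repository has since been removed, a fetch (or a failed fetch) of those icon files from the corporate proxy logs is one of the few network indicators a defender can hunt for. The following is an added example, not code from 3CX or from the original advisory: a small triage script that scans proxy log lines for the IconStorages URL pattern described above and reports which internal hosts attempted it. The log line layout and the sample entries are constructed for this example.

```python
import re
from collections import defaultdict

# Indicator from the advisory: the final payload retrieves icon%d.ico files from
# the IconStorages GitHub repository to recover its C2 URLs.
ICONSTORAGES_RE = re.compile(
    r"https?://raw\.githubusercontent\.com/IconStorages/images/main/icon\d+\.ico",
    re.IGNORECASE,
)

# Assumed proxy log layout (constructed for this example, not a real product format):
#   <timestamp> <client_ip> <method> <url> <status>
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def find_iconstorages_fetches(log_lines):
    """Return {client_ip: [matching urls]} for hosts that requested IconStorages icon files.

    The HTTP status is deliberately ignored: after the repository takedown the
    request fails with a 404, but the attempt itself still means the implant
    woke up on that host and should be investigated.
    """
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole triage
        url = m.group("url")
        if ICONSTORAGES_RE.search(url):
            hits[m.group("client")].append(url)
    return dict(hits)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2023-03-29T10:01:02Z 10.0.0.15 GET https://raw.githubusercontent.com/IconStorages/images/main/icon3.ico 200",
    "2023-03-29T10:01:05Z 10.0.0.15 GET https://update.example.org/3cx/desktop 200",
    "2023-03-29T10:02:11Z 10.0.0.22 GET https://raw.githubusercontent.com/someorg/repo/main/README.md 200",
    "2023-03-29T10:03:40Z 10.0.0.31 GET https://raw.githubusercontent.com/IconStorages/images/main/icon12.ico 404",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, urls in find_iconstorages_fetches(SAMPLE_LOG).items():
        print(f"{client}: {len(urls)} IconStorages fetch attempt(s)")
```

Hosts flagged by this script should be isolated and examined for the 3CXDesktopApp installation and the DLLs named above, since the network request only shows that the dormancy period has already elapsed.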
Windows Defender is detecting this attack chain using the threat name Trojan:Win64/SamScissor.
Multiple antivirus products have been reported to detect this application as malicious.