Business telephony vendor 3CX is warning users of its softphone to uninstall the software and switch to its equivalent web app, following what it calls a supply-chain attack.

CEO Nick Galea posted that the malware “affects the Windows Electron client for customers running update 7.”
“It was reported to us [last] night and we are working on an update to the DesktopApp which we will release in the coming hours,” he wrote.
“We strongly recommend using our PWA client instead. It really does 99 percent of the client app and is fully web-based and this type of thing can never happen.”
Galea also said that Windows Defender users will already have noticed the app has been uninstalled.
The malware was discovered independently by SentinelOne and CrowdStrike.
SentinelOne said it first noticed malicious activity originating from the 3CX software on March 22.
“The trojanised 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from GitHub and ultimately leads to a third stage infostealer DLL still being analysed as of the time of writing,” SentinelOne said.
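A defender-side check for the staging SentinelOne describes (ICO files with base64 data appended), as an added example that is not code from 3CX, SentinelOne or CrowdStrike: it parses the ICO directory, finds where the declared image data ends, and decodes any base64 run found after that point. The 16-character minimum run length, the function names and the sample files are assumptions constructed for illustration.

```python
import base64
import re
import struct

# Assumption: a run of 16+ base64 characters is worth flagging.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def ico_declared_end(data: bytes) -> int:
    """Offset at which the last image listed in the ICO directory ends."""
    if len(data) < 6:
        raise ValueError("too short for an ICONDIR header")
    reserved, kind, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an ICO file")
    end = 6 + 16 * count  # 6-byte header plus 16-byte directory entries
    if len(data) < end:
        raise ValueError("truncated icon directory")
    for i in range(count):
        # Each entry stores the image size at +8 and its file offset at +12.
        size, offset = struct.unpack_from("<II", data, 6 + 16 * i + 8)
        end = max(end, offset + size)
    return end

def appended_base64(data: bytes):
    """Decode base64 text found after the declared image data, else None."""
    match = B64_RUN.search(data[ico_declared_end(data):])
    if match is None:
        return None
    text = match.group(0).rstrip(b"=")
    if len(text) % 4 == 1:  # one stray character cannot be decoded
        text = text[:-1]
    return base64.b64decode(text + b"=" * (-len(text) % 4))

def build_sample_ico(trailer: bytes = b"") -> bytes:
    """Constructed one-image ICO; the 40 zero bytes stand in for pixel data."""
    image = b"\x00" * 40
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(image), 22)
    return header + entry + image + trailer

SAMPLE_PAYLOAD = b"constructed-second-stage-blob"  # constructed, harmless
CLEAN_ICO = build_sample_ico()
TAMPERED_ICO = build_sample_ico(base64.b64encode(SAMPLE_PAYLOAD))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICO), ("tampered", TAMPERED_ICO)):
        print(name, appended_base64(blob))
```

Any non-`None` result means the file carries data that no icon renderer will read, which is reason enough to quarantine the file and inspect the decoded bytes.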
CrowdStrike said it observed similar behaviour on March 29.
The malicious activity, CrowdStrike said, emanated from “a legitimate, signed binary, 3CXDesktopApp”.
The activity “includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity,” it said.
“CrowdStrike Intelligence has assessed there is suspected nation-state involvement by the threat actor LABYRINTH CHOLLIMA,” the company said.
On its website, 3CX claims it has 600,000 business customers and 12 million daily users.