3CX app updates delivered multi-stage malware
Attackers compromised 3CX's build process and shipped malware through signed Desktop App updates for Windows and macOS to a customer base spanning hundreds of thousands of organizations.
Story
The 3CX incident is the cleanest modern example of one supply-chain attack becoming another. Mandiant found that the first known intrusion path into 3CX came from a trojanized X_TRADER installer downloaded from Trading Technologies' legitimate website. That earlier compromise installed VEILEDSIGNAL, giving the attacker a foothold that eventually reached 3CX's build environment.
Once inside 3CX, the actor compromised both Windows and macOS build systems. The Windows side used TAXHAUL and COLDCAT in the build environment, while the macOS build server carried POOLRAT. Signed 3CX Desktop App installers then became the distribution channel, carrying malicious code through normal vendor downloads and updates.
The shipped Desktop App malware ran SUDDENICON, which pulled command-and-control data from encrypted icon files hosted on GitHub. The decrypted infrastructure was then used to retrieve ICONICSTEALER, a data miner focused on browser and application configuration data. Mandiant tied the activity to UNC4736, assessed as a suspected North Korean cluster with overlap to financially motivated AppleJeus activity.
The early response added another lesson. The Register reported that SentinelOne saw suspicious activity on March 22, 2023, but 3CX treated the alert as a likely false positive after VirusTotal checks came back clean. CrowdStrike reporting on March 29 forced the issue into the open, and 3CX told customers to move to the progressive web app (PWA) while the desktop app was investigated.
Affected Artifacts
- Artifact: 3CX Desktop App for Windows (MSI installers)
  - Observed: 2022-12-07 to 2023-03-30
  - Fixed: Not listed
  - Hashes:
    - sha256:53a44c2396d15c3a03723fa5e5db54cafd527b9eceb8f99aeffcf6f8c609e5f4
    - sha256:2b5fe5a62855dc3e818d0d1359e0ba773bdd2ec3fa3a770be87b4dd6baf02c43
  - Evidence: distribution: downloads.3cx.com/downloads/3CXDesktopApp-18.12.407.msi; distribution: downloads.3cx.com/downloads/3CXDesktopApp-18.12.416.msi; malware: SUDDENICON; malware: ICONICSTEALER; +7 more
- Artifact: 3CX Desktop App for macOS (DMG installers)
  - Observed: 2022-12-07 to 2023-03-30
  - Compromised Versions
  - Fixed: Not listed
  - Hashes:
    - sha256:e3364af12a49468c61480c2f7c76a593ea6cb89bedc86b3f9b989697c08977be
    - sha256:7145fbd6ccce5469270baa43ea5dcb323f64d0ca0ee210ac9ba7e2c3ea3162e5
  - Evidence: distribution: downloads.3cx.com/downloads/3CXDesktopApp-18.12.407.dmg; distribution: downloads.3cx.com/downloads/3CXDesktopApp-18.12.416.dmg; malware: POOLRAT; malware: SIMPLESEA; +2 more
- Artifact: Trojanized X_TRADER installer (Trading Technologies)
  - Observed: 2022-04-01 to 2022-12-07
  - Compromised Versions
  - Fixed: Not listed
  - Hashes:
    - md5:ef4ab22e565684424b4142b1294f1f4d
  - Evidence: distribution: tradingtechnologies.com; file: X_TRADER_r7.17.90p608.exe; file: Setup.exe; malware: VEILEDSIGNAL; +5 more
  - Note: Mandiant identified the trojanized X_TRADER installer as the initial intrusion vector into 3CX's network, making this a supply-chain attack that led to another supply-chain attack.
Incident Context
- Motive: Espionage
- Attribution: State
- Cause: Build System Compromise
- Transitive: Yes
- Actor: UNC4736
- Actor Country: North Korea
- User Impact: 600000
Indicators
- Location (mirror): malware-research.org/3cx-supply-chain-attack-iocs-indicators-of-compromise
- Location (mirror): crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers
- Location (mirror): github.com/sophoslabs/IoCs/blob/master/3CX-IoCs.csv
- Location (mirror): virustotal.com/gui/file/53a44c2396d15c3a03723fa5e5db54cafd527b9eceb8f99aeffcf6f8c609e5f4
- Location (mirror): securelist.com/the-3cx-incident-what-we-know/109371
- Location (mirror): cloud.google.com/blog/topics/threat-intelligence/3cx-software-supply-chain-compromise
External References
Source record: proprietary/3cx/meta.yaml