Everyday is lazarus.dayβ

3CX users under DLL-sideloading attack: What you need to know

2023-03-29, Sophos
#SupplyChain #3CXDesktopApp #SmoothOperator


Sophos X-Ops is tracking a developing situation concerning an apparent supply-chain attack against the 3CX Desktop application, possibly undertaken by a nation-state-related group. This page provides an overview of the situation, a threat analysis, information for hunters, and information on detection and protection.
We will update this page as events and understanding develop, including our threat and detection guidance.
[First version published 7pm PDT 29-March-2023]
The affected software is 3CX – a legitimate software-based PBX phone system available on Windows, Linux, Android, and iOS. The application has been abused by the threat actor to add an installer that communicates with various command-and-control (C2) servers.
The software is a digitally signed version of the softphone desktop client for Windows and is packaged with a malicious payload. The most common post-exploitation activity observed to date is the spawning of an interactive command shell.
At present, the only platform confirmed by our customer data to be affected is Windows.
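The post-exploitation behaviour described above, the 3CX client spawning an interactive command shell, is something a defender can look for in process-creation telemetry. The following is an added example, not Sophos' own detection content: it assumes Sysmon Event ID 1 style field names, assumes the desktop client binary is named 3CXDesktopApp.exe, and runs over constructed sample events.

```python
# Added example (not from the Sophos advisory): flag process-creation events in which the
# 3CX desktop client is the direct parent of a command shell. Field names follow Sysmon
# Event ID 1 conventions; the parent executable name and the sample events are assumptions
# constructed for this example, not real telemetry.
from typing import Dict, List
import ntpath

# Assumed file name of the 3CX Windows desktop client binary.
THREE_CX_PARENT = "3cxdesktopapp.exe"

# Interactive shells and script hosts a softphone client has no routine reason to launch.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return ntpath.basename(path).lower()


def is_suspicious_shell_spawn(event: Dict[str, str]) -> bool:
    """True when the 3CX client is the direct parent of a shell or script host."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    return parent == THREE_CX_PARENT and child in SHELL_IMAGES


def find_suspicious_shell_spawns(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a batch of process-creation events down to the ones worth triaging."""
    return [e for e in events if is_suspicious_shell_spawn(e)]


# Constructed sample events in Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    # Client launching cmd.exe: the behaviour the advisory describes.
    {"ParentImage": r"C:\Users\alice\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    # Client spawning its own helper process: expected, not flagged.
    {"ParentImage": r"C:\Users\alice\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe",
     "Image": r"C:\Users\alice\AppData\Local\Programs\3CXDesktopApp\app\3CXDesktopApp.exe",
     "CommandLine": "3CXDesktopApp.exe --type=renderer"},
    # A user opening a shell from Explorer: unrelated, not flagged.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for hit in find_suspicious_shell_spawns(SAMPLE_EVENTS):
        print("suspicious:", hit["ParentImage"], "->", hit["Image"])
```

Parent/child matching alone is a triage filter, not proof of compromise; hits should be correlated with the C2 network indicators the advisory covers.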
Threat …