Everyday is lazarus.day

Threat Advisory: 3CX Softphone Supply Chain Compromise

2023-03-30, Cisco Talos
#SupplyChain #3CXDesktopApp #SmoothOperator


- Cisco Talos is tracking and actively responding to a supply chain attack involving the 3CX Desktop Softphone application.
- This is a multi-stage attack that involves sideloading DLLs, seven-day sleep routines, and, on Windows-based systems, additional payloads that depend on a now-removed GitHub repository.
- macOS systems used a different infection chain that relied on a hardcoded C2 domain rather than the GitHub repository.
- This is only the latest in a series of supply chain attacks threatening users, after the SolarWinds incident in 2020 and the REvil ransomware group's exploitation of Kaseya VSA in 2021.

Cisco Talos recently became aware of a supply chain attack affecting Windows and macOS users of the 3CX software-based phone application. This attack leveraged the legitimate update functionality of the 3CX application to deliver a set of malicious payloads to 3CX users.
The infection chain consists of several stages and involves sideloading DLLs along with a seven-day sleep cycle before the malware attempts to …
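The advisory names DLL sideloading as the first stage of the Windows chain but gives no detection guidance. The script below is an added example, not Cisco Talos code and not derived from 3CX indicators: it runs a side-loading heuristic over a handful of constructed image-load records shaped like Sysmon Event ID 7 fields. The process name `softphone.exe`, the folder `C:\Program Files\SoftphoneApp`, and the DLL names in the sample events are hypothetical; only the system DLL names in `SYSTEM_DLL_NAMES` are real Windows components commonly abused for side-loading.

```python
"""Heuristic DLL side-loading detection over Windows image-load telemetry.

Added example for this advisory; it is not Cisco Talos code and contains no
3CX indicators. The events below are constructed to resemble Sysmon Event ID 7
(Image loaded) fields, and every process and DLL path in them is hypothetical.
"""
import ntpath

# DLLs that belong in the Windows system directories. The Windows loader
# searches the application directory before System32, so a copy of one of
# these sitting next to an executable is the classic side-loading setup.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "winhttp.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample events (Sysmon ID 7 style), not real telemetry.
SAMPLE_EVENTS = [
    # Benign: system DLL loaded from System32 and validly signed.
    {"Image": r"C:\Program Files\SoftphoneApp\softphone.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Suspicious: a system DLL name resolved from the application folder.
    {"Image": r"C:\Program Files\SoftphoneApp\softphone.exe",
     "ImageLoaded": r"C:\Program Files\SoftphoneApp\dbghelp.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Suspicious: unsigned, non-system DLL loaded from the process's own folder.
    {"Image": r"C:\Program Files\SoftphoneApp\softphone.exe",
     "ImageLoaded": r"C:\Program Files\SoftphoneApp\codec.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Benign: vendor-signed helper DLL from the application folder.
    {"Image": r"C:\Program Files\SoftphoneApp\softphone.exe",
     "ImageLoaded": r"C:\Program Files\SoftphoneApp\ui.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def _norm(path):
    """Lower-case a Windows path so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def classify(event):
    """Return a reason string if the load looks like side-loading, else None."""
    image = _norm(event["Image"])
    loaded = _norm(event["ImageLoaded"])
    name = ntpath.basename(loaded)
    in_system_dir = loaded.startswith(SYSTEM_DIRS)
    same_dir = ntpath.dirname(loaded) == ntpath.dirname(image)
    signed_ok = (event.get("Signed", "false") == "true"
                 and event.get("SignatureStatus") == "Valid")

    if name in SYSTEM_DLL_NAMES and not in_system_dir:
        return "system DLL name loaded from non-system path"
    if same_dir and not signed_ok:
        return "unsigned DLL loaded from the application directory"
    return None


def find_sideloads(events):
    """Return (process, dll, reason) tuples for every suspicious load."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev["Image"], ev["ImageLoaded"], reason))
    return hits


if __name__ == "__main__":
    for proc, dll, reason in find_sideloads(SAMPLE_EVENTS):
        print(f"{proc} -> {dll}: {reason}")
```

Two caveats apply in practice. The second rule is noisy, since many vendors ship unsigned helper DLLs beside their executables, so it needs an allowlist keyed on the vendor's signer. More importantly, a payload delivered through a legitimate, signed update channel, which is exactly what this advisory describes, can arrive with a valid signature, so signature state alone does not clear a DLL; compare hashes against a known-good build of the application as well.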