The Dangers of Downloading Compromised Software: A Deep Dive into the 3CX Malware Incident

June 26, 2024

Downloading the official 3CX desktop app, often likened to Skype, seemed safe. It came with valid digital signatures from the company, confirming its legitimacy. However, running this application could infect your computer with malware, including an info stealer, a backdoor for attackers, and potential remote control capabilities.

3CX is not obscure software; it is a widely used business phone application. Large organizations such as Pepsi, the NHS, PwC, and many others use it. In the modern office, 3CX has replaced traditional telephone lines, letting colleagues communicate easily.

How the Incident Unfolded

The trouble began over a week ago when CrowdStrike noticed unusual malicious activity originating from a legitimate, signed 3CX binary. Analysts detected suspicious connections to attacker-controlled infrastructure and the deployment of malicious payloads, all stemming from the 3CX desktop app. Alarmingly, there was also evidence of hands-on-keyboard activity by the attackers.

This discovery led to numerous posts on 3CX forums, where users reported malware detections by their antivirus software. Instead of addressing the issue, 3CX’s initial response was to deflect blame, claiming their software couldn't be compromised. Users who persisted were banned. Eventually, the CEO issued a statement emphasizing transparency and cybersecurity, though many saw it as too little, too late.

Analyzing the Malware

Examining the MSI installer on VirusTotal, 39 of 59 engines flagged it as malicious. The primary executable, 3cxdesktopapp.exe, loaded a malicious DLL, ffmpeg.dll. Normally, ffmpeg.dll is a legitimate library used for audio and video processing; in this case, however, it had been altered to contain shellcode, turning it into the vehicle for the malware.

This modified DLL, along with others such as d3dcompiler.dll, carried encrypted shellcode and instructions, which were additionally base64 encoded to evade detection. The multiple layers of obfuscation made the malware hard to recognize at a glance and reflect a high level of sophistication in the attack.
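As a defender-side triage example added here (not code from the post or from 3CX), the script below scans a binary image for long base64 runs and reports the entropy of what they decode to, since encrypted shellcode decodes to near-random bytes while ordinary strings do not. The sample "DLL" image and the thresholds are constructed for illustration.

```python
"""Triage helper: locate base64-encoded blobs inside a binary and score
the decoded bytes by Shannon entropy (encrypted payloads score near 8)."""
import base64
import math
import re

# A run of at least 64 base64 characters, optionally padded with '='
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_base64_blobs(image: bytes):
    """Return (offset, run_length, decoded_entropy) for each decodable run."""
    results = []
    for m in B64_RUN.finditer(image):
        run = m.group(0)
        # Pad to a multiple of 4 so unpadded runs still decode
        padded = run + b"=" * (-len(run) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except ValueError:  # binascii.Error: not really base64
            continue
        results.append((m.start(), len(run), round(shannon_entropy(decoded), 2)))
    return results


def suspicious(results, threshold: float = 7.0):
    """Keep only blobs whose decoded content looks encrypted or packed."""
    return [r for r in results if r[2] >= threshold]


# Constructed sample image: a fake DOS/PE header, a base64-encoded
# "ciphertext" (all 256 byte values, standing in for encrypted shellcode),
# and a harmless base64-encoded copyright string.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"This program cannot be run in DOS mode.\r\n"
    + base64.b64encode(bytes(range(256)))
    + b"\x00" * 16
    + base64.b64encode(b"Copyright notice " * 8)
)

if __name__ == "__main__":
    for off, length, ent in find_base64_blobs(SAMPLE_IMAGE):
        print(f"offset={off} len={length} entropy={ent}")
```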

Broader Implications

The attack’s implications are severe, potentially affecting hundreds or thousands of businesses using 3CX. This incident highlights the inadequacy of relying solely on official sources for cybersecurity. Even well-regarded software can become a threat if compromised.

Modern malware often hides in file types other than executables (.exe). MSI installers, DLLs, JavaScript, Python scripts, and batch files can all carry malicious code. Relying on antivirus configurations that scan only .exe files is no longer sufficient in 2023.

The Importance of Comprehensive Cybersecurity

Despite the sophistication of the attack, antivirus software remains a critical defense layer. Early detections, even if not immediate, can mitigate damage. For instance, some antivirus engines detected the 3CX malware days before others, underscoring the value of robust antivirus solutions.

Conclusion

This incident underscores the need for vigilant cybersecurity practices. Businesses must stay informed about potential threats and maintain comprehensive security measures, including using reliable antivirus software. In a landscape where even trusted applications can be compromised, proactive defense is essential.

For a detailed cybersecurity test of your business, feel free to reach out to TPSC Tech. And for a comprehensive security solution, consider the latest offerings from F-Secure, featuring integrated UI, automated behavior blockers, and dark web monitoring. Stay informed and stay secure.
