A digitally signed, Trojan-protected version of the 3CX Voice Over Internet Protocol (VOIP) desktop client is reportedly being used to target corporate customers as part of an ongoing supply chain attack.

3CX is a VoIP IP PBX software development company whose 3CX phone system is used by over 600,000 businesses worldwide and has over 12 million daily users.

THE company client list includes a long list of leading companies and organizations like American Express, Coca-Cola, McDonald’s, BMW, Honda, AirFrance, NHS, Toyota, Mercedes-Benz, IKEA and HolidayInn.

According to alerts from security researchers from Sophos and CrowdStrike, attackers are targeting both Windows and macOS users of the compromised 3CX softphone app.

“Malicious activity includes tagging to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on keyboard activity,” the threat intelligence team said. CrowdStrike threats. said.

“The most common post-exploit activity observed to date is the creation of an interactive command shell,” Sophos added in an advisory posted through its Managed Detection and Response service.

As CrowdStrike suspects a North Korean state-backed hacking group, it follows as Labyrinth Collima is behind this attack, Sophos researchers say they “cannot verify this attribution with a high degree of confidence”.

The activity of Labyrinth Collima is known to overlap with other threat actors tracked like Lazarus Group by Kaspersky, Covellite by Dragos, UNC4034 by Mandiant, Zinc by Microsoft and Nickel Academy by Secureworks.

“CrowdStrike has a thorough analysis process when it comes to opponent naming conventions,” the company told BleepingComputerr via email.

“LABYRINTH CHOLLIMA is a subset of what has been described as the Lazarus Group, which includes other adversaries linked to the DPRK, including SILENT CHOLLIMA And STARDUST CHOLLIMA.”

SmoothOperator software supply chain attack

SentinelOne also revealed in a report on Thursday that the trojanized 3CX desktop app downloads icon files hosted on GitHub that contain Base64-encoded strings appended to images.

The attackers behind this software supply chain attack, dubbed SmoothOperator by SentinelOne, first uploaded one of these icon files to their repository on December 7, 2022.

The app uses these Base64 strings to download a final payload to compromised devices, a previously unknown information-stealing malware.

This new malware is capable of collecting system information and stealing stored data and credentials from Chrome, Edge, Brave and Firefox user profiles.

“At this time, we cannot confirm that Mac Installer is also infected with a Trojan. Our ongoing investigation includes additional applications such as the Chrome extension that could also be used to stage attacks “, SentinelOne said.

“The threat actor has registered a large set of infrastructure as of February 2022, but we don’t yet see any obvious links to existing threat clusters.”

Marked as malicious by security software

CrowdStrike reports that the trojanized version of the 3CX desktop client will connect to one of the following attacker-controlled domains:

Some of the domains mentioned by clients that the desktop client tried to connect to include azureonlinestorage[.]com, msstorageboxes[.]com and msstorageazure[.]com.

BleepingComputer tested an allegedly trojanized version of the software but was unable to trigger connections to these domains.

However, several customers in the 3CX forums have stated that they have been receiving alerts for a week, March 22indicating that the VoIP client application has been marked as malicious by SentinelOne, CrowdStrike, ESET, Palo Alto NetworksAnd sonic wall security software.

Customers report that security alerts are triggered after installing 3CXDesktopApp Windows versions 18.12.407 and 18.12.416 or 18.11.1213 and latest version on Mac.

One of the examples of 3CX softphone clients infected with a Trojan share by CrowdStrike was digitally signed over three weeks ago on March 3, 2023 with a legitimate 3CX Ltd certificate issued by DigiCert.

BleepingComputer confirmed that this same certificate was used in older versions of the software.

While SentinelOne detects “penetration framework or shellcode” when scanning the 3CXDesktopApp.exe binary and ESET marks it as a “Win64/Agent.CFM” Trojan, the Falcon Managed Threat Hunting Service CrowdStrike’s OverWatch warns users to investigate their systems for malicious activity “as a matter of urgency”. “

Even though 3CX support team members tagged it as a potential SentinelOne false positive in one of the forum threads filled with customer reports on Wednesday, the company has yet to publicly acknowledge the issues.

A 3CX spokesperson did not respond to a request for comment when contacted by BleepingComputer earlier today.