VoIP software 3CX distributes malicious code after sideloading attack


Reading time: minutes ( words)
Softphone client 3CXDesktopApp compromised

North Korean cybercriminals have apparently manipulated the VoIP desktop client of the software manufacturer 3CX and used it for DLL sideloading attacks. More than 600,000 companies with over 12 million users use the tool daily.

The program contacted a number of domains, through which malicious code (mostly remote shells) was reloaded into the telephony software. These initially looked like legitimate addresses from CDN and Microsoft (e.g.akamaicontainer.com or azureonlinecloud.com).

The gateway for the attack is a DLL sideloading attack in which two DLL files (d3dcompiler_47.dll and ffmpeg.dll) were reloaded that have Trojan functions. Particularly insidious is the fact that the "Trojan DLL" contains all permissible 3CX functions that would also be expected in the legitimate DLL. As a result, the software works stably.

However, the malicious command & control server communication was noticed by several security companies last week. In the meantime, the manufacturer has reacted and announced first details: Affected are the Windows versions of 3CX desktop apps 18.12.407 and 18.12.416 and the latest Mac app versions: 18.11.1213, 18.12.402, 18.12.407 and 18.12.416 - all versions are already out of circulation.

Administrators of 3CX Phone Systems are asked to check installed versions and keep up to date on the 3CX forum. As an immediate measure, CEO Nicka Galea advises that it is essential to uninstall the affected apps. Another measure recommended was to use the provider's fully web-based PWA app until the update is released.

The findings so far suggest that the attacker group "Labyrinth Chollima", also known as "Lazarus Group" from North Korea, is behind the attacks.

Customers with an active Managed Service contract for Active Cyber Defense are of course informed separately about malicious communications on their systems. Since yesterday, we have been actively checking them for the malicious code.

Need help upgrading your IT security for 2023? Contact us!

By clicking on the "Submit" button, you confirm that you have read our privacy policy. You give your consent to the use of your personal data for the purpose of contacting you by Allgeier secion, Zweigniederlassung der Allgeier CyRis GmbH.

* Mandatory field

Go back