VoIP software 3CX distributes malicious code after sideloading attack
by Tina Siering
North Korean cybercriminals have apparently manipulated the VoIP desktop client of the software manufacturer 3CX and used it for DLL sideloading attacks. More than 600,000 companies with over 12 million users use the tool daily.
The program contacted a number of domains, through which malicious code (mostly remote shells) was reloaded into the telephony software. These initially looked like legitimate addresses from CDN and Microsoft (e.g.akamaicontainer.com or azureonlinecloud.com).
The gateway for the attack is a DLL sideloading attack in which two DLL files (d3dcompiler_47.dll and ffmpeg.dll) were reloaded that have Trojan functions. Particularly insidious is the fact that the "Trojan DLL" contains all permissible 3CX functions that would also be expected in the legitimate DLL. As a result, the software works stably.
However, the malicious command & control server communication was noticed by several security companies last week. In the meantime, the manufacturer has reacted and announced first details: Affected are the Windows versions of 3CX desktop apps 18.12.407 and 18.12.416 and the latest Mac app versions: 18.11.1213, 18.12.402, 18.12.407 and 18.12.416 - all versions are already out of circulation.
Administrators of 3CX Phone Systems are asked to check installed versions and keep up to date on the 3CX forum. As an immediate measure, CEO Nicka Galea advises that it is essential to uninstall the affected apps. Another measure recommended was to use the provider's fully web-based PWA app until the update is released.
The findings so far suggest that the attacker group "Labyrinth Chollima", also known as "Lazarus Group" from North Korea, is behind the attacks.
Customers with an active Managed Service contract for Active Cyber Defense are of course informed separately about malicious communications on their systems. Since yesterday, we have been actively checking them for the malicious code.
Need help upgrading your IT security for 2023? Contact us!
Related articles
For several days now, there has been a strong accumulation of successful compromises by the "QakBot" malware (also known as "QBot" and "QuackBot") worldwide. We have also already identified successful attacks as part of our ACD monitoring. After infection, criminals can gain access to online banking accounts, leak user data, and reload further malware. As one measure to mitigate the risk, we urgently recommend adjustments to the Group Policy Objects (GPO).
Cybercriminals are true masters at constantly adapting their attack mechanisms to effective IT security measures. New tools and iterative changes to existing malware are used to mercilessly exploit security vulnerabilities. Among the numerous threats, ransomware stands out as one of the biggest. More and more companies have to face extortion Trojans. A completely new threat called LockFile now relies on intermittent encryption. LockFile not only encrypts much faster than previous ransomware, but also bypasses security solutions that work reliably. This article shows why criminals are increasingly relying on intermittent encryption and how companies should react to the new threat.
Read more … New ransomware trend: Why criminals increasingly rely on intermittent encryption
Due to the war in Ukraine, secion provides an assessment of the threat situation for companies and examines the question of whether increased Russian attacks on companies in Germany, Austria and Switzerland can be identified. There is currently no evidence of an acute increase in the threat posed by Russian state actors in Western Europe, but there is increased public awareness of these cyberattacks. In addition, "third-party actors" are creating a new dynamic.