Softphone 3CX Supply Chain Attack

Apr 5, 2023

VOIP attacks hit primarily in North America

Hackers compromise 3CX desktop app in a supply chain attack

Active Intrusion Campaign Targeting 3CX DesktopApp - NHS Digital

A digitally signed and Trojanized version of the 3CX Voice Over Internet Protocol (VOIP) desktop client is reportedly being used to target the company’s customers in an ongoing supply chain attack.

This is Katy Craig in San Diego, California.

Reports suggest that customers of 3CX, a popular VOIP desktop client, have been targeted in an ongoing attack. The attack, which has been dubbed 'SmoothOperator' by SentinelOne, starts when unsuspecting users download an installer from the 3CX website or receive an update for an already installed application. This is where things get tricky.

The installer or update actually loads malicious files that are used to execute the next stage of the attack. This includes deploying second-stage payloads, beaconing to actor-controlled infrastructure, and in some cases, hands-on-keyboard activity. According to the experts, the most common post-exploitation activity observed so far is the spawning of an interactive command shell. While some have noted that the 3CX desktop executable is not itself malicious, the Dynamic Link Libraries (or DLLs) that are sideloaded are, and they’re used to contact any of over 20 bad-guy-controlled websites.

SentinelOne says the malware uses Base64 strings to download a final payload to the compromised devices. This new malware is capable of harvesting system info and stealing data and stored credentials from Chrome, Edge, Brave, and Firefox user profiles. No word yet on Safari or Mac users.

3CX confirms the exploit and advises users to uninstall (if your malware scanner hasn’t done so already) and attempt to reinstall the newly patched application. Fingers crossed.

This is Katy Craig. Stay safe out there.