
We understand from a CrowdStrike report that on March 29, 2023, malicious activity was observed emanating from a legitimate, signed binary, 3CXDesktopApp (a softphone application from 3CX). The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.

The 3CXDesktopApp is available for Windows, macOS, Linux, and mobile.

It is reported that potentially 600,000 clients are using this product.

3CX has confirmed that their Electron Windows App shipped in Update 7, version numbers 18.12.407 & 18.12.416, includes a security issue. Anti-Virus vendors have flagged the executable 3CXDesktopApp.exe and, in many cases, uninstalled it. Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 & 18.12.416 are also affected.
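To triage a fleet against the builds listed above, the following added example (not code from 3CX or from this post) matches a software inventory export against the per-platform version lists. The CSV column names, host names, platform aliases and the trailing `.0` normalization are assumptions made for illustration.

```python
import csv
import io

# Affected builds exactly as listed in the advisory text, keyed by platform.
AFFECTED = {
    "windows": {"18.12.407", "18.12.416"},
    "macos": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}
# Assumption: platform labels vary between inventory tools; map them to the keys above.
PLATFORM_ALIASES = {"windows": "windows", "win": "windows",
                    "macos": "macos", "mac": "macos", "darwin": "macos"}

def normalize_version(raw):
    """Trim whitespace and a leading 'v', and drop a fourth '.0' component
    (assumption: some inventory tools pad versions to four parts)."""
    parts = raw.strip().lstrip("vV").split(".")
    if len(parts) == 4 and parts[3] == "0":
        parts = parts[:3]
    return ".".join(parts)

def is_3cx_desktop_app(name):
    """Match product-name variants such as '3CX Desktop App' or '3CXDesktopApp.exe'."""
    squashed = "".join(ch for ch in name.lower() if ch.isalnum())
    return squashed.startswith("3cxdesktopapp")

def find_affected(inventory_csv):
    """Return sorted (host, platform, version) tuples for installs listed as affected."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_3cx_desktop_app(row["product"]):
            continue
        platform = PLATFORM_ALIASES.get(row["platform"].strip().lower())
        version = normalize_version(row["version"])
        if version in AFFECTED.get(platform, set()):
            hits.append((row["host"], platform, version))
    return sorted(hits)

# Constructed sample inventory export (hosts and column names are made up).
SAMPLE = """host,platform,product,version
ws-001,Windows,3CX Desktop App,18.12.416
ws-002,Windows,3CXDesktopApp,18.12.402
mb-003,macOS,3CX Desktop App,18.12.402
ws-004,Win,3CXDesktopApp.exe,18.12.407.0
ws-005,Windows,Zoom,18.12.407
lx-006,Linux,3CX Desktop App,18.12.416
"""

print(find_affected(SAMPLE))
```

Build 18.12.402 is flagged only on macOS because that is how the version lists above are split; platforms for which this post gives no affected versions are not flagged.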

The issue appears to be one of the bundled libraries compiled into the Windows Electron App via Git. 3CX is researching the matter to be able to provide a more in-depth response later today.

3CX reports that it is working on a new Windows App that does not have the issue, but strongly suggests that clients use its PWA app instead. More information is available on the 3CX discussion forum.

This post will be updated as more information becomes available.