Additional information about the compromised 3CX desktop app

Sicherheit (Pexels, allgemeine Nutzung)[German]The 3CX Desktop app from phone system provider 3CX was infected with malware via supply chain attack. As a follow-up, I have some additional information. For example, the incident has now been confirmed by 3CX and both Cyble and Kasperky have provided analysis. According to Kaspersky, the North Korean hacker group Lazarus seems to be connected to the attack. The attack was also made possible because a vulnerability in Windows, known for 10 years, was declared by Microsoft to be only "opt-in" to close – hardly anyone knows about this possibility. And not all virus scanners recognize the threat.


What is the issue?

As of March 30, 2023, in the blog post 3CX desktop app (probably) infected in a supply chain attack (March 29, 2023), I had issued a warning to blog readers using phone system software from vendor 3CX. At that time, it was suspected that their 3CX Desktop App may have been compromised.

In the meantime, in addition to the Sentinel analysis mentioned in the blog post above, there is another analysis from Cyble entitled A Comprehensive Analysis of the 3CX Attack.

3CX is an international developer of VoIP IPBX software. The 3CX phone system, an open standards software-based phone system, was originally only usable on Windows, but since 2016 it can also be used on Linux and cloud platforms. 3CX Desktop App is an application that can be used to make calls directly on the desktop using a headset. 3CXDesktopApp is available for Windows, macOS, Linux and mobile devices.

The infection is confirmed

German blog reader Henry Barson had pointed out in this comment that 3CX CEO, Nick Galea, confirmed this March 30, 2023 incident in the 3cx community in this post:

It is true. For the record we contacted SentinelOne for more information but never received it. We are issueing a new build as we speak we apologize for the inconvenience.

In addition, blog reader Righter points out in this comment the official confirmation 3CX DesktopApp Security Alert dated March 30, 2023 on the 3CX blog. There it states that:

the Electron Windows App version numbers 18.12.407 and 18.12.416 shipped with Update 7 contains a security vulnerability. Electron Mac app version numbers 18.11.1213, which shipped with Update 6, and 18.12.402, 18.12.407 & 18.12.416 in Update 7 are also affected.

The blog post still contains the information that the target domain of the malicious functions has been disabled (not very helpful if the app and thus the system is compromised), and that antivirus solutions would have detected the 3CXDesktopApp.exe and quarantined it (this is also not always true, see below about Trend Micro).


In this comment, German security expert Stefan Kanthak points to a 2013 communication with 3CX, and links to the post VULNERABLE and COMPLETELY outdated 3rd-party libraries/components used in 3CX Phone System 11. They didn't really have their supply chain under control even since 10 years.

3CX attack over 10 year old Windows bug

In the supply chain attack, two DLLs used by Windows desktop applications were replaced with malicious malware-enhanced versions.One of the replaced DLLs is d3dcompiler_47.dll from the DirectX package. In the compromised variant, the DLL contains an encrypted malicious payload. One of these payloads acts as a Trojan that steals information from user systems.

At this point, an observer may ask the question "why a legitimate DLL from Windows can be replaced so easily"? These are usually digitally signed by Microsoft. If an attacker modifies such a file, the digital signature breaks and Windows should refuse to load it.

The supply chain attack by replacing the signed DLLs was possible because there has been a Windows bug for ten years that the attackers were able to exploit. Therefore, Windows still considers this manipulated DLL file as validly signed. The colleagues from Bleeping Computer point out in this article that the bug could actually have been closed long ago.

Will Dormann pointed out that the exploited vulnerability CVE-2013-3900 "WinVerifyTrust Signature Validation Vulnerability" was first made public by Microsoft on December 10, 2013. Microsoft stated at that time that adding content to the Authenticode signature section of an EXE (WIN_CERTIFICATE structure) in a signed executable is possible without invalidating the digital signature.

Microsoft had decided at the time to make a provided fix optional. Bleeping Computer suspects because otherwise legitimate signed executables would become invalid because they store data in the signature block of an executable. That is, the change can be enabled based on an opt-in. This requires manual intervention in the registry, where entries must be set. Microsoft has published the required commands as a .reg file in the article on CVE-2013-3900.

Windows Registry Editor Version 5.00  

The relevant support article, which was last updated on January 21, 2022, states that this registry fix must be set manually, but then it applies to Windows 10 and Windows 11. The "fat dog of the week" is still to come, however. On Twitter, someone points out on January 5, 2023 that Windows 11 removes the possibly manually set protection for CVE-2013-3900.

Windows 11 removes CVE-2013-3900 Mitigation

Those who need this protection have to set the registry entries manually again. Bleeping Computer has put together some more details on the subject in this article. So once again "Microsoft means perfect chaos" – there is nothing more to say about it.

Notes: The compromised d3dcompiler_47.dll from the DirectX package with the encrypted malicious payload does nothing. The attacker ships a 2nd compromised library ffmpeg.dll, that has a call to the encrypted malicious payload.

German security expert Stefan Kanthak left this comment, pointing out, that the construction outlined above isn't relevant. He pointed out, that

1) these DLLs are also shipped with application software from Mozilla, Google, Microsoft, ..) and installed into the private directories of the respective programs.
2) the clueless developers (not only at 3CX) still build their junk without /DEPENDENTLOADFLAG:2048da (see Executable Installers Considered Harmful or
How can I try to escape the disease-ridden hot-tubs known as the TEMP and Downloads directories?) and neither call SetDefaultDllDirectories() (see SetDefaultDllDirectories-Funktion (libloaderapi.h)) nor LoadLibraryEx() (see LoadLibraryExA function (libloaderapi.h)) with the LOAD_LIBRARY_SEARCH_SYSTEM32 flag their programs also load Windows system DLLs from their installation directory;
3) ince typical Windows developers also don't use LOAD_LIBRARY_REQUIRE_SIGNED_TARGET (see LoadLibraryExA function (libloaderapi.h)) in all places mentioned in 2), their junk loads DLLs without digital signature checking, i.e. it doesn't matter whether the registry entry required for CVE-2013-3900 is set or not.

Backdoor through 3CX software

Security researchers from Kaspersky have taken a closer look at the compromised 3CX desktop app and published their analysis including new findings in the article Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attac. Initially, there was talk of a Trojan, but Kaspersky's security researchers discovered that the infected application can also install a backdoor (Gopuram) on systems.

The colleagues from Bleeping Computer report here that the Gopuram backdoor used by the North Korean hacker group Lazarus for attacks on cryptocurrency companies since at least 2020 was also infiltrated into the systems of a limited number of affected 3CX customers as a second stage payload in the 3CX incident.

According to Bleeping Computer, Gopuram is a modular backdoor that can be used by its operators to manipulate the Windows registry and services and perform file timestomping to evade detection. The backdoor can be used to inject payloads into already running processes, load unsigned Windows drivers using the open-source kernel driver utility, and perform partial user management via the net command on infected devices.

According to Kaspersky, fewer than ten systems were infected, suggesting that those behind the supply chain attack were looking to specifically compromise certain companies for financial gain (e.g., stealing crypto-money).

Trend Micro didn't detect the 3CX flaw

German blog reader Sascha M. contacted me via email on April 5, 2023, because he wanted to alert me to the issue of TrendMicro Worry Free Business Security's detection of the 3CX malware. He wrote about it:

Hello Günter,

first of all the most important thing: thank you very much for your block! Absolutely top class and we read again and again with pleasure with you.

Maybe I have a topic that could be interesting for you and your block:

At many of our customers we have 3cx and TrendMicro Worry Free Business Security (WFBS on Prem) or Worry Free Business Security Services as part of the XDR (WFBSS) in use.

After the big issue around 3cx, it is of course important that our own and of course the customer's AV software responds to such risks.

According to the blog post TrendMicro has been aware of the issue since 3/30/2023. But until today neither the XDR nor the onPrem solutions react to the compromised files.

Considering the fact that everyone who uses or has used 3cx is required to scan all systems, TrendMicro customers may be lulled into a false sense of security here.

I have already informed TrendMicro about the situation on 03/31/2023, and yesterday the support took care of the issue. So far, however, only inquiries about license numbers, the files and LOG entries (which are empty).

I have attached a video for you, which was also sent to TM. In the video we still have the pattern 18.359.00, but currently the 18.361.00 is also here: Detection rate 0.

Keine Ahnung was TrendMicro da macht, für mich persönlich ein absolutes NoGo.

No idea what TrendMicro is doing there, for me personally an absolute NoGo.

At least TrendMicro E-Mail Security reacts to the files (doesn't help, but someone seems to have done his job).

Addendum: While writing the mail, a mail came from TrendMicro, saying that it can't be TrendMicro's fault and that the patterns should react.

Here is a screenshot from a customer I just had contact with.

3cx is running in the compromised version on the system, with TrendMicro doing nothing next to it.

Trend Micro and 3CX
Trend Micro and 3CX dectection, click to zoom

The screenshot above shows the analysis by TM, the screenshot below shows the compromised DLLs. So the virus protection failes, so the customers feels secure.

Infected 3CX dlls

I don't know if anything has changed now. Some users reported, that Trend Micro AV scanners flag 3CX as malicious. If someone has Trend Micro and 3CX in use, he should have a closer look if there is really no infection. Thanks to Sascha for the hint. I have not uploaded the video mentioned above here in my blog.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *