SentinelOne has dubbed the attack “Smooth Operator,” while CrowdStrike suspects the involvement of a North Korean government-state actor known as LABYRINTH CHOLLIMA.
CrowdStrike and SentinelOne cybersecurity researchers identified an unusual spike in malicious activity from a single, legitimate binary, 3CX Voice Over Internet Protocol (VOIP) desktop App (3CX Desktop App).
Campaign Details
On March 29, 2023, CrowdStrike researchers observed malicious activity, including beaconing to attacker-operated infrastructure, deploying second-stage payloads, and, in some cases, hands-on keyboard activity.
Since the app is available for Windows, macOS, and Linux, the activity was observed on Mac and Windows systems. Mobile versions are also available for Android and iOS devices. For browsers, the app is available as an extension for Chrome, and a browser-based version is available for the Progressive Web app.
Researchers suspect the involvement of a North Korean government-state actor, LABYRINTH CHOLLIMA. CrowdStrike Intelligence sent an alert to its customers yesterday morning. On the other hand, SentinelOne started seeing an uptick in 3CX Desktop App behaviour on March 22, 2023.
It is worth mentioning that SentinelOne has dubbed the attack “Smooth Operator.” The company urges customers to ensure that prevention policies are appropriately configured and that Suspicious Processes are activated to stay protected.
Multi-Stage Attack Scenario
In this multi-stage attack, the malicious 3CX Desktop App installer serves as a shellcode loader that executes the shellcode from heap space and loads a DLL after removing the “MZ” at the start.
This DLL is later called through the DllGetClassObject export. At this stage, icon files are downloaded from a specific GitHub repository: (github.com/IconStorages/images).
These ICO files append Base64 data at the end, which is then decoded and used to download the final stage. In this stage, info-stealer functionality is implemented, which includes collecting system and browser data. It can collect data from Chrome, Brave, Edge, and Firefox browsers, and the collected data includes browsing history from Chrome and Places tab data from Firefox.
What is 3CXDesktopApp
For your information, 3CX Desktop App is a widely-used voice and video conferencing and call routing software characterized as a Private Automatic Branch Exchange (PABX) platform.
The platform is used by 600,000 companies globally and has more than 12 million active users. Companies in the automobile, manufacturing, hospitality, food & beverage, and MSP (managed information technology provider) sectors commonly use it.
It is worth noting that PBX software is an attractive target for launching supply-chain attacks, as these allow attackers to monitor organizations’ communications and alter call routing and broker connections into external voice services.
UPDATE:
In a subsequent update, 3CX stated that the problem seemed to stem from a bundled library that was compiled into the Windows Electron app via git, and the company is currently conducting further investigations into the matter.
