On Wednesday, 29 March 2023, security researchers at CrowdStrike published a blog post describing unexpected malicious activity originating from the legitimate, cryptographically signed 3CX Desktop App (3CX SoftPhone).
On Thursday, 30 March 2023, the vendor 3CX posted a security advisory confirming a complex supply chain attack by an Advanced Persistent Threat (APT) that targeted some users of the 3CX Desktop App with infostealer malware. The infostealer has been observed gathering system and browser information from infected systems, including browser history. According to 3CX, the APT appears to have selected specific targets for downloading the next stages of its malware, while on the majority of infected systems the malicious files remained dormant.
3CX has confirmed that the following Electron versions of the Windows and macOS desktop app are affected. Because the earliest known affected versions were released in January 2023, we believe this supply chain attack dates back to January.
| Windows | macOS |
|---|---|
| 18.12.407 | 18.11.1213 |
| 18.12.416 | 18.12.402 |
| | 18.12.407 |
| | 18.12.416 |
Recommendations
Recommendation #1: Remove 3CX Desktop App From Workstations
3CX recommends uninstalling the 3CX Desktop App while it works on building new, uncompromised versions. In the meantime, the vendor recommends using the web app version of 3CX instead.
The following versions of 3CX SoftPhone applications should be removed:
| Windows | macOS |
|---|---|
| 18.12.407 | 18.11.1213 |
| 18.12.416 | 18.12.402 |
| | 18.12.407 |
| | 18.12.416 |
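To turn the affected-version tables above into an inventory check, here is an added example (not from 3CX or the original post) that flags hosts whose 3CX Desktop App build is on the per-platform affected list. The inventory CSV format (host, platform, product, version columns), the platform spellings and the hosts in the sample export are all assumptions constructed for the example; note that 18.11.1213 is affected only on macOS, so a single flat version list would give wrong answers.

```python
"""Flag hosts running a 3CX Desktop App build listed as affected in the 3CX advisory."""
import csv
import io
from typing import Dict, List, Set, Tuple

# Affected Electron builds per platform, as listed in the advisory.
AFFECTED: Dict[str, Set[str]] = {
    "windows": {"18.12.407", "18.12.416"},
    "macos": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}

# Hypothetical spellings an inventory export might use for the platform column.
PLATFORM_ALIASES = {
    "windows": "windows", "win": "windows", "win32": "windows", "win64": "windows",
    "macos": "macos", "mac": "macos", "darwin": "macos", "osx": "macos", "mac os x": "macos",
}

def normalize_version(raw: str) -> str:
    """'v18.12.407 ' -> '18.12.407': strip whitespace and a leading 'v'."""
    v = raw.strip().lower().lstrip("v")
    return v.split()[0] if v else ""

def is_affected(platform: str, version: str) -> bool:
    """True if this platform/version pair is on the advisory's affected list."""
    plat = PLATFORM_ALIASES.get(platform.strip().lower())
    if plat is None:
        return False  # unknown platform: cannot decide, leave for manual review
    return normalize_version(version) in AFFECTED[plat]

def find_affected_hosts(inventory_csv: str) -> List[Tuple[str, str, str]]:
    """Return (host, platform, version) for every 3CX row on an affected build.
    Assumed export columns: host, platform, product, version."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "3cx" not in row["product"].lower():
            continue  # other softphones sharing a version number are not in scope
        if is_affected(row["platform"], row["version"]):
            hits.append((row["host"], row["platform"], normalize_version(row["version"])))
    return hits

# Constructed sample inventory export (hostnames and the 18.12.300 build are made up).
SAMPLE_INVENTORY = """host,platform,product,version
ws-001,Windows,3CX Desktop App,18.12.407
ws-002,Windows,3CX Desktop App,18.12.300
mac-001,darwin,3CX Desktop App,v18.12.402
mac-002,macOS,3CX Desktop App,18.12.407
ws-003,Windows,Some Other Softphone,18.12.416
"""

if __name__ == "__main__":
    for host, plat, ver in find_affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: remove 3CX Desktop App {ver} ({plat})")
```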