3CX said it’s working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that’s using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers.
“The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage infostealer DLL,” SentinelOne researchers said.
The cybersecurity firm is tracking the activity under the name SmoothOperator, stating the threat actor registered a massive attack infrastructure as far back as February 2022.
3CX, the company behind 3CXDesktopApp, claims to have more than 600,000 customers and 12 million users in 190 countries, some of which include well-known names like American Express, BMW, Honda, Ikea, Pepsi, and Toyota, among others.
While the 3CX PBX client is available for multiple platforms, Sophos, citing telemetry data, pointed out that the attacks observed so far are confined to the Windows Electron client of the PBX phone system.
Cybersecurity firm CrowdStrike said it suspects the attack to be linked to a North Korean nation-state actor it tracks as Labyrinth Chollima, a sub-cluster within the notorious Lazarus Group.
