SmoothOperator - Ongoing campaign trojanises 3CXDesktopApp in supply chain attack
April 2023 by SentinelLabs
3CXDesktopApp is a voice and video conferencing software developed by 3CX, a business communications software company. The company website states that 3CX has 600,000 customer companies with 12 million daily users. 3CX lists customer organisations in the automotive, food & beverage, hospitality Managed Information Technology Service Provider (MSP) and manufacturing sectors.
As of 22nd March 2023, SentinelOne began to see a spike in suspicious behavioural detections of the 3CXDesktopApp, a popular voice and video conferencing software product categorised as a Private Automatic Branch Exchange (PABX) platform.
The 3CX PBX client is available for Windows, macOS, and Linux; there are also mobile versions for Android and iOS, as well as a Chrome extension and a Progressive Web App (PWA) browser-based version of the client.
PBX software makes an attractive supply chain target for actors; in addition to monitoring an organisation’s communications, actors can modify call routing or broker connections into voice services from the outside. There have been other instances where actors use PBX and VOIP software to deploy additional payloads, including a 2020 campaign against Digium VOIP phones using a vulnerable PBX library, FreePBX.
Key points
• SentinelOne’s behavioural detections prevented these trojanised installers from running, and led to immediate default quarantine.
• The trojanised 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from Github and ultimately leads to a 3rd stage infostealer DLL still being analysed as of the time of writing.
• The compromise includes a code signing certificate used to sign the trojanised binaries.
• SentinelLabs’ investigation into the threat actor behind this supply chain is ongoing. The threat actor has registered a sprawling set of infrastructure starting as early as February 2022, but SentinelLabs hasn’t yet seen obvious connections to existing threat clusters.
• 30th March 2023: SentinelOne updated its Indicators of Compromise (IOC) with contributions from the research community.
• 30th March 2023: SentinelLabs confirmed that the MacOS installer is trojanised, as reported by Patrick Wardle. The team has identified the limited deployment of a second-stage payload for Mac infections.
• SentinelLabs has updated its IOCs to reflect MacOS components. SentinelOne’s telemetry now sets the earliest infection attempt as 8th March 2023.
Conclusion
As others have noted, SentinelOne began automatically detecting and blocking the activity over the span of the week prior to its active investigation of the campaign. No action is needed for SentinelOne customers, but SentinelLabs has provided technical indicators in its full report to benefit all potential victims in hunting for the SmoothOperator campaign.