
3CX Active Intrusion Campaign - 20230330001

Overview

Multiple sources are observing malicious activity originating from 3CXDesktopApp, a legitimate softphone application from 3CX.

CrowdStrike has released:

What is vulnerable?

The 3CX desktop softphone application (3CXDesktopApp), delivered through a malicious installer that carries a valid code signature. A valid signature on the installer or the installed binary therefore does not by itself indicate a clean host.

What has been observed?

The 3CX Softphone installer has been modified to distribute a malicious payload. Once installed, the application has been observed:

  • beaconing to actor-controlled infrastructure
  • staging and distributing secondary payloads
  • preceding hands-on-keyboard activity by the actor on the affected host

Resources

Recommendation

  • Locate the presence of 3CXDesktopApp software in your environment by using the queries outlined above.

  • Ensure the relevant EDR solution is deployed to all applicable systems.

  • Ensure “Suspicious Processes” is enabled in the applicable Prevention Policies.

  • Deploy the YARA signature from Neo23x0.

  • Deploy the Sigma rule (YAML) from SigmaHQ.

  • Hunt for historical presence of atomic indicators (file hashes, domains, IP addresses) in third-party tooling, if available.
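The following PowerShell hunt script is an added example supporting the first and last recommendations above; it is not part of this advisory and not tooling from 3CX or CrowdStrike. It assumes Windows endpoints, that the desktop client installs per user under %LOCALAPPDATA%\Programs\3CXDesktopApp (an assumed default path), and that the caller has local administrator rights. It records the SHA256 hash and Authenticode signer of every 3CXDesktopApp binary found so the values can be compared against published indicators; because the malicious installer observed in this campaign was signed, the signature status alone is deliberately not used as a verdict.

```powershell
# Added hunt script (example, not from the advisory or from 3CX/CrowdStrike).
# Assumes: Windows hosts, local admin rights, default per-user install path
#          C:\Users\<user>\AppData\Local\Programs\3CXDesktopApp (assumed default).
function Find-3CXDesktopApp {
    [CmdletBinding()]
    param()

    $hits = @()

    # 1. Per-user install location of the Electron-based desktop client.
    $exes = Get-ChildItem -Path 'C:\Users\*\AppData\Local\Programs\3CXDesktopApp\3CXDesktopApp.exe' `
                          -ErrorAction SilentlyContinue
    foreach ($exe in $exes) {
        $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
        $hits += [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            Source    = 'FileSystem'
            Item      = $exe.FullName
            Version   = $exe.VersionInfo.ProductVersion
            SHA256    = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash
            Signer    = $sig.SignerCertificate.Subject   # informational only: the malicious installer was signed
            SigStatus = $sig.Status
        }
    }

    # 2. Installed-software records in the machine-wide Uninstall keys
    #    (catches per-machine installs outside the default path).
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entries = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
               Where-Object { $_.DisplayName -like '*3CX*' }
    foreach ($entry in $entries) {
        $hits += [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            Source    = 'Registry'
            Item      = $entry.DisplayName
            Version   = $entry.DisplayVersion
            SHA256    = $null
            Signer    = $entry.Publisher
            SigStatus = $null
        }
    }

    # 3. Currently running instances, wherever the binary lives on disk.
    $procs = Get-Process -Name '3CXDesktopApp' -ErrorAction SilentlyContinue | Where-Object { $_.Path }
    foreach ($proc in $procs) {
        $sig = Get-AuthenticodeSignature -FilePath $proc.Path
        $hits += [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            Source    = 'Process'
            Item      = $proc.Path
            Version   = $proc.ProductVersion
            SHA256    = (Get-FileHash -Path $proc.Path -Algorithm SHA256).Hash
            Signer    = $sig.SignerCertificate.Subject
            SigStatus = $sig.Status
        }
    }

    return $hits
}

# Local run. For fleet-wide collection over PowerShell Remoting, hosts.txt being your own inventory:
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Find-3CXDesktopApp}
Find-3CXDesktopApp | Sort-Object Host, Source | Format-Table -AutoSize
```

Export the SHA256 column and compare it against the indicators published by 3CX, CrowdStrike and the YARA/Sigma sources listed above; any host with a match, or with a version you cannot account for, should be isolated and handed to incident response rather than simply uninstalled, since the advisory notes secondary payloads and hands-on-keyboard activity following the initial beacon.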