FortiGuard Labs is aware that a digitally signed 3CX desktop app was reportedly used in a supply chain attack against 3CX Voice over Internet Protocol (VoIP) customers. A previously unknown infostealer was deployed to the victims at the end of the infection chain. At this time, Windows and MacOS versions were reportedly trojanized.The 3CX desktop app is a popular software phone client that enables users to make calls, have live chats, hold video conference calls, and is available for Windows, MacOS, Linux, Android and iOS. 3CX claims to more than 600,000 companies use their service and have more than 12 million userbase.Why is this Significant?This is significant because 3CX, a very popular software phone client that the company claims to serve more than 600,000 companies, was reportedly trojanized to deliver an unknown infostealer to victims through a supply chain attack.How Widespread is the Attack?Currently there is no indication available as to how widespread the attack is. FortiGuard Labs is closely monitoring the situation and will update this Threat Signal when new information becomes available.Who is Behind this Attack?Unconfirmed reports suggest LAZARUS group may be the perpetrator of this attack.Who is LAZARUS?LAZARUS, also known as APT38/HIDDEN COBRA has been linked to multiple high-profile, financially-motivated attacks in various parts of the world – some of which have caused massive infrastructure disruptions. Notable attacks include the 2014 attack on a major entertainment company and a 2016 Bangladeshi financial institution heist that almost netted nearly $1 Billion (USD) for the attackers. Had it not been for a misspelling in an instruction that caused a bank to flag and block thirty transactions, LAZARUS would have pulled off a heist unlike any other. Although LAZARUS failed in their attempt, they were still able to net around 81 million dollars in total.What Malware is Delivered to the Victims of this Supply Chain Attack?A previously unknown infostealer that collects system information and steals information from popular Web browsers was reportedly deployed to the victims.Has the Vendor Released an Advisory?3CX released an advisory on March 30th, 2023. See the Appendix for a link to “3CX DesktopApp Security Alert”.What is the Status of Protection?FortiGuard Labs currently has the following AV signatures in place for some of the known and available files involved in this attack:W64/Agent.CFM!trOSX/Agent.CN!trCurrently available network IOCs are blocked by Webfiltering.FortiGuard Labs is investigating for additional coverage. This Threat Signal will be updated when new protection information becomes available. Latest detials of all protections can be found in the FortiGuard 3CX Supply Chain Attack Outbreak Alert.

Read More