3CX is reportedly working on a software update for its desktop app after cybersecurity vendors detected a supply chain attack. The attack uses digitally signed installers of the popular voice and video conferencing software to target downstream customers. SentinelOne researchers are tracking the activity under the name SmoothOperator and claim that the threat actor registered a massive attack infrastructure back in February 2022.
The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that ultimately leads to a third-stage infostealer DLL. The company behind 3CXDesktopApp claims to have over 600,000 customers and 12 million users in 190 countries, including well-known names like American Express, BMW, Honda, Ikea, Pepsi, and Toyota.
According to Sophos, the attacks on the 3CX PBX client have only targeted the Windows Electron client so far. The attack uses DLL side-loading to load a rogue DLL and obtain an ICO payload from a GitHub repository, which has since been removed.
3CX CEO Nick Galea announced in a forum post that the company is releasing a new build of its desktop app in response to the supply chain attack. Galea attributed the issue to an infected library, but did not provide further details.
In the meantime, 3CX is recommending that customers uninstall the app and reinstall it or use the PWA client. In a later update, the company stated that the issue seemed to involve a bundled library in the Windows Electron app and that it was investigating further.