Supply Chain Attack against 3CXDesktopApp

4:00pm, 31 March 2023

TLP Rating: Clear

Versions of the 3CX software have been compromised, signed, and distributed, resulting in malicious activity.

What's happening

What this means

Affected versions of the 3CX software have been turned into trojans.

This includes beaconing to command-and-control (C2) servers, deploying additional payloads such as information stealing malware, and in some cases hands-on-keyboard activity.

There is a 7-day delay before the compromised application reaches out to external C2 servers. More information about this can be found on the Huntress link in the ‘more information’ section below.

The information stealing malware collects system information such as hostname, domain name and OS details, as well as browser history from the Brave, Chrome, Edge and Firefox browsers.

More information about the information stealing malware can be found on the Volexity link in the ‘more information’ section below.

What to look for

How to tell if you're affected

Versions of the 3CX Desktop App affected on Windows include:

  • 18.12.407, and
  • 18.12.416.

Versions of the 3CX Desktop App affected on Mac include:

  • 18.11.1213,
  • 18.12.402,
  • 18.12.407, and
  • 18.12.416.
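One way to triage a software inventory against the affected builds listed above, as an added example that is not part of this advisory and not code from 3CX. It assumes a simple CSV export of hostname, platform, product and version (a constructed format); the version lists are taken from the advisory, while the sample hosts and the non-affected version strings are constructed placeholders.

```python
"""Flag hosts running the 3CX Desktop App builds named in the advisory.
The inventory CSV layout is a constructed example, not a real vendor export."""
import csv
import io

# Affected build numbers exactly as listed in the advisory, per platform.
# Note that the Windows list is a subset of the Mac list.
AFFECTED = {
    "windows": {"18.12.407", "18.12.416"},
    "mac": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}

# Constructed sample inventory. Hostnames are placeholders; "18.12.999" is a
# placeholder for a build not named in the advisory.
SAMPLE_INVENTORY = """hostname,platform,product,version
ws-01,windows,3CX Desktop App,18.12.416
ws-02,windows,3CX Desktop App,18.12.999
ws-03,windows,3CX Desktop App,18.11.1213
mac-01,mac,3CX Desktop App,18.11.1213
mac-02,mac,3CX Desktop App,18.12.407
ws-04,windows,Unrelated Product,18.12.407
"""


def is_affected(platform: str, product: str, version: str) -> bool:
    """True when the product is the 3CX Desktop App at an advisory-listed build
    for that platform; the version must match exactly, not by prefix."""
    if "3cx desktop app" not in product.strip().lower():
        return False
    return version.strip() in AFFECTED.get(platform.strip().lower(), set())


def triage(inventory_csv: str) -> list:
    """Return the hostnames running an affected build, in inventory order."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if is_affected(row["platform"], row["product"], row["version"]):
            hits.append(row["hostname"])
    return hits


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected build, uninstall and review against published IOCs")
```

Because the malware waits 7 days before beaconing, a host on an affected build should be reviewed even when no C2 traffic has been seen yet.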

What to do

Mitigation

If you have used one of the affected software versions, we encourage you to uninstall the affected application and check your systems for the published IOCs and for signs of malicious activity.

IOCs can be found on the CrowdStrike and SentinelOne links in the ‘more information’ section below.

3CX is encouraging affected users to uninstall the app and use the Progressive Web App (PWA) Client as an alternative.

More information