3CX Supply Chain Attack Advisory
CrowdStrike has recently reported an active supply chain attack targeting 3CX customers. Malicious activity was observed in the 3CXDesktopApp, which was seen contacting command-and-control infrastructure and deploying payloads. This application is used as a voice and video conferencing platform.
LABYRINTH CHOLLIMA, a nation-state actor operating on behalf of North Korea, is suspected to be behind the attacks, which affect both the Windows and macOS versions of the software. Patrick Wardle of Objective-See confirmed that the macOS version was trojanized.
As this is an ongoing attack, details are scarce. We will provide updates as the investigation unfolds. At the moment, it is recommended to remove instances of the 3CXDesktopApp software from your environment.
Indicators of compromise for macOS:
- ~/Library/Application Support/3CX Desktop App/UpdateAgent
- ~/Library/Application Support/3CX Desktop App/.main_storage
- ~/Library/Application Support/3CX Desktop App/.session-lock
Use Addigy’s newly published Community Fact to help you identify devices that show these indicators of compromise.
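As an added example (not part of the advisory and not Addigy's Community Fact), the POSIX shell script below checks a home directory for the three macOS indicator paths listed above. The indicator paths are the ones from the advisory; the function names, the per-home-directory argument and the `/Users/*` usage are assumptions of this example. Because the advisory writes the paths relative to `~`, an administrator running the check as root has to repeat it for every user's home rather than only for root's own.

```shell
#!/bin/sh
# Added example: check a macOS home directory for the 3CX indicator files
# named in the advisory. Prints each indicator path that exists.
# Assumptions of this example: function names and the argument convention.

# Indicator paths relative to a user's home directory, taken from the advisory.
# They contain spaces, so the list is newline-separated and read line by line.
IOC_RELATIVE_PATHS='Library/Application Support/3CX Desktop App/UpdateAgent
Library/Application Support/3CX Desktop App/.main_storage
Library/Application Support/3CX Desktop App/.session-lock'

# check_3cx_iocs HOME_DIR
# Print every indicator path that is present under HOME_DIR, one per line.
check_3cx_iocs() {
    home="$1"
    printf '%s\n' "$IOC_RELATIVE_PATHS" | while IFS= read -r rel; do
        if [ -e "$home/$rel" ]; then
            printf '%s\n' "$home/$rel"
        fi
    done
}

# count_3cx_iocs HOME_DIR
# Print the number of indicator paths present under HOME_DIR (0 when clean).
count_3cx_iocs() {
    check_3cx_iocs "$1" | wc -l | tr -d ' '
}

# is_3cx_clean HOME_DIR
# Exit status 0 when no indicator is present, 1 otherwise; useful in scripts.
is_3cx_clean() {
    [ "$(count_3cx_iocs "$1")" -eq 0 ]
}

# Usage on macOS, as root so every home is readable:
#   sh check_3cx_iocs.sh /Users/*
# Each argument is treated as a home directory; nothing runs without arguments.
if [ "$#" -gt 0 ]; then
    status=0
    for h in "$@"; do
        [ -d "$h" ] || continue
        if is_3cx_clean "$h"; then
            printf 'clean: %s\n' "$h"
        else
            printf 'INDICATORS FOUND under %s:\n' "$h"
            check_3cx_iocs "$h"
            status=1
        fi
    done
    exit "$status"
fi
```

A hit on any of the three paths is a reason to isolate the device and follow the advisory's removal guidance; an absent file is not proof of a clean system, since the advisory notes that details of the attack are still emerging.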