Several cybersecurity companies have issued warnings after the official Windows desktop app of the popular 3CX softphone solution was found to have been trojanized by suspected state-sponsored threat actors. 3CX is Voice over Internet Protocol (VoIP) software used for video conferencing and live chat, offered in Windows, macOS, Linux, Android, and iOS versions. The company has over 600,000 enterprise customers, including high-profile organizations. 3CX CISO Pierre Jourdan advised users to uninstall the app for the time being and use the progressive web app (PWA) version until a clean version is released. Researchers from Trend Micro and CrowdStrike then found that the macOS versions of the app had also been trojanized.
Customers have been advised to uninstall the affected apps until 3CX finishes its investigation. The company has not disclosed when the legitimate apps were replaced with the trojanized ones, but 3CX customers have reported receiving threat alerts from SentinelOne as early as March 22. The trojanized apps contacted various command-and-control servers and downloaded malware capable of stealing system information, data, and stored login credentials from user profiles on Chrome, Edge, Brave, and Firefox browsers. In some cases, hands-on-keyboard activity followed.
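The credential theft described above has a simple detection angle: a softphone process has no reason to open a browser's saved-password store, so file-access telemetry can flag that combination. The following Python rule is an added illustration, not code from the report, from 3CX or from any of the vendors named; the process name 3CXDesktopApp.exe, the `key=value|key=value` event format and the event lines themselves are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Default on-disk credential stores of the browsers the report names.
# A non-default profile directory is matched by [^\\]+ (one path component).
CREDENTIAL_STORES = [re.compile(p, re.IGNORECASE) for p in (
    r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$",
    r"\\Microsoft\\Edge\\User Data\\[^\\]+\\Login Data$",
    r"\\BraveSoftware\\Brave-Browser\\User Data\\[^\\]+\\Login Data$",
    r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$",
)]
# The only processes expected to open those files are the browsers themselves.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

def parse_event(line):
    """Parse one constructed 'key=value|key=value' file-access event into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def credential_store_access(event):
    """Return (process image, target file) when a non-browser process opened a
    browser credential store; None for benign events."""
    image = PureWindowsPath(event["Image"]).name
    if image.lower() in BROWSER_IMAGES:
        return None
    target = event["TargetFilename"]
    if any(rx.search(target) for rx in CREDENTIAL_STORES):
        return image, target
    return None

def find_suspicious(lines):
    """Run the check over raw event lines and return the hits in order."""
    hits = [credential_store_access(parse_event(line)) for line in lines]
    return [h for h in hits if h is not None]

# Constructed sample events: Chrome reading its own store is benign; the
# softphone process (assumed name 3CXDesktopApp.exe) reading Chrome's and
# Firefox's stores is the behaviour the report attributes to the payload.
APP = "C:\\Users\\alice\\AppData\\Local\\Programs\\3CXDesktopApp\\app\\3CXDesktopApp.exe"
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|TargetFilename="
    "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    f"Image={APP}|TargetFilename="
    "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    f"Image={APP}|TargetFilename="
    "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2z3.default-release\\logins.json",
    f"Image={APP}|TargetFilename="
    "C:\\Users\\alice\\AppData\\Local\\Programs\\3CXDesktopApp\\app\\config.json",
]

if __name__ == "__main__":
    for image, target in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {image} opened {target}")
```

The rule is deliberately process-agnostic: any non-browser image touching these stores is reported, so it also covers a renamed or re-bundled payload.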
CrowdStrike researchers have suggested that North Korean state-sponsored hackers may be behind the attack, citing similarities with a campaign attributed to a DPRK-nexus threat actor called Labyrinth Chollima. 3CX has yet to reveal how its delivery infrastructure was compromised.
On March 30, 2023, researcher Patrick Wardle confirmed that the 3CX app for macOS had also been trojanized by the attackers. Even so, 3CX has been downplaying the intrusion for over a week. Customers who may have been affected are advised to use the PWA version of the app until a clean version is available.