A new supply chain attack, possibly by a nation-state threat actor, is targeting the 3CX desktop application.

Mat Gangwer, vice-president of managed threat response at Sophos, explains that 3CX is a legitimate business phone system that is widely used worldwide.

“The attackers have managed to manipulate the application to add an installer which uses DLL sideloading to ultimately retrieve a malicious, encoded payload,” he says.

The software is a digitally-signed version of the softphone desktop client for Windows and is packaged with a malicious payload, which is most commonly used to spawn an interactive command shell.
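The sideloading pattern described above leaves a footprint a defender can look for: a validly signed main executable sitting next to DLLs that are unsigned, have a broken signature, or carry a different publisher. The PowerShell audit below is an added example, not code from the article, Sophos or 3CX; the install folder and main executable name are passed in as parameters because the article gives neither.

```powershell
# Added example, not from the article, Sophos or 3CX. Audits an application
# folder for DLLs whose Authenticode signature is missing, invalid, or issued
# to a different publisher than the application's main executable. Hits are
# leads for triage, not verdicts: legitimate runtime DLLs from other vendors
# will also be listed, and a DLL the attacker got signed with the vendor's own
# certificate will pass this check, which is why a SHA256 is emitted for
# comparison against a known-good copy from the vendor.
param(
    [Parameter(Mandatory = $true)][string]$AppDir,   # install folder to audit (assumed input)
    [Parameter(Mandatory = $true)][string]$MainExe   # main executable file name (assumed input)
)

$mainPath = Join-Path $AppDir $MainExe
$mainSig  = Get-AuthenticodeSignature -FilePath $mainPath
if ($mainSig.Status -ne 'Valid') {
    Write-Warning "Main executable signature is $($mainSig.Status): $mainPath"
}
# Subject of the certificate that signed the main binary; DLLs are compared to it.
$mainSigner = if ($mainSig.SignerCertificate) { $mainSig.SignerCertificate.Subject } else { '(none)' }

Get-ChildItem -Path $AppDir -Filter *.dll -Recurse -File | ForEach-Object {
    $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    $reason = $null
    if ($sig.Status -ne 'Valid')     { $reason = "signature $($sig.Status)" }
    elseif ($signer -ne $mainSigner) { $reason = "signer differs from $MainExe" }
    if ($reason) {
        [pscustomobject]@{
            File     = $_.FullName
            Signer   = $signer
            Reason   = $reason
            SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Modified = $_.LastWriteTimeUtc
        }
    }
} | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Run it as a script with `-AppDir` and `-MainExe` pointing at the application to audit; the most recently modified suspicious DLLs are listed first, since a freshly dropped file is usually the newest in the folder.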

So far, the only platform affected appears to be Windows.

In an update, 3CX recommends that users uninstall the desktop app and use the Progressive Web App (PWA) client instead. It is also working on an update to the desktop app.

The GitHub page used for staging the attack has been taken down.