Malware Discovered in 3CX DesktopApp
31 March 2023
Security researchers have discovered a trojanised version of the 3CX DesktopApp. The 3CX DesktopApp is private automatic branch exchange (PABX) software that provides several communication functions for its users, including video conferencing, live chat, and call management.
The trojanised version is reportedly capable of harvesting system information and stealing data and stored credentials from Chrome, Edge, Brave, and Firefox user profiles.
The following versions of the 3CX DesktopApp are affected:
Electron Windows App version numbers 18.12.407 and 18.12.416
Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 and 18.12.416
Users and administrators of affected versions are advised to uninstall the software and perform a full antivirus scan of their systems.
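To locate installations that match the affected versions above, a software inventory export can be checked against the list. The following Python code is an added example, not part of the original advisory or of any 3CX tooling; the CSV column names, the platform spellings and the product-name match are assumptions about the inventory format.

```python
import csv
import io

# Affected Electron builds, copied from the advisory's version list.
AFFECTED = {
    "windows": {"18.12.407", "18.12.416"},
    "mac": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}
# Assumed platform spellings in the inventory export.
PLATFORMS = {"windows": "windows", "win": "windows",
             "mac": "mac", "macos": "mac", "darwin": "mac"}

def normalise_version(raw):
    """Return 'major.minor.build', or None if the string is not numeric."""
    parts = raw.strip().lstrip("vV").split(".")[:3]
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return ".".join(str(int(p)) for p in parts)

def sweep(inventory_csv):
    """Return (host, status) for every 3CX row that is affected or needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].lower()
        if "3cx" not in product or "desktop" not in product:
            continue
        platform = PLATFORMS.get(row["platform"].strip().lower())
        version = normalise_version(row["version"])
        if platform is None or version is None:
            # Unknown platform or unparseable version: never report as clean.
            findings.append((row["host"], "REVIEW"))
        elif version in AFFECTED[platform]:
            findings.append((row["host"], "AFFECTED"))
    return findings

# Constructed sample inventory (not real hosts).
SAMPLE = """host,platform,product,version
pc-01,Windows,3CX Desktop App,18.12.416
pc-02,Windows,3CX Desktop App,18.11.1213
mac-01,macOS,3CX Desktop App,18.11.1213
mac-02,macOS,3CX Desktop App,v18.12.402.0
pc-03,Windows,3CX Desktop App,unknown
pc-04,Windows,Other Softphone,18.12.416
"""

if __name__ == "__main__":
    for host, status in sweep(SAMPLE):
        print(f"{host}\t{status}")
```

Rows marked REVIEW have a version or platform the script could not interpret and should be checked by hand rather than treated as unaffected.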
For updates on the situation and workarounds, refer to the official 3CX post linked below.
A list of known Indicators of Compromise (IOCs) related to this malware has been published by Sophos; see the Sophos article linked below.
Network administrators are advised to scan their networks for the presence of these IOCs and configure their firewall rules to block connections to domains associated with this malware.
If your organisation has been affected by this incident, please consider reporting it to SingCERT at https://www.csa.gov.sg/singcert/reporting.
More information is available here:
https://www.3cx.com/blog/news/desktopapp-security-alert/
https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/
https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/