3CX Supply-chain attack

Security, Jamf Threat Labs

Newly discovered supply-chain attack affecting 3CX softphone app used by millions of users globally. In this blog, the Jamf Threat Labs discusses how the app was compromised, what it does and how to go about detecting it on your network.

On March 29, 2023, Jamf Threat Labs along with various other vendors observed a targeted attack dubbed Smoothoperator against 3CX Desktop App, a softphone application by 3CX and used by millions of users around the world. Nation-state threat actors targeted 3CX in a supply-chain attack that compromised several builds of their application.

On macOS, these builds contained a malicious dylib named libffmpeg. dylib which is dynamically loaded at runtime, performing a number of operations on the victims’ systems. Jamf Threat Labs took immediate action against this threat, blocking the execution of the compromised applications (and connections to known-bad domains associated with the attack) to safeguard our customers.

The 3CX supply-chain attack is a serious threat to macOS security due to how widespread the attack is and its level of sophistication. Given the nature of this supply chain attack, the infected builds were deployed through typical update procedures and leveraged the trust already established by the original, approved application. At the time of our initial analysis, the compromised 3CX Desktop App was signed by 3CX and notarized by Apple with the teamid 33CF4654HL. This allows its execution on the operating system. Apple has since revoked the notarized code.

The malicious dylib libffmpeg.dylib contains various anti-analysis techniques including XORed strings to make static analysis difficult. Some of those XORed strings shown in the indicators of compromise (IoC) section are used to create various files at the path ~/Library/Application Support/3CX Desktop App/. The XORed strings include domain names that are embedded in the malicious dylib as well.

The malware gathers information from the victim's host including OS version and computer name which then gets written to an encrypted file titled .main_storage. Eventually, it connects to the attacker's control and command (C2) systems to request a second-stage payload — named UpdateAgent — located in the same application support directory. For an in-depth technical analysis of the Smoothoperator malware, reference Patrick Wardle's blog.

Jamf protects against known compromised versions of the 3CX application as well as the second-stage component of the attacker malware. Customers can monitor their environment for threat prevention rules detected as C3x, Smoothoperator, or smoothoperator_a.

We’ll update this blog post as we find more details on this emerging threat.

Indicators of Compromise - Known File Paths ~/Library/Application Support/3CX Desktop App/UpdateAgent ~/Library/Application Support/3CX Desktop App/.main_storage ~/Library/Application Support/3CX Desktop App/.session-lock ~/Library/Application Support/3CX Desktop App/config.json

For those wanting to completely block all versions of this application from their environment can use Jamf Protect threat prevention to block the developer ID: TEAMID: 33CF4654HL Known macOS Compromised Versions of 3CX f3487a1324f4c11b35504751a5527bc60eb95382 e8d14c5b3bb4290fb028504efac8cfee0bfd15b5 2abc98e004dc5ebb426a3611d7b4a1c2d1c939bd 5d833bcc679db38a45111269e727ec58b75c8d31 7e75f141ef1a623f9f52999aabc52419f59d0c00 32aa8af32b51cff9d6014eee9da9987ebb464aae libffmpeg.dylib (First-stage) 769383fc65d1386dd141c960c9970114547da0c2 UpdateAgent (Second-stage) 9e9a5f8d86356796162cee881c843cde9eaedfb3

C2 Domains akamaitechcloudservices[.]com/v2/fileapi azuredeploystore[.]com/cloud/images azureonlinestorage[.]com/google/storage glcloudservice[.]com/v1/status msedgepackageinfo[.]com/ms-webview msstorageboxes[.]com/xbox officeaddons[.]com/quality officestoragebox[.]com/api/biosync pbxcloudeservices[.]com/network pbxphonenetwork[.]com/phone pbxsources[.]com/queue sourceslabs[.]com/status visualstudiofactory[.]com/groupcore www.3cx[.]com/blog/event-trainings/ zacharryblogs[.]com/xmlquery sbmsa[.]wiki/blog/_insert

References: First-stage analysis https://objective-see.org/blog/blog_0x73.html Second-stage analysis https://twitter.com/patrickwardle/status/1641721723417657345?s=46&t=9i_mTDPwmhlMXxmMwdFhoQ https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/

Emergent threats are nothing new to Jamf Threat Labs.

This means Jamf Protect customers can rest assured they're endpoints are secured against novel threats and attacks.

Get Protect

Jamf Threat Labs

Jamf

Jamf Threat Labs is a global team of experienced threat researchers, cybersecurity experts and data scientists with skills that span penetration testing, network monitoring, malware research and app risk assessment. Jamf Threat Labs primarily monitors and explores emerging threats affecting Mac and mobile devices. The team’s research is published with the aim of raising awareness of specific threats while also improving awareness and advocacy of security practices to protect the modern workforce.

Previous Blog Post:
Prev
Top security challenges and how to overcome them: Compliance regulations Blog Homepage
Next Blog Post:
Next
What is advanced threat protection?

Related Resources

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

Email Address (Work)

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.

3CX Supply-chain attack

Emergent threats are nothing new to Jamf Threat Labs.

Security 360: Annual Trends Report

What is threat hunting?

MacStealer malware: A growing threat to macOS users