On March 29, 2023, Jamf Threat Labs along with various other vendors observed a targeted attack dubbed Smoothoperator against 3CX Desktop App, a softphone application by 3CX and used by millions of users around the world. Nation-state threat actors targeted 3CX in a supply-chain attack that compromised several builds of their application.
On macOS, these builds contained a malicious dylib named libffmpeg. dylib which is dynamically loaded at runtime, performing a number of operations on the victims’ systems. Jamf Threat Labs took immediate action against this threat, blocking the execution of the compromised applications (and connections to known-bad domains associated with the attack) to safeguard our customers.
The 3CX supply-chain attack is a serious threat to macOS security due to how widespread the attack is and its level of sophistication. Given the nature of this supply chain attack, the infected builds were deployed through typical update procedures and leveraged the trust already established by the original, approved application. At the time of our initial analysis, the compromised 3CX Desktop App was signed by 3CX and notarized by Apple with the teamid 33CF4654HL. This allows its execution on the operating system. Apple has since revoked the notarized code.
The malicious dylib libffmpeg.dylib contains various anti-analysis techniques including XORed strings to make static analysis difficult. Some of those XORed strings shown in the indicators of compromise (IoC) section are used to create various files at the path ~/Library/Application Support/3CX Desktop App/. The XORed strings include domain names that are embedded in the malicious dylib as well.
The malware gathers information from the victim's host including OS version and computer name which then gets written to an encrypted file titled .main_storage. Eventually, it connects to the attacker's control and command (C2) systems to request a second-stage payload — named UpdateAgent — located in the same application support directory. For an in-depth technical analysis of the Smoothoperator malware, reference Patrick Wardle's blog.
Jamf protects against known compromised versions of the 3CX application as well as the second-stage component of the attacker malware. Customers can monitor their environment for threat prevention rules detected as C3x, Smoothoperator, or smoothoperator_a.
We’ll update this blog post as we find more details on this emerging threat.
Emergent threats are nothing new to Jamf Threat Labs.
This means Jamf Protect customers can rest assured they're endpoints are secured against novel threats and attacks.
Have market trends, Apple updates and Jamf news delivered directly to your inbox.