Sophos X-Ops is tracking an attack against the 3CX Desktop application, possibly undertaken by a nation-state-related group.
The affected software is 3CX – a legitimate software-based PBX phone system available on Windows, Linux, Android, and iOS. The application has been abused by the threat actor to add an installer that communicates with various command-and-control (C2) servers.
A list of IOCs for this attack is published on our GitHub.
Sophos protection
Sophos has taken the following actions to protect customers from this attack:
- Blocked the malicious domains
- Published the following detections:Static detections:
- Troj/Loader-AF (Trojanized ffmpeg.dll)
- Troj/Mdrop-JTQ (installers)
- OSX/Mdrop-JTR (installers)
- OSX/Loader-AG (Trojanized ffmpeg.dll)
Reputation detection:
- Mal/Generic-R / Mal/Generic-S (d3dcompiler with appended shellcode)
Memory detection:
- Mem/Loader-AH
- Blocked the list of known C2 domains associated with the threat, and will continue to add to that list
- Flagged the two malicious versions of the ffmpeg.dll bundled in the affected 3CXapplication as being of low reputation
- For Sophos MDR customers, the MDR Detection Engineering team has a variety of behavioral detections in place that will detect follow up activity
Determining impact with Sophos XDR
Sophos XDR enables organizations to determine whether hosts have communicated with threat actor infrastructure. We have created a custom query that is available here.
More information
For further insights into the attack, read the article from Sophos X-Ops here.
We also recommend that users of 3CX’s software monitor the company’s blog and support forum.