Caution When Using 3CX DesktopApp (CVE-2023-29059)

Overview

Details of a software supply chain attack carried out through the 3CX DesktopApp have been published. [1] The application provides communication functions such as voice calls and video conferencing and runs on both Windows and macOS. 3CX is currently preparing a rebuilt release signed with a new certificate and, until it is available, instructs users to switch to an alternative client (see Solution below).

Description

The trojanized builds were distributed as ordinary installation packages (MSI for Windows, DMG for macOS) and contain modules that perform malicious functions. On Windows, 3CXDesktopApp.exe loads a malicious ffmpeg.dll, which in turn reads d3dcompiler_47.dll and executes the payload carried inside it directly in memory, without writing it to disk. That in-memory payload is a downloader which ultimately downloads and executes an infostealer. Because the trojanized build is signed with 3CX's own code-signing certificate, signature checks on the executable and DLLs do not reveal the compromise; the version numbers, file hashes and C2 domains listed below are the practical indicators to check.

Affected Products

Electron Windows application (shipped in Update 7):

  • 18.12.407
  • 18.12.416

Electron macOS application:

  • 18.11.1213
  • 18.12.402
  • 18.12.407
  • 18.12.416

Solution

[1] Uninstall 3CX DesktopApp

  • Guide for Windows: Windows Key > Type “Control Panel” > Programs and Features > Right click “3CX Desktop App” > Uninstall
  • Guide for macOS: remove the “3CX Desktop App” bundle from the Applications folder

[2] 3CX recommends using the PWA (Progressive Web App) client instead until the rebuilt, re-signed DesktopApp is released


Detection Information 

[File Detection]

  • Dropper/MSI.Agent
  • Trojan/Win.Loader.C5403102
  • Trojan/Win.Agent.C5403110
  • Trojan/Win.Loader.C5403103
  • Infostealer/Win.Agent.C5403954
  • Trojan/BIN.Agent
  • Data/BIN.Encoded
  • Trojan/OSX.Agent
  • Trojan/OSX.Loader

[Behavior Detection]

  • Connection/MDP.Event.M4581
  • Connection/MDP.Event.M11026
  • Exploit/MDP.Event.M11027

[References]

1) Manufacturer’s notice: https://www.3cx.com/blog/news/desktopapp-security-alert/
2) CVE-2023-29059: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059
3) CWE-506: https://cwe.mitre.org/data/definitions/506.html

SHA-256

11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03
210c9882eba94198274ebc787fe8c88311af24932832a7fe1f1ca0261f815c3d
2487b4e3c950d56fb15316245b3c51fbd70717838f6f82f32db2efcc4d9da6de
268d4e399dbbb42ee1cd64d0da72c57214ac987efbb509c46cc57ea6b214beca
2c9957ea04d033d68b769f333a48e228c32bcf26bd98e51310efd48e80c1789f

FQDN

akamaicontainer[.]com
akamaitechcloudservices[.]com
azuredeploystore[.]com
azureonlinecloud[.]com
azureonlinestorage[.]com
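The checks implied by the Description, Solution and IOC sections above, as a triage script added here (it is not AhnLab's or 3CX's code): it flags the affected build numbers, sweeps an install directory for the listed SHA-256 hashes, and searches DNS or proxy log lines for the listed C2 domains, including their subdomains. The sample log lines are constructed; the SCAN_DIR environment variable and the Windows install path mentioned in the final comment are assumptions of this example, not something the advisory states.

```python
"""Triage for the trojanized 3CX DesktopApp build (CVE-2023-29059).
Added example, not code from AhnLab or 3CX. Versions, SHA-256 hashes and C2
domains are those in the advisory above; the DNS log lines at the bottom are
constructed sample input so the script runs offline."""
import hashlib
import os
import re

# Affected Electron builds from the advisory; matched as exact version strings.
AFFECTED_VERSIONS = {
    "windows": {"18.12.407", "18.12.416"},
    "macos": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}

# SHA-256 file hashes from the advisory.
IOC_SHA256 = {
    "11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03",
    "210c9882eba94198274ebc787fe8c88311af24932832a7fe1f1ca0261f815c3d",
    "2487b4e3c950d56fb15316245b3c51fbd70717838f6f82f32db2efcc4d9da6de",
    "268d4e399dbbb42ee1cd64d0da72c57214ac987efbb509c46cc57ea6b214beca",
    "2c9957ea04d033d68b769f333a48e228c32bcf26bd98e51310efd48e80c1789f",
}

# C2 domains from the advisory, in the defanged form they are published in.
IOC_FQDNS_DEFANGED = [
    "akamaicontainer[.]com",
    "akamaitechcloudservices[.]com",
    "azuredeploystore[.]com",
    "azureonlinecloud[.]com",
    "azureonlinestorage[.]com",
]

def refang(name):
    """Turn a defanged indicator such as 'example[.]com' back into a hostname."""
    return name.replace("[.]", ".").strip().rstrip(".").lower()

IOC_FQDNS = {refang(d) for d in IOC_FQDNS_DEFANGED}

def is_affected_version(platform, version):
    """True if this exact build number is one the advisory lists as trojanized."""
    return version.strip() in AFFECTED_VERSIONS.get(platform.lower(), set())

def domain_is_ioc(name):
    """Match a C2 domain or any subdomain of it, on label boundaries, so that an
    unrelated name such as notakamaicontainer.com is not flagged."""
    host = refang(name)
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_FQDNS)

# Tokens that look like DNS names; sufficient for resolver and proxy log lines.
_HOST_RE = re.compile(r"[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")

def scan_log(lines):
    """Return (line_number, host) for every log line that names a C2 domain."""
    hits = []
    for number, line in enumerate(lines, 1):
        for host in _HOST_RE.findall(line):
            if domain_is_ioc(host):
                hits.append((number, host.lower()))
                break  # one hit is enough to flag the line
    return hits

def sha256_file(path):
    """Hex SHA-256 of a file, hashed in chunks so large bundles are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_directory(root):
    """Walk an install directory; return (path, sha256) for files matching an IOC hash."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                digest = sha256_file(path)
            except OSError:  # unreadable or vanished file: skip it, keep sweeping
                continue
            if digest in IOC_SHA256:
                hits.append((path, digest))
    return hits

# Constructed sample resolver log (not real traffic); only line 2 touches a C2.
SAMPLE_DNS_LOG = [
    "2023-03-30T10:14:02Z client=10.0.0.21 query=update.3cx.com type=A",
    "2023-03-30T10:14:05Z client=10.0.0.21 query=cdn.azureonlinestorage.com type=A",
    "2023-03-30T10:14:07Z client=10.0.0.22 query=login.microsoftonline.com type=A",
]

if __name__ == "__main__":
    print("affected build:", is_affected_version("windows", "18.12.416"))
    print("C2 lookups:", scan_log(SAMPLE_DNS_LOG))
    # SCAN_DIR is an assumed env var; point it at the real install directory,
    # e.g. %LOCALAPPDATA%\Programs\3CXDesktopApp on Windows (assumed default path).
    print("IOC hashes on disk:", scan_directory(os.environ.get("SCAN_DIR", ".")))
```

A version match alone is enough to act on (uninstall and move users to the PWA client), while a hash or domain match confirms that the trojanized build was present or actively talking to its infrastructure and should trigger incident response on that host. The hash set here contains only the five values printed on this page, so a clean sweep does not rule out other samples from the same campaign.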
