Sophos X-Ops is tracking an attack against the 3CX Desktop application, possibly undertaken by a nation-state-related group.
The affected software is 3CX, a legitimate software-based PBX phone system available on Windows, Linux, Android, and iOS. The threat actor abused the application by adding a trojanized installer that communicates with various command-and-control (C2) servers.
A list of IOCs for this attack is published on our GitHub.
Sophos has taken the following actions to protect customers from this attack:
- Blocked the malicious domains
- Published the following detections:
  - Troj/Loader-AF (Trojanized ffmpeg.dll)
  - Troj/Mdrop-JTQ (installers)
  - OSX/Mdrop-JTR (installers)
  - OSX/Loader-AG (Trojanized ffmpeg.dll)
  - Mal/Generic-R / Mal/Generic-S (d3dcompiler with appended shellcode)
- Blocked the list of known C2 domains associated with the threat, and will continue to add to that list
- Flagged the two malicious versions of the ffmpeg.dll bundled in the affected 3CX application as being of low reputation
- For Sophos MDR customers, the MDR Detection Engineering team has a variety of behavioral detections in place that will detect follow-up activity
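The Mal/Generic-R / Mal/Generic-S detection above covers a d3dcompiler DLL with shellcode appended to it. A quick local triage check for that pattern is to compare a PE file's actual length with what its headers declare: data past the last section and past the Authenticode security directory is an overlay, and data that sits inside the security directory but beyond the WIN_CERTIFICATE entries is slack that a legitimate signer would not leave behind. The following is an added illustration written for this page, not Sophos code and not the 3CX IOC set; the PE builder and the "signature" blob are constructed samples, the function names are hypothetical, and a hit is a reason to pull the file's hash against the published IOC list, not a verdict on its own.

```python
import struct

DIR_SECURITY = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: (file offset, size) of the signature blob


def pe_layout(data: bytes) -> dict:
    """Parse just enough of a PE32/PE32+ header to learn where the declared file content ends."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories begin at +96 (PE32, 0x10B) or +112 (PE32+, 0x20B); 8 bytes per entry.
    dd_off = opt + (96 if magic == 0x10B else 112)
    sec_off, sec_size = struct.unpack_from("<II", data, dd_off + DIR_SECURITY * 8)
    sect_hdr = opt + opt_size
    end_of_sections = sect_hdr + nsections * 40
    for i in range(nsections):
        # Section header: Name(8) VirtualSize(4) VirtualAddress(4) SizeOfRawData(4) PointerToRawData(4) ...
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_hdr + i * 40 + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return {"end_of_sections": end_of_sections, "sec_off": sec_off, "sec_size": sec_size}


def check_appended_data(data: bytes) -> dict:
    """Report bytes beyond the declared image (overlay) and unused bytes inside the security directory."""
    lay = pe_layout(data)
    declared_end = lay["end_of_sections"]
    sec_off, sec_size = lay["sec_off"], lay["sec_size"]
    slack = 0
    if sec_size:
        declared_end = max(declared_end, sec_off + sec_size)
        # Walk WIN_CERTIFICATE entries: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[...],
        # each rounded up to 8 bytes. Anything the walk cannot account for is slack; appended payload
        # bytes rarely parse as a sane dwLength, so the walk stops at them (triage heuristic only).
        pos = 0
        while pos + 8 <= sec_size:
            dw_length = struct.unpack_from("<I", data, sec_off + pos)[0]
            if dw_length < 8 or pos + dw_length > sec_size:
                break
            pos += (dw_length + 7) & ~7
        slack = sec_size - pos
    overlay = max(0, len(data) - declared_end)
    return {"overlay_bytes": overlay, "cert_slack_bytes": slack, "suspicious": overlay > 0 or slack > 0}


def fake_certificate(body: bytes) -> bytes:
    """Constructed WIN_CERTIFICATE entry (revision 0x0200, type PKCS#7) around a stand-in body."""
    blob = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    return blob + b"\0" * (-len(blob) % 8)


def build_sample(section: bytes, cert: bytes = b"", appended: bytes = b"") -> bytes:
    """Construct a minimal one-section PE32 file (sample input, not a real d3dcompiler_47.dll).

    `cert` is placed in the security directory with its full length declared there, so passing
    fake_certificate(...) + payload models a payload hidden inside an inflated signature blob;
    `appended` is tacked on after everything the headers describe (a plain overlay).
    """
    align = 0x200
    hdr_size = 0x40 + 4 + 20 + 224 + 40  # DOS header, PE sig, COFF, PE32 optional header, 1 section header
    raw_ptr = (hdr_size + align - 1) // align * align
    raw_size = (len(section) + align - 1) // align * align
    sec_off = raw_ptr + raw_size if cert else 0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94  # magic plus zeroed fields up to the data directories
    dirs = [(0, 0)] * 16
    dirs[DIR_SECURITY] = (sec_off, len(cert))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section), 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sect
    image = headers + b"\0" * (raw_ptr - len(headers)) + section + b"\0" * (raw_size - len(section))
    return image + cert + appended


if __name__ == "__main__":
    code = b"\xc3" * 10
    print("unsigned, clean   :", check_appended_data(build_sample(code)))
    print("signed, clean     :", check_appended_data(build_sample(code, cert=fake_certificate(b"A" * 20))))
    print("signed + hidden   :", check_appended_data(build_sample(code, cert=fake_certificate(b"A" * 20) + b"\x90" * 100)))
    print("plain overlay     :", check_appended_data(build_sample(code, appended=b"\x90" * 64)))
```

Run it against a real DLL with `check_appended_data(open(path, "rb").read())`. A non-zero `cert_slack_bytes` on a file whose signature still validates is the more interesting signal of the two, because a plain overlay would not survive a strict signature check while slack inside the security directory can.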
Determining impact with Sophos XDR
For further insights into the attack, read the article from Sophos X-Ops here.