QID 378327
Date Published: 2023-03-30
QID 378327: 3CX Desktop Client Supply Chain Vulnerability
3CX Desktop Client 18.x for Windows and macOS is affected by a supply chain attack: the installer downloaded from the vendor's website, and the update delivered to older versions of the client, are trojanized. On Windows, the affected build extracts ffmpeg.dll and d3dcompiler_47.dll during installation or update.
These DLLs execute the next stage of the attack. They download icon files hosted in a GitHub repository, each of which carries a Base64-encoded string appended to the end of the image. The malware decodes these strings and uses them to download a final payload to the compromised device. That payload is capable of stealing system information and credentials stored in web browsers.
Note: The GitHub repository hosting the malicious icon files has been taken down. The vendor is working on a new version of the application.
Affected Versions:
3CX Desktop Client for Windows version 18.12.407
3CX Desktop Client for Windows version 18.12.416
3CX Desktop Client for MacOS version 18.11.1213
3CX Desktop Client for MacOS version 18.12.402
3CX Desktop Client for MacOS version 18.12.407
3CX Desktop Client for MacOS version 18.12.416
QID Detection Logic for Windows (Authenticated):
This QID checks for vulnerable versions of 3CX Desktop Client by reading the file version of 3CXDesktopApp.exe. Note that this QID only checks the default installation location, '%SYSTEMDRIVE%\Users\Administrator\AppData\Local\Programs\3CXDesktopApp', so a copy of the client installed under any other user profile is not detected by this check.
QID Detection Logic for MacOS (Authenticated):
This QID checks for vulnerable versions of 3CX Desktop Client by checking the installed applications.
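The detection logic above only inspects the Administrator profile on Windows and the installed-apps list on macOS. As an added example (not Qualys detection code and not 3CX's software), the following Python script reads the file version of 3CXDesktopApp.exe by locating the VS_FIXEDFILEINFO structure in the PE image, reads CFBundleShortVersionString from the macOS bundle's Info.plist, and matches both against the affected version list from this advisory, walking every profile under C:\Users rather than only Administrator. Assumptions that are not stated on this page: the per-user install path %LOCALAPPDATA%\Programs\3CXDesktopApp\3CXDesktopApp.exe, the bundle path /Applications/3CX Desktop App.app, and matching on the first three version components so that a four-part Windows file version still matches. The sample PE bytes and plist are constructed for the demonstration.

```python
"""Hunt for affected 3CX Desktop Client builds on Windows and macOS hosts.

Added example, not Qualys or 3CX code. Assumed (not from the advisory):
per-user Windows install path %LOCALAPPDATA%\\Programs\\3CXDesktopApp under
every profile in C:\\Users, and the macOS bundle /Applications/3CX Desktop App.app.
"""
import plistlib
import struct
from pathlib import Path
from typing import List, Optional, Tuple

# Affected versions as listed in the advisory.
AFFECTED = {
    "windows": {"18.12.407", "18.12.416"},
    "macos": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}

VS_FIXEDFILEINFO_SIG = b"\xbd\x04\xef\xfe"  # dwSignature 0xFEEF04BD, little-endian


def pe_file_version(data: bytes) -> Optional[str]:
    """Return 'a.b.c.d' from the first VS_FIXEDFILEINFO in a PE image, or None.

    Scanning for the structure signature is a heuristic that avoids walking the
    resource directory; dwFileVersionMS/LS sit 8 bytes past the signature,
    after dwStrucVersion.
    """
    idx = data.find(VS_FIXEDFILEINFO_SIG)
    if idx < 0 or idx + 16 > len(data):
        return None
    ms, ls = struct.unpack_from("<II", data, idx + 8)
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"


def macos_bundle_version(info_plist: bytes) -> Optional[str]:
    """Return CFBundleShortVersionString from an Info.plist (XML or binary)."""
    try:
        return plistlib.loads(info_plist).get("CFBundleShortVersionString")
    except Exception:  # malformed or non-plist bytes
        return None


def is_affected(platform: str, version: Optional[str]) -> bool:
    """Compare major.minor.build only, so '18.12.416.0' still matches '18.12.416'."""
    if not version:
        return False
    triple = ".".join(version.split(".")[:3])
    return triple in AFFECTED[platform]


def scan_windows(users_dir: Path = Path(r"C:\Users")) -> List[Tuple[Path, Optional[str], bool]]:
    """Check every profile, not only Administrator: the client installs per user."""
    if not users_dir.is_dir():
        return []
    hits = []
    for profile in users_dir.iterdir():
        exe = profile / "AppData" / "Local" / "Programs" / "3CXDesktopApp" / "3CXDesktopApp.exe"
        if exe.is_file():
            ver = pe_file_version(exe.read_bytes())
            hits.append((exe, ver, is_affected("windows", ver)))
    return hits


def scan_macos(app: Path = Path("/Applications/3CX Desktop App.app")) -> Optional[Tuple[Path, Optional[str], bool]]:
    plist = app / "Contents" / "Info.plist"
    if not plist.is_file():
        return None
    ver = macos_bundle_version(plist.read_bytes())
    return (plist, ver, is_affected("macos", ver))


# Constructed sample data (not real 3CX binaries): a fake VS_FIXEDFILEINFO carrying
# file version 18.12.416.0 after some header bytes, and a minimal Info.plist for an
# affected macOS build.
SAMPLE_PE = (
    b"MZ\x90\x00" + b"\x00" * 20
    + VS_FIXEDFILEINFO_SIG
    + struct.pack("<III", 0x00010000, (18 << 16) | 12, (416 << 16) | 0)
    + b"\x00" * 32
)
SAMPLE_PLIST = plistlib.dumps({
    "CFBundleName": "3CX Desktop App",
    "CFBundleShortVersionString": "18.12.402",
})

if __name__ == "__main__":
    win_ver = pe_file_version(SAMPLE_PE)
    mac_ver = macos_bundle_version(SAMPLE_PLIST)
    print("sample windows:", win_ver, "affected" if is_affected("windows", win_ver) else "clean")
    print("sample macos:", mac_ver, "affected" if is_affected("macos", mac_ver) else "clean")
    for exe, ver, bad in scan_windows():
        print(exe, ver, "AFFECTED" if bad else "ok")
    mac = scan_macos()
    if mac:
        print(*mac)
```

The signature scan returns the first VS_FIXEDFILEINFO it finds, which is the executable's own version block in a normally built PE; treat a hit as a lead to confirm with the file's Details tab or a proper resource parser, not as proof on its own.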
Successful exploitation may result in complete system compromise, including theft of system information and of credentials stored in web browsers.
- 3CX Security Advisory -
www.3cx.com/blog/news/desktopapp-security-alert/
CVEs related to QID 378327
| Advisory ID | Software | Component | Link |
|---|---|---|---|