Threat Advisory: 3CX Softphone Telephony Campaign
The Todyl Team | 2023-03-29 | 5 min read

This is a developing story that teams across Todyl are continuing to track, and updates will be provided as necessary. For the latest information, scroll to the bottom of this post.

Todyl is actively tracking a malicious actor campaign targeting users of the 3CX softphone telephony platform. Both preventions and detections across multiple Todyl modules have been released, in addition to active threat hunting from the MXDR Team. 

As of 10:43AM MT, VirusTotal is reporting that no vendors are actively detecting this threat. The actions listed below significantly reduce the risk of infection for tenants using Todyl’s Endpoint Security (powered by Elastic Security), SIEM, and SASE modules.

The campaign is currently attributed to the threat actor LABYRINTH CHOLLIMA, which is associated with the Democratic People’s Republic of Korea. Todyl’s ATI (Adversary Threat Intelligence) team is continuing to monitor developments and is coordinating with both the MXDR and Detection Engineering teams.

As of 10:35AM MT, the Detection Engineering team had performed the following actions to prevent and detect campaign-associated activity:

  • All known malicious hashes are proactively blocked via Todyl’s Endpoint Security module
  • All known network indicators are blocked via the SASE module
  • Detections are being added to the SIEM module
  • The ATI team is continuing to monitor the situation for changes and coordinating with Detection Engineering to release additional preventions and detections
  • MXDR is actively hunting for signs of compromise and will directly contact impacted partners

Digging deeper into the activity, the threat actor distributed a malicious binary that beacons to C2 infrastructure and downloads a second-stage malware payload. The binary is signed with 3CX’s own code-signing certificate, so a valid signature check does not distinguish it from a legitimate 3CX release; this complicates prevention using traditional, signature- or reputation-based security controls.

Todyl’s ATI and MXDR teams will continue to update via blog and MXDR communication channels as more information becomes available.  

Figure 1: Screenshot from VirusTotal highlighting there are no current detections 

Update 1 (11:18AM MT): Vulnerable Versions

Currently known vulnerable versions of the 3CX softphone telephony platform, identified by installer filename, include:

Windows:

  • 3cxdesktopapp-18.12.407.msi
  • 3cxdesktopapp-18.12.416.msi

Mac:

  • 3CXDesktopApp-18.11.1213.dmg
  • 3cxdesktopapp-latest.dmg

Update 2 (2:12PM MT): Known Timeline

On March 22nd at 3:25AM MT, Todyl’s Endpoint Security module’s memory threat prevention blocked the Update[.]exe binary by hash. From there, we saw numerous additional alerts for hashes in both the update process and the app process (3CXDesktopApp[.]exe), all indicating shellcode injection into the app process. The parent process hashes (SHA-256) include:

  • 72349cf4971607c1bc66314069f0c864e8aa4336a663f2afbc2cb7e852465430
  • 5d99efa36f34aa6b43cd81e77544961c5c8d692c96059fef92c2df2624550734

The child hash is: 

  • fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405
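The blocking and hunting actions listed earlier in this advisory, together with the installer names from Update 1 and the hashes from Update 2, translate directly into a small host-side hunt. The following is an added example written for this page, not Todyl's tooling or 3CX code: it matches process-creation events against the indicators published above and can hash local files for the same comparison. The event field names (host, process, sha256, parent_process, parent_sha256, cmdline) and the sample events are assumptions, not the schema or output of any particular EDR product, and the "benign" hashes in the samples are placeholders, not real file hashes.

```python
"""Hunt process-creation events for the 3CX campaign indicators in this advisory.

Added example, not Todyl's or 3CX's code. Indicator values are the ones listed
in the advisory; the event schema and sample events below are constructed.
"""
from __future__ import annotations

import hashlib
import json

# SHA-256 parent/child hashes from the Update 2 timeline.
PARENT_HASHES = {
    "72349cf4971607c1bc66314069f0c864e8aa4336a663f2afbc2cb7e852465430",
    "5d99efa36f34aa6b43cd81e77544961c5c8d692c96059fef92c2df2624550734",
}
CHILD_HASHES = {
    "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405",
}
KNOWN_HASHES = PARENT_HASHES | CHILD_HASHES

# Affected installer filenames from Update 1 (lower-cased for matching).
AFFECTED_INSTALLERS = sorted({
    "3cxdesktopapp-18.12.407.msi",
    "3cxdesktopapp-18.12.416.msi",
    "3cxdesktopapp-18.11.1213.dmg",
    "3cxdesktopapp-latest.dmg",
})


def classify_event(evt: dict) -> list[str]:
    """Return a list of indicator matches for one process-creation event.

    Assumed event fields: process, sha256, parent_process, parent_sha256, cmdline.
    """
    hits: list[str] = []
    sha = evt.get("sha256", "").lower()
    psha = evt.get("parent_sha256", "").lower()
    cmd = evt.get("cmdline", "").lower()

    if sha in KNOWN_HASHES:
        hits.append(f"known-malicious process hash {sha[:12]}...")
    if psha in KNOWN_HASHES:
        hits.append(f"known-malicious parent hash {psha[:12]}...")
    # The advisory timeline: a parent with one of the listed hashes spawning
    # the app process with the listed child hash.
    if psha in PARENT_HASHES and sha in CHILD_HASHES:
        hits.append("parent/child hash pair from the advisory timeline")
    # Any command line that references an affected installer filename.
    for installer in AFFECTED_INSTALLERS:
        if installer in cmd:
            hits.append(f"affected installer {installer}")
    return hits


def hunt(events: list[dict]) -> list[dict]:
    """Run classify_event over many events and keep only those with matches."""
    findings = []
    for evt in events:
        hits = classify_event(evt)
        if hits:
            findings.append({"host": evt.get("host"), "process": evt.get("process"), "hits": hits})
    return findings


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hash a local file (e.g. an installed 3CX binary) for comparison with KNOWN_HASHES."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample events. "ab"*32 / "cd"*32 / "ef"*32 are placeholder hashes.
SAMPLE_EVENTS = [
    {"host": "WS01", "process": r"C:\Windows\System32\msiexec.exe", "sha256": "ab" * 32,
     "parent_process": r"C:\Windows\explorer.exe", "parent_sha256": "cd" * 32,
     "cmdline": r"msiexec.exe /i C:\Users\a\Downloads\3cxdesktopapp-18.12.416.msi /qn"},
    {"host": "WS01", "process": r"C:\Program Files\3CX\3CXDesktopApp.exe",
     "sha256": "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405",
     "parent_process": r"C:\Program Files\3CX\Update.exe",
     "parent_sha256": "72349cf4971607c1bc66314069f0c864e8aa4336a663f2afbc2cb7e852465430",
     "cmdline": "3CXDesktopApp.exe"},
    {"host": "WS02", "process": r"C:\Program Files\Google\Chrome\chrome.exe", "sha256": "ef" * 32,
     "parent_process": r"C:\Windows\explorer.exe", "parent_sha256": "cd" * 32,
     "cmdline": "chrome.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Hash matching catches the specific trojanized builds; the parent/child rule and the installer-name rule give a second signal when a new build appears with a hash not yet on the list, which is the situation the advisory describes at publication time (no VirusTotal detections).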