
Qualys Blog, Akshat Pradhan (QUALYSBLOG:A68A10EB0081B025E1FF7499531F26B8)
Apr 04, 2023 - 12:16 a.m.

3CXDesktopApp Backdoored in a Suspected Lazarus Campaign

Akshat Pradhan
3cx voip
north korean
supply chain attack
info stealer

The attack involved a compromised version of the 3CX VoIP desktop client, which was used to target 3CX's customers. 3CXDesktopApp is private automatic branch exchange (PABX) software and is available for Windows, macOS, Linux, Android, iOS and Chrome. Currently, there are reports of attacks for both Windows and macOS.

The Qualys Threat Research Unit (TRU) is tracking a supply chain compromise in a popular VoIP desktop client by 3CX that is attributed to DPRK nation-state adversaries. The attack was reported in late March 2023 and the investigation is ongoing.

Executive Summary

  • The North Korean state-sponsored group Labyrinth Chollima has been identified as the perpetrator behind the supply chain compromise of the 3CXDesktopApp beta 18.12.407 and final 18.12.416 applications. The affected applications are signed and have valid signatures.
  • The adversary infrastructure on GitHub used for staging the attack has now been taken down. This means that newer infections will not occur. However, the attack's potential impact was significant, as the software is widely used by businesses around the world.
  • To mitigate the risk, affected users are recommended to immediately uninstall the application and perform a full system scan to detect and remove any associated malware.
  • This threat is tracked by MITRE as CVE-2023-29059.

Fig.1 Campaign flow

Technical Summary

Once the affected version of 3CX is installed or updated, it drops a compromised ffmpeg.dll together with a d3dcompiler_47.dll that contains embedded shellcode. When 3CXDesktopApp starts, it sideloads the compromised ffmpeg.dll, which in turn decodes the embedded shellcode from d3dcompiler_47.dll and loads it. The shellcode reaches out to a GitHub repository and downloads icon files that contain encrypted C2 strings; the shellcode decrypts these and communicates with the resulting C2s. The adversary has also deployed a previously unseen info stealer in the later stages of the attack, which is analysed in the sections below. This info stealer gathers system information and browser data from Chrome, Edge, Brave, and Firefox, and was likely meant to identify interesting targets for the operators.

Existing Qualys customers can follow the steps in the Detection and Protection sections to identify potential impact. We also recommend that customers implement robust security measures, such as regular vulnerability assessments, patch management and regular auditing of vendors.

Overall, this supply chain attack highlights the importance of ensuring the security and integrity of the supply chain, as well as the need for businesses to remain vigilant and proactive in their security measures.

| Operating System | SHA256 | Filename |
| --- | --- | --- |
| Windows | aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 | 3cxdesktopapp-18.12.407.msi |
| Windows | 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983 | 3cxdesktopapp-18.12.416.msi |
| macOS | 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290 | 3CXDesktopApp-18.11.1213.dmg |
| macOS | e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec | 3cxdesktopapp-latest.dmg |

Table.1 Details of the affected applications

Technical Analysis of Infection Stages

First Stage Analysis

The original MSI file that initiated the infection drops three files: “3CXDesktopApp.exe”, “ffmpeg.dll”, and “d3dcompiler_47.dll”. 3CXDesktopApp.exe is the legitimate VoIP desktop application and is abused for sideloading “ffmpeg.dll”.

| File Type | File Name | MD5 | SHA256 |
| --- | --- | --- | --- |
| DLL PE 64bits | ffmpeg.dll | 27B134AF30F4A86F177DB2F2555FE01D | C485674EE63EC8D4E8FDE9800788175A8B02D3F9416D0E763360FFF7F8EB4E02 |
| DLL PE 64bits | d3dcompiler_47.dll | 82187AD3F0C6C225E2FBA0C867280CC9 | 11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03 |

Table.2 Initial dropped samples

Once “ffmpeg.dll” is loaded, it tries to enumerate the current directory for the second DLL “d3dcompiler_47.dll”. Once found, the “ffmpeg.dll” loads the second DLL into memory.

Fig.2 ffmpeg enumerating current directory

The “d3dcompiler_47.dll” DLL has an encrypted payload embedded in it. ffmpeg.dll tries to identify this payload using the signature “0xCEFAEDFE”.

Fig.3 Embedded encrypted payload

After identifying the encrypted payload, “ffmpeg.dll” decrypts it with RC4 using the key “3jB(2bsG#@c7”.

Fig.4 RC4 decryption

The decrypted payload is shown below. A call to VirtualProtect() is also made to set PAGE_EXECUTE_READWRITE permissions on the payload so that it can be executed.

Fig.5 Decrypted payload

The decrypted payload that is going to be executed contains another embedded DLL as shown below. The DLL is dumped from memory to perform more investigations on it.

Fig.6 Dll loading by encrypted payload
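The first-stage unpacking described above (marker search, RC4 decryption, embedded DLL) can be reproduced by an analyst on a dumped copy of d3dcompiler_47.dll. The following Python helper is an added example and is not code from the post or from Qualys. The marker value 0xCEFAEDFE and the RC4 key are taken from the post; the assumptions that the marker is stored as a little-endian DWORD (the byte sequence FE ED FA CE), that the ciphertext starts right after it and runs to the end of the file, and the constructed sample that stands in for the real DLL, are mine.

```python
import struct

# Values stated in the post: the payload marker 0xCEFAEDFE and the RC4 key.
# Assumption (mine, not stated in the post): the marker is stored as a
# little-endian 32-bit value, i.e. the byte sequence FE ED FA CE, and the RC4
# ciphertext runs from just after the marker to the end of the file.
PAYLOAD_MARKER = struct.pack("<I", 0xCEFAEDFE)
RC4_KEY = b"3jB(2bsG#@c7"


def rc4(key, data):
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def find_marker(blob):
    """Offset of the marker, or -1 when absent (what a clean d3dcompiler_47.dll looks like)."""
    return blob.find(PAYLOAD_MARKER)


def extract_payload(blob):
    """Locate the marker and RC4-decrypt everything after it; None if there is no marker."""
    off = find_marker(blob)
    if off < 0:
        return None
    return rc4(RC4_KEY, blob[off + len(PAYLOAD_MARKER):])


def find_embedded_pe(data):
    """Offset of the first 'MZ' whose e_lfanew field points at a 'PE\\0\\0' signature, or -1.
    The post notes that the decrypted stage carries an embedded DLL; this locates it for dumping."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if data[sig:sig + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


# ---- constructed sample (stands in for the real DLL; not campaign data) ----
SAMPLE_PREFIX = bytes(64) + b"unrelated DLL bytes before the marker"
STUB = b"SHELLCODE-STUB!!"                 # 16 placeholder bytes, not real shellcode
FAKE_PE = (b"MZ" + bytes(0x3A)              # DOS header up to the e_lfanew field at 0x3C
           + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
           + b"PE\x00\x00" + bytes(16))     # NT signature plus some padding


def build_sample():
    """Return (blob, plaintext): a fake d3dcompiler_47.dll image and the stage it hides."""
    plaintext = STUB + FAKE_PE
    blob = SAMPLE_PREFIX + PAYLOAD_MARKER + rc4(RC4_KEY, plaintext)
    return blob, plaintext


if __name__ == "__main__":
    blob, expected = build_sample()
    stage = extract_payload(blob)
    print("marker at", find_marker(blob), "| decrypted OK:", stage == expected,
          "| embedded PE at", find_embedded_pe(stage))
```

On a real dump, pass the file contents to `extract_payload()` and write the result to disk; `find_embedded_pe()` then gives the offset at which to carve the second-stage DLL for the analysis in the next section.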

Second Stage Analysis

The embedded DLL mainly tries to fetch malicious “ico” files from the GitHub repository “https://raw[.]githubusercontent[.]com/IconStorages/images/main/icon%d[.]ico”. The repository contains multiple icon files that have Base64- and AES-encrypted C2s appended to them. The full list of decoded C2s is given in the IOC section. This repository has already been taken down. Qualys TRU detected an info stealer involved in the infection chain and considers it a later-stage payload.

Fig. 7 GitHub repository
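Because the C2 material is appended after the icon's image data, a defender triaging icon files from the repository can find it without any key: parse the ICO directory, compute where the legitimate image data ends, and inspect whatever follows. The Python below is an added example, not code from the post or from Qualys. The ICO layout it parses is the standard container format; the constructed sample icon and the appended blob are mine. The AES key and mode are not given in the post, so the example stops at the Base64 layer and returns the still-encrypted bytes.

```python
import base64
import binascii
import struct

# ICO container layout (little-endian): a 6-byte header, then one 16-byte
# directory entry per image giving that image's byte size and file offset.
ICO_HEADER = struct.Struct("<HHH")      # reserved (0), resource type (1 = icon), image count
ICO_ENTRY = struct.Struct("<BBBBHHII")  # width, height, colours, reserved, planes, bpp, size, offset


def ico_data_end(data):
    """Last byte offset referenced by the ICO directory, i.e. the end of legitimate image data."""
    if len(data) < ICO_HEADER.size:
        raise ValueError("too short to be an ICO file")
    reserved, res_type, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or res_type != 1:
        raise ValueError("not an ICO header")
    end = ICO_HEADER.size + count * ICO_ENTRY.size
    for n in range(count):
        *_, size, offset = ICO_ENTRY.unpack_from(data, ICO_HEADER.size + n * ICO_ENTRY.size)
        end = max(end, offset + size)
    return end


def trailing_bytes(data):
    """Bytes after the last image: where the campaign's icons carried their appended blob."""
    return data[ico_data_end(data):]


def decode_trailer(trailer):
    """Base64-decode an appended blob; None when it is not valid Base64.
    Per the post the decoded bytes are still AES-encrypted C2 strings, so this
    yields ciphertext for further analysis, not the C2 itself."""
    try:
        return base64.b64decode(trailer.strip(), validate=True)
    except binascii.Error:
        return None


def build_sample_ico(secret=None):
    """Constructed 1x1 icon with 40 placeholder image bytes (not a file from the campaign).
    When `secret` is given it is Base64-encoded and appended, mimicking the described layout."""
    image = bytes(40)
    offset = ICO_HEADER.size + ICO_ENTRY.size
    ico = ICO_HEADER.pack(0, 1, 1) + ICO_ENTRY.pack(1, 1, 0, 0, 1, 32, len(image), offset) + image
    if secret is not None:
        ico += base64.b64encode(secret)
    return ico


if __name__ == "__main__":
    for label, ico in (("clean", build_sample_ico()),
                       ("appended", build_sample_ico(bytes(range(32))))):
        extra = trailing_bytes(ico)
        print(label, "trailing bytes:", len(extra), "decoded:", decode_trailer(extra))
```

Legitimate icons occasionally carry benign slack after the image data, so a non-empty trailer is a triage signal rather than proof; a trailer that decodes cleanly as Base64 into high-entropy bytes is what matches the layout the post describes.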

Info Stealer Analysis

| File Type | MD5 | SHA256 | Signature | Compilation Time |
| --- | --- | --- | --- | --- |
| DLL PE 64bits | 7FAEA2B01796B80D180399040BB69835 | 8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423 | N/A | Fri Mar 17 00:32:58 2023 |

Table.4 Info stealer details

The info stealer was deployed in the later stages of the infection chain and is a previously unseen sample. Its capabilities are mainly gathering system information and browser data from Chrome, Edge, Firefox, and Brave.

Fig.8 Browser DB location

The info stealer uses SQL queries to fetch browser history and data: from Edge, from Chrome's SQLite History database, and from Firefox's “Places” table.

Fig.9 SQL queries for collection

The info stealer also collects information on infected hosts, such as the domain name, hostname and OS version, using the NetWkstaGetInfo() API. The following locations are accessed by the info stealer:

  • Google Chrome - AppData\Local\Google\Chrome\User Data
  • Microsoft Edge - AppData\Local\Microsoft\Edge\User Data
  • Brave Browser - AppData\Local\BraveSoftware\Brave-Browser\User Data
  • Mozilla Firefox - AppData\Roaming\Mozilla\Firefox\Profiles

Fig.10 System data collection -1

Fig.10 System data collection -2

Qualys Detection & Protection

The first step in assessing the risk of this attack to an organization is understanding whether this software is in use. Users of Qualys CyberSecurity Asset Management (CSAM) can quickly identify all installed software across their organization. For example, within seconds, you can use the query below to identify assets with instances of the 3CX Desktop Application.

software:(name:"3CX Desktop App 18.12")

Fig.12 CSAM Software Search

Qualys VMDR also has QID 378327 ready to detect assets which have the vulnerable version of the 3CXDesktopApp.exe file present on their machines. Qualys Vulnerability Management Detection and Response (VMDR) users can scan their environment with this QID to quickly detect impacted systems. Example output:

Fig.13 VMDR QID 378327 details

Alternatively, you can gather data from endpoints to hunt for the impacted software. Two such open-source scripts are available on GitHub. The 3cxIngectionHunter script simply crawls the filesystem looking for instances of the infected ffmpeg.dll file and reports back if there is a match against the malicious hash. The 3CXLocalDNSCacheHunter script collects the local DNS cache and looks for matches against some of the known URLs associated with this campaign. Using Qualys Custom Assessment and Remediation (CAR), you can run these PowerShell community scripts to identify potentially infected assets, either by copying the contents of the script manually or by pointing the tool at the GitHub script directly to download it.

Fig.14 CAR Scripts
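The filesystem hunt described above (crawl for the dropped DLLs and compare their hashes against the known-bad values) is small enough to show in full. The Python below is an added example written for this page; it is not the 3cxIngectionHunter script nor Qualys code, and it is in Python rather than the PowerShell of the community scripts so that it runs anywhere. The SHA256 values come from Table 2 of the post; the temporary directory tree and the stand-in ffmpeg.dll used by `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 values from Table 2 of the post (lower-cased for comparison).
KNOWN_BAD_SHA256 = {
    "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02",  # ffmpeg.dll
    "11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03",  # d3dcompiler_47.dll
}
# Only these file names are hashed; everything else on disk is skipped for speed.
TARGET_NAMES = {"ffmpeg.dll", "d3dcompiler_47.dll"}


def sha256_file(path):
    """Stream the file through SHA-256 so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt(root, bad_hashes=None, names=TARGET_NAMES):
    """Walk `root`; return [(path, sha256)] for target-named files whose hash is known bad."""
    bad = {h.lower() for h in (KNOWN_BAD_SHA256 if bad_hashes is None else bad_hashes)}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in names:
                continue
            path = Path(dirpath) / name
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if digest in bad:
                hits.append((str(path), digest))
    return hits


def demo():
    """Constructed scenario: a temp tree holding a benign stand-in ffmpeg.dll.
    Returns (hits against the post's hashes, hits against the stand-in's own hash)."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = Path(tmp) / "Program Files" / "3CXDesktopApp" / "app"
        app_dir.mkdir(parents=True)
        fake_dll = app_dir / "ffmpeg.dll"
        fake_dll.write_bytes(b"constructed stand-in, not the real library")
        (app_dir / "readme.txt").write_text("not a target name; never hashed")
        own_digest = sha256_file(fake_dll)
        return hunt(tmp), hunt(tmp, {own_digest})


if __name__ == "__main__":
    against_post, against_own = demo()
    print("matches against the post's hashes:", against_post)
    print("matches against the stand-in's own hash:", against_own)
```

Run `hunt(r"C:\")` (or the installation drive) on a suspect host; an empty result means no file named ffmpeg.dll or d3dcompiler_47.dll with a Table 2 hash was found, which is the same outcome the CAR script output in Fig.15 reports for a clean system.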

Users of Custom Assessment and Remediation and Qualys Patch Management can also push scripts to uninstall the impacted software automatically. These scripts will be published to GitHub in the coming days. An example output from a system that does not have a vulnerable version of ffmpeg.dll installed:

Fig.15 CAR script output

CAR can also be leveraged to remediate this vulnerability by executing the uninstallation script provided by Qualys. This script checks for 3CX Desktop App's vulnerable versions 18.12.407.0 and 18.12.416.0 for Windows. If either of these versions is installed on the system, the script attempts to uninstall the vulnerable application.

Fig.16 CAR script for remediation

You can also create dashboards for better visualization.

Fig.17 CAR dashboard for 3CX

Qualys Multi-Vector EDR customers are protected against this threat as both the installer and the beacon are detected and will be remediated. (Note: our instance was set to audit-only mode for analysis.)

Fig.18 EPP Scan Results

Fig.19 EPP Detection for shellcode loader

Multi-Vector EDR customers can also hunt through telemetry, looking for behavior indicators to identify this threat activity. A first step is to look for instances where the 3cxdesktopapp.exe process executed in the environment, using the QQL query "3cxdesktopapp.exe". From there, look for evidence of the ffmpeg.dll file being loaded by that process, which would indicate that the machine may be impacted by this campaign.

Fig.20 EDR Behavioral Detection Telemetry

Fig.21 EDR Shellcode Loader Detection

Fig.22 Loaded malicious ffmpeg.dll telemetry
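The telemetry hunt just described (find 3cxdesktopapp.exe executions, then look for the ffmpeg.dll load, plus the fetch from the staging repository named earlier) can be expressed as a small rule set over event records. The Python below is an added example written for this page, not a Qualys EDR query or Qualys code. The JSON-lines event shape and its field names (`type`, `process`, `image`, `sha256`, `host`, `path`) are hypothetical and mine; the sample events are constructed. The ffmpeg.dll hash is from Table 2 and the repository path is the one the post names.

```python
import json
from pathlib import PureWindowsPath

PROCESS_OF_INTEREST = "3cxdesktopapp.exe"
SIDELOADED_DLL = "ffmpeg.dll"
# SHA256 of the malicious ffmpeg.dll from Table 2 of the post.
KNOWN_BAD_FFMPEG = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
# Staging repository named in the post (defanged there; plain here for matching).
STAGING_HOST = "raw.githubusercontent.com"
STAGING_PATH = "/iconstorages/images/"

# Constructed telemetry in a hypothetical JSON-lines shape; the field names are
# mine and not the Qualys EDR schema. Paths and user names are made up.
SAMPLE_EVENTS = [
    r'{"type": "image_load", "process": "C:\\Program Files\\3CXDesktopApp\\app\\3CXDesktopApp.exe", "image": "C:\\Program Files\\3CXDesktopApp\\app\\ffmpeg.dll", "sha256": "C485674EE63EC8D4E8FDE9800788175A8B02D3F9416D0E763360FFF7F8EB4E02"}',
    r'{"type": "image_load", "process": "C:\\Program Files\\3CXDesktopApp\\app\\3CXDesktopApp.exe", "image": "C:\\Program Files\\3CXDesktopApp\\app\\d3dcompiler_47.dll"}',
    r'{"type": "network", "process": "C:\\Program Files\\3CXDesktopApp\\app\\3CXDesktopApp.exe", "host": "raw.githubusercontent.com", "path": "/IconStorages/images/main/icon0.ico"}',
    r'{"type": "image_load", "process": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\ffmpeg.dll"}',
    r'{"type": "image_load", "process": "C:\\Users\\alice\\AppData\\Local\\Programs\\3CXDesktopApp\\app\\3CXDesktopApp.exe", "image": "C:\\Users\\alice\\AppData\\Local\\Programs\\3CXDesktopApp\\app\\ffmpeg.dll"}',
    'this line is not JSON and must be skipped rather than crash the sweep',
]


def _name(path):
    """Case-folded file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return a finding label for one event, or None when it is not of interest."""
    if _name(event.get("process", "")) != PROCESS_OF_INTEREST:
        return None
    kind = event.get("type")
    if kind == "image_load" and _name(event.get("image", "")) == SIDELOADED_DLL:
        if event.get("sha256", "").lower() == KNOWN_BAD_FFMPEG:
            return "ffmpeg_known_bad"
        # A clean 3CX install also loads an ffmpeg.dll, so without the hash this is only a lead.
        return "ffmpeg_load_unverified"
    if (kind == "network" and event.get("host", "").lower() == STAGING_HOST
            and STAGING_PATH in event.get("path", "").lower()):
        return "staging_repo_fetch"
    return None


def hunt(lines):
    """Run classify() over JSON-lines telemetry; returns [(line_no, label)] in input order."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict):
            continue
        label = classify(event)
        if label:
            findings.append((n, label))
    return findings


if __name__ == "__main__":
    for line_no, label in hunt(SAMPLE_EVENTS):
        print(f"line {line_no}: {label}")
```

The `ffmpeg_load_unverified` label is deliberate: the module load on its own only says a 3CX client is running, so the hash (or the hunt in the previous section) is what turns the lead into a confirmed hit, while a fetch from the IconStorages path is a strong indicator by itself.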

While Qualys Endpoint Protection (EPP) users will be automatically protected by default, Qualys EDR-only customers can use the recently released auto-remediation feature to automatically take action.


Supply chain compromises are a growing concern for businesses, as they can lead to serious security breaches and financial losses. The attack was a multi-stage chain where attackers compromised a version of the 3CX VoIP desktop client, which was then used to target the company's customers. This is reminiscent of the SolarWinds campaign that we examined back in December 2022.

Organizations should take immediate steps to stop using the vulnerable version of the software, apply patches and monitor for anomalous behavior in 3CX processes. It is also essential to enable behavioral monitoring to detect the presence of such attacks within the system.


| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Resource Development | T1608.001 | Stage Capabilities: Upload Malware |

Table.5 MITRE mapping

  • Embedded dll
  • Trojanized 3cxDesktopApp
  • Infostealer dll
  • GitHub Repository
  • Icon File Hashes

  • Travis Smith, Vice President, Threat Research Unit, Qualys
  • Irfan Asrar, Director, Malware and Threat Research, Qualys
  • Mayuresh Dani, Manager, Threat Research, Qualys
  • Sabri Naoufal, Senior Malware Analyst, Qualys
  • Mohammad Shabbir, Malware Analyst, Qualys
  • Akshat Pradhan, Senior Engineer, Threat Research, Qualys