Uninstall Now: Hackers Hijack 3CX Desktop App to Deliver Malware

If you use the 3CX desktop app for Windows or Mac, watch out: Hackers have hijacked the software to deliver malware to computers.

On Wednesday, cybersecurity providers noticed malicious activity coming from the legitimate 3CX desktop app, which is used to make VoIP and video conferencing calls.

“At this time, activity has been observed on both Windows and macOS,” security firm CrowdStrike says in a blog post. The company has also uncovered evidence that the malicious activity is coming from the infamous North Korean state-sponsored group known as Lazarus, which the FBI tied to the 2014 Sony Pictures hack.

In response, 3CX CEO Nick Galea is urging users to uninstall the affected software, which includes versions 18.12.407 and 18.12.416 of the Windows app. The company is working on an update to fully resolve the threat. In the meantime, 3CX says users can use its web-based app as a substitute.

It remains unclear how the hackers breached 3CX to hijack the desktop app. But they somehow triggered the 3CX software to run an update process that causes the app to load malware components, including an infostealer that can pull data like passwords from a browser, according to security firm Trend Micro.

A diagram of how the attack works. (Credit: Huntress)

The malicious activity from the app has prompted several cybersecurity providers to block the threat and even uninstall the software, so some customers may be protected from the attack. But many others likely are not. Security firm Huntress notes that as many as 242,519 devices may have been compromised.


3CX says its clients include 600,000 businesses, along with 12 million daily users. These businesses include medical providers, hotels, and schools, along with major vendors like McDonald’s, Toyota, and Chevron. Hence, the incident risks exposing numerous organizations to hacker infiltration.

3CX says the hackers appear to have selectively chosen which computers to hit. “The vast majority of systems, although they had the files dormant, were in fact never infected,” it adds.
