3CX Desktop App Compromised (CVE-2023-29059)

2023-03-30 Fortinet

https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised

FortiGuard Labs reported CVE-2023-29059 as a trojanized 3CX Desktop App supply-chain compromise affecting Electron-based Windows versions 18.12.407 and 18.12.416 and macOS versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416. The malicious chain uses a sideloaded ffmpeg.dll to read an encrypted blob from d3dcompiler_47.dll, decrypt shellcode, and attempt to pull ICO files from a now-removed GitHub repository that contained download URIs for later-stage payloads. The source identifies malicious installer and DLL hashes, notes 3CX's large global customer base, and advises discontinuing the older desktop clients in favour of the unaffected web-based PWA client. Fortinet also mapped detections and blocked network indicators tied to the attack, but the core CTI finding is the compromised, signed 3CX desktop software and its staged payload delivery path.

Indicators of Compromise
