North Korean hackers attack hundreds of thousands of companies globally

31 March 2023 19:24

Researchers from several information security companies reported a large-scale hacking attack on users of 3CX Phone’s VoIP telephony applications.

Attackers from the Labyrinth Chollima group, allegedly linked to the North Korean government, managed to embed a trojan in 3CX applications for Windows and macOS, which are used by more than 600,000 companies worldwide, TechNewsSpace reports.

According to available data, hackers managed to compromise 3CX’s software build system, which is used to create and distribute new versions of the company’s software products for Windows and macOS platforms. Control over this system gave attackers the ability to hide the trojan in legitimate VoIP telephony applications signed with a valid 3CX certificate. Because of this, millions of users could be at risk, as 3CX applications are used by companies all over the world, including American Express, Mercedes-Benz, PricewaterhouseCoopers and others.

According to the source, versions of the applications released in March this year could pose a threat: 18.12.407 and 18.12.416 for Windows, and 18.11.1213, 18.12.402, 18.12.407 and 18.12.416 for macOS. The attack mechanism is triggered when a user downloads an MSI installer from the 3CX website or downloads an update package. During installation, several malicious DLL files required for the next stage of the attack are extracted. Although the installer executable itself is not malicious, it uses these libraries to download, extract and execute the encrypted payload.

After that, ICO files with additional lines of code are downloaded from a GitHub repository and used to deliver the final payload to victims’ devices. The source notes that the first ICO files were added to GitHub in December last year. The malware itself is a previously unknown trojan horse designed to steal information, including logins and passwords stored in web browsers.

3CX CEO Nick Galea wrote a message on the company’s forum, where he apologized for the incident. He also recommended that users remove versions of applications compromised by attackers and temporarily switch to using the web version of the softphone.

 

Caliber.Az