On Wednesday, March 29, 2023, Sophos MDR Operations and Sophos X-Ops Threat Intelligence started investigating an attack on the Voice over Internet Protocol (VoIP) client 3CXDesktop.

The attack involves a digitally signed and trojanized version of the softphone desktop client (known as the 3CX DesktopApp) for both Windows and macOS. The threat actor abused the application to deliver an installer that communicates with various command-and-control (C2) servers.

How Can You Determine If You Are Affected?

Sophos has discovered and documented multiple indicators of compromise (IoCs) as well as multiple queries that threat hunters can use to search their own environments. Visit the Sophos X-Ops Blog for the most up-to-date information.

A list of IoCs for this attack is published on our GitHub.

What Action Should You Take?

Sophos strongly recommends that you take this threat seriously and act immediately, if you have not already done so.

  1. Stay alert for communication directly from 3CX, or through the 3CX blog or the 3CX forum.
  2. 3CX has already identified which versions are affected and published the recommended next steps on the 3CX blog.
  3. If any suspicious activity is observed from these hosts, consider network isolation until detailed vendor guidance from 3CX has been issued.

If you need expert assistance to determine exposure or remediate the situation, there are services available through Sophos Partners to help:

  • Managed Detection and Response (MDR) – a managed security service that hunts for threats, identifies adversarial activity in your environment, and neutralizes it
  • Rapid Response (RR) – if you have already identified an active attack in your environment, our incident response experts can provide immediate assistance to neutralize it

Sophos protection

Sophos has taken the following actions to protect customers from this attack:

  • Blocked the malicious domains
  • Published the endpoint detection: Troj/Loader-AF
  • Blocked the list of known C2 domains associated with the threat, and will continue to add to that list
  • For Sophos MDR customers, the MDR Detection Engineering team has a variety of behavioral detections in place that will detect follow-up activity

Determining impact with Sophos XDR

Sophos XDR enables organizations to determine whether hosts have communicated with threat actor infrastructure. We have created a custom query that is available here.

More information