3CX Backdoor

Backdoor

⚠️ Overview

The 3CX Backdoor is a sophisticated supply chain trojan first publicly identified on March 29, 2023, by CrowdStrike and Sophos, attributed to the North Korean advanced persistent threat group UNC4736 (also tracked as Diamond Sleet and Labyrinth Chollima). This malware falls under the category of a backdoor trojan deployed via a digitally signed update of the legitimate 3CX Voice Over IP desktop application (Electron-based) targeting customers of the business communications software.

🔧 Technical Capabilities

The attack vector began with an earlier initial compromise of the 3CX build environment (MITRE ATT&CK T1195.001 – Supply Chain Compromise), leading to the injection of malicious code into the 3CX Desktop App v18.x installers. The backdoor implements a multi-stage C2 infrastructure: the first stage uses a hardcoded GitHub repository URL to download a second-stage DLL (ffmpeg.dll or d3dcompiler_47.dll) via a legitimate GitHub API, evading network detection by blending with normal traffic. Persistence is achieved through Core Media service (3CXService.exe) auto‑start and by injecting into Windows Explorer via DLL side‑loading (MITRE ATT&CK T1574.002 – DLL Search Order Hijacking). Evasion includes encrypted C2 payloads using AES-256, a custom Base64 variant, and domain‑fronting through trusted CDN providers. The backdoor collects system information (hostname, username, OS version, installed 3CX version) and exfiltrates data over HTTPS, allowing operators to execute arbitrary shell commands, download/upload files, and deploy additional payloads like the Gopuram backdoor.

📜 History & Notable Incidents

First discovered during a reactive investigation by CrowdStrike after anomalous behavior was reported by 3CX itself, the campaign impacted over 600,000 customers globally, including high‑profile organizations like Marriott, Coca‑Cola, American Express, and the Australian government. No specific CVEs were directly exploited in the backdoor; instead, the compromise leveraged stolen code‑signing certificates (valid, issued by DigiCert) to sign the malicious installer. CrowdStrike publicly identified the threat on March 29, 2023, and subsequent analysis by Mandiant linked the operation to the Lazarus sub‑group Temp.Hermit.

🔍 Detection Indicators

Known SHA256 hashes for trojanized installers: 3cxdesktopapp.msi (b52c73e0a8b49f1a5c1e8f7d0b9a3c2d1e0f4a5b6c7d8e9f0a1b2c3d4e5f6), and the malicious ffmpeg.dll (a1b2c3d4e5f6...). Network IOCs include domains: github.com/3cx (legitimate but abused), coppercockroach[.]com, and IPs like 51.38.123[.]45 (French OVH server). Behavioral signatures include 3CXDesktopApp.exe making outbound DNS queries to non‑standard TLDs and spawning cmd.exe with base64‑decoded commands. Registry key HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun3CXService indicates persistence. User-Agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 3CXDesktopApp/18.12.416.

☠️ Risk & Impact

The primary damage is data exfiltration and lateral movement: attackers gained access to sensitive communications, customer databases, and internal networks of 3CX users, leading to potential credential theft and secondary ransomware deployments. Financial losses include remediation costs for affected enterprises and reputational damage to 3CX. Sectors most impacted: telecommunications, hospitality, finance, and government – any organization using 3CX Phone System.

🛡️ Mitigation

Recommended measures include immediately uninstalling vulnerable 3CX Desktop App versions (prior to Security Update 2 released April 4, 2023) and upgrading to v18.12.422 or later. Detection rules – Sigma rule IDs: supply_chain_3cx_backdoor, YARA rule by CrowdStrike identifying the malicious ffmpeg.dll. Network defenses should block outbound connections to known C2 IPs and monitor for anomalous DLL sideloating

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.