BIPI

3CX: The First Confirmed Double Supply Chain Attack

Threat Intelligence

In March 2023, a trojanized 3CX desktop app was traced back to a separately trojanized Trading Technologies installer. A look at the cascade, the DPRK operators behind it, and what downstream customers had to triage.

By Arjun Raghavan, Security & Systems Lead, BIPI · February 3, 2024 · 8 min read

#3cx #supply-chain #dprk #threat-intelligence

On March 29, 2023, CrowdStrike and SentinelOne independently published telemetry showing that 3CXDesktopApp, a softphone client used by ~600,000 customers, was beaconing to attacker infrastructure. Mandiant's incident response inside 3CX produced the finding that defined 2023's supply chain narrative: the initial compromise was not a 3CX zero-day or a build server intrusion in the SolarWinds sense. It was a separately trojanized installer from a different vendor that a 3CX employee installed on a corporate workstation.

Timeline of the cascade

  1. April 2022: A 3CX employee downloads the X_Trader installer from Trading Technologies' legacy website. The installer is trojanized with VEILEDSIGNAL.
  2. April 2022 onward: VEILEDSIGNAL backdoor establishes persistence on the employee's workstation and harvests corporate credentials.
  3. Late 2022: UNC4736 (DPRK-linked) moves laterally into the 3CX build environment.
  4. Early 2023: Trojanized 3CX Electron-based desktop installers ship for Windows and macOS. Sideloaded DLLs (ffmpeg.dll, d3dcompiler_47.dll) carry the malicious payload.
  5. March 22, 2023: First customer reports of strange beaconing behavior.
  6. March 29, 2023: Public disclosure. 3CX recalls the affected builds and ships a clean release.

Root cause: trust inheritance across vendors

Trading Technologies had decommissioned X_Trader in 2020 but left the installer on their site. The DPRK operators trojanized that abandoned binary and waited for downloads. 3CX inherited Trading Technologies' compromise the moment an employee ran the installer on a build-adjacent workstation. The 3CX desktop app was then signed with a legitimate 3CX certificate. From a customer's perspective, every trust signal was green.

What the operators did with access

The second-stage payload, ICONIC STEALER, was a Chrome and Edge information stealer. Telemetry from CrowdStrike and Volexity showed selective activation: the vast majority of 3CX customers who installed the trojanized version got the beacon but not the second stage. The operators focused on cryptocurrency-adjacent organizations, consistent with DPRK financial collection priorities. At least two cryptocurrency firms had wallet credentials exfiltrated.

Detection signals customers had to hunt for

  • 3CXDesktopApp making outbound connections to azureonlinecloud[.]com, akamaicontainer[.]com, msstorageazure[.]com.
  • Unsigned or signed-with-stolen-cert ffmpeg.dll and d3dcompiler_47.dll in the 3CX install directory.
  • Chromium browser profile reads originating from 3CXDesktopApp.exe.
  • GitHub-hosted ICO files being fetched; these files encoded the second-stage C2 addresses.
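A hunting pass over the four signals above, written as an added example for this post (not 3CX, CrowdStrike or Volexity tooling); the JSON-lines event schema, the sample events and the GitHub repository path are constructed assumptions.

```python
import json

# Indicators quoted in the post (defanged there with [.]; refanged here for matching).
C2_DOMAINS = {"azureonlinecloud.com", "akamaicontainer.com", "msstorageazure.com"}
SIDELOADED_DLLS = {"ffmpeg.dll", "d3dcompiler_47.dll"}
CHROMIUM_MARKERS = ("\\google\\chrome\\user data\\", "\\microsoft\\edge\\user data\\")

# Constructed telemetry in an assumed JSON-lines schema; the GitHub repo is a placeholder.
SAMPLE_EVENTS = r"""
{"process": "3CXDesktopApp.exe", "type": "dns", "query": "cdn.akamaicontainer.com"}
{"process": "chrome.exe", "type": "dns", "query": "msstorageazure.com"}
{"process": "3CXDesktopApp.exe", "type": "image_load", "path": "C:\\Program Files\\3CXDesktopApp\\app\\ffmpeg.dll", "signer": "3CX Ltd"}
{"process": "3CXDesktopApp.exe", "type": "image_load", "path": "C:\\Windows\\System32\\kernel32.dll", "signer": "Microsoft Windows"}
{"process": "3CXDesktopApp.exe", "type": "file_read", "path": "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"process": "3CXDesktopApp.exe", "type": "http", "url": "https://raw.githubusercontent.com/placeholder-org/placeholder-repo/main/icon1.ico"}
{"process": "3CXDesktopApp.exe", "type": "http", "url": "https://update.example.com/3cx/release.json"}
"""

def hunt(jsonl):
    """Return (rule, detail) hits for events that match the post's four detection signals."""
    hits = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev["process"].lower() != "3cxdesktopapp.exe":
            continue  # every signal in the post is anchored on the softphone process
        kind = ev["type"]
        if kind == "dns":
            host = ev["query"].lower()
            if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
                hits.append(("c2_domain", host))
        elif kind == "image_load":
            path = ev["path"].lower()
            if path.rsplit("\\", 1)[-1] in SIDELOADED_DLLS and "\\3cxdesktopapp\\" in path:
                # The post notes these DLLs were unsigned or carried a stolen cert, so the
                # signer field is not a clean bill of health; surface it for signature review.
                hits.append(("sideloaded_dll", f"{path} (signer: {ev.get('signer', 'none')})"))
        elif kind == "file_read":
            path = ev["path"].lower()
            if any(m in path for m in CHROMIUM_MARKERS):
                hits.append(("browser_profile_read", path))
        elif kind == "http":
            url = ev["url"].lower()
            host = url.split("/")[2]
            if host.endswith(("github.com", "githubusercontent.com")) and url.split("?")[0].endswith(".ico"):
                hits.append(("github_ico_fetch", url))
    return hits

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:22} {detail}")
```

The sample deliberately includes a chrome.exe DNS lookup and a kernel32.dll load that must not fire, so the process anchor and DLL allow-list are exercised as well as the positive cases.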

Lessons for vendor risk programs

The 3CX cascade reframed third-party risk as nth-party risk. Three practical shifts followed in our client base. First, software inventories now have to include developer workstation software, not just production dependencies, because that is where the cascade started. Second, code-signing certificates need to be issued from HSM-backed CAs with short-lived keys, so that a single workstation compromise cannot mint malicious binaries for months. Third, customer detection cannot rely on the vendor's disclosure; in 3CX's case, the public timeline shows ~7 days between active beaconing and disclosure, which is plenty of time for second-stage execution.

By the numbers:

  • ~600K: 3CX customer organizations
  • 2 vendors: stacked in the compromise chain
  • 7 days: between detection and public disclosure
  • UNC4736: DPRK actor attribution

"If your vendor's security depends on their employees not running random installers from abandoned vendor websites, your security depends on the same."

The 3CX investigation also delivered an underrated artifact: a CISA joint advisory that, for the first time, named a software vendor as a victim of another software vendor. That precedent matters. It made it harder for any compromised vendor to argue that disclosure was their unilateral decision.
