On or around the 29th March 2023 Crowdstrike observed malicious activity from legitimate signed binaries for the application 3CXDesktop. On 30th March 2023 and engagement ensued. The attack chain indicates that it was a trojan-iased application with a dynamic link library (DLL) of a malicious version of an open source video player. The DLL is loaded by the executable 3CXDDesktop exe application which then runs from a GitHub library. It is recommended that any orgs check to see if they use this player or have it installed. Vendor reporting suggest that it is affiliated with state sponsored activity. Indicators of compromise has been included in the respective sourced reports.
Sources: Crowdstrike
SentinelOne
------------------------------
Derek Buchanan
Threat Intel lead
Vodafone
------------------------------