We have confirmation that malicious versions of both Windows and macOS of the 3CX Desktop App are being
deployed via trojanized updates. However, the application is available for Linux and mobile systems as well.
While the desktop applications for those platforms are not known to be compromised, we recommend removing them out of caution until 3CX’s investigation is completed.

While the news broke on Wednesday, March 29, 
Bleeping Computer notes some customers have posted in
3CX forums that attacks have been observed as early as March 22. Vulnerable versions of the 3CX Desktop App 
appear to be 18.12.407 and 18.12.416 on Windows and 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 on macOS.

Remediation Recommendations for 3CX

We have confirmation that malicious versions of both Windows and macOS of the 3CX Desktop App are being deployed via trojanized updates. However, the application is available for Linux and mobile systems as well.

We recommend that all 3CX customers who use the desktop application immediately:

1. Find and terminate all running 3CX processes on Windows, macOS, Linux, and mobile systems.

2. Find and remove all instances of the 3CX Desktop App on Windows, macOS, Linux, and mobile systems.

3. Use the 3CX web application/Web App (PWA) instead of the desktop application for now.

Find and terminate 3CX Desktop App Processes and remove all instances of the 3CX Desktop App

If you’re an Automox customer, the Worklet Catalog has automated remediation scripts for Windows,
 macOS, and Linux available so that you can automatically find and terminate the running processes
and uninstall the 3CX Desktop App.

If you aren’t an Automox customer, the below scripts are in standard languages for
each affected operating system (except for mobile devices) and can be used to terminate
the 3CX process on Windows, macOS, and Linux endpoints.

The below scripts are written in PowerShell for Windows systems, and BASH for Linux and macOS systems.
These scripts were written and accurate as of the publishing of this blog on March 31, 2023.

#This section will kill the 3CXDesktopApp process, if it is currently running....
if (Get-Process -Name “3CXDesktopApp” -ErrorAction SilentlyContinue) {
    write-output “Found the process running, killing it!”
    Stop-Process -Name “3CXDesktopApp” -Force
}
#This section will rename the 3CXDesktopApp.Exe and Update.exe to a different filename, so they won’t get run automatically again.
$ListOfLocations = @(
    “C:\Users\*\AppData\Local\Programs\3CXDesktopApp\3CXDesktopApp.exe”,
    “C:\Users\*\AppData\Local\Programs\3CXDesktopApp\Update.exe”,
    “C:\Program Files\3CXDesktopApp\3CXDesktopApp.exe”,
    “C:\Program Files\3CXDesktopApp\Update.exe”
    )
foreach ($Location in $ListOfLocations){
    $FoundInstances = Get-Item -Path $Location -ErrorAction SilentlyContinue
    foreach ($FoundInstance in $FoundInstances){
        write-output “Found 3CX Desktop App Files at ‘$FoundInstance’, Renaming it...”
        Rename-Item -Path $FoundInstance -NewName “$($FoundInstance.Name)_RENAMED”
    }
}

#!/bin/bash
#================================================================
# HEADER
#================================================================
#  SYNOPSIS
#    Removes and uninstalls 3CX Desktop App
#
#  DESCRIPTION
#    This script checks to see if any processes are running or
#    if the application is installed for the system or user.
#
#    If any content is identified for the affected versions
#    they will be removed.
#
#    Affected versions: [“18.12.416” “18.11.1213" “18.12.407” “18.12.402"]
#    File paths in scope:
#      /
#      /Applications/
#      /Users/*/Applications/
#      /Users/*/Desktop/
#      /Library/Application Support/
#      /Users/*/Library/Application Support/
#
#
#  USAGE
#    ./remediation.sh
#
#================================================================
#  IMPLEMENTATION
#    author          Ben Glass
#
#================================================================
#  HISTORY
#    03/30/2023 : bglass : Script creation
#
#================================================================
# END_OF_HEADER
#================================================================
shopt -s nocaseglob
appPattern=“3cx*desktop*.app”
processPattern=“.*3cx.*desktop.*”
vulnerableVersion=(“18.12.416” “18.11.1213" “18.12.407” “18.12.402")
processRunning=$(pgrep “$processPattern” | wc -l)
if [ “${processRunning}” -gt 0 ]; then
  echo “Process found for 3cx desktop app, terminating processes”
  pgrep -i “${processPattern}” | awk ‘{print $1}’ | xargs kill -9
fi
## List of application directories where the application may be installed
installDirs=(“/${appPattern}” “/Applications/${appPattern}” “/Users/*/Applications/${appPattern}” “/Users/*/Desktop/${appPattern}“)
## List of additional directories that may have files for the application
supportDirs=(“/Library/Application Support/${appPattern}” “/Users/*/Library/Application Support/${appPattern}“)
for d in “${installDirs[@]}“; do
  if [ -d “${d}” ]; then
    currentVersion=$(mdls -name kMDItemVersion “${d}“| grep -o ‘[0-9]\+.[0-9]\+.[0-9]\+’)
    if [[ “${vulnerableVersion[*]}” =~ ${currentVersion} ]]; then
      echo “Vulnerable version found ${currentVersion}, removing from OS”
      rm -rf “${d}”
      for sd in “${supportDirs[@]}“; do
        if [ -d “${sd}” ]; then
          rm -rf “${sd}”
        fi
      done
    fi
  fi
done

#!/bin/bash
#================================================================
# HEADER
#================================================================
#% SYNOPSIS
#%
#% DESCRIPTION
#%    This shuts off the 3cx unattended-upgrades and removes
#%    potentially infected files.
#%
#% USAGE
#%    ./remediation.sh
#%
#% EXAMPLES
#%	  ./remediation.sh
#%
#================================================================
#- IMPLEMENTATION
#-    version         TWF-1326_create_linux_3cx_disable (www.automox.com) 1.0
#-    author          Ted Harapat
#-
#================================================================
#  HISTORY
#     3/30/2023 : Ted Harapat : Script creation
#     ##/##/#### : ####: Validated and catalogued
#
#================================================================
# END_OF_HEADER
#================================================================
FILEPATHS=“/var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg”
# Disable 3CX Unattended-Upgrades Service
systemctl stop unattended-upgrades
# Collect the version of 3CX Desktop Apps on the Server
cd /var/lib/3cxpbx/Instance1/Data/Http/electron || return
ls -la ./* > /root/3cx-desktop-versions.log
# Remove the files
for badfile in $(/bin/ls -1 “$FILEPATHS”)
do
  if [ -f “$badfile” ]; then
    /bin/rm -f “$badfile”
  fi
done
exit 0

Use the 3CX web application instead

As you terminate the 3CX Desktop App processes and remove the desktop application from your systems,

instruct users to use the 3CX web application.