3CX Desktop App Compromised: Here’s What to Do ASAP
We have confirmation that malicious versions of both Windows and macOS of the 3CX Desktop App are being
deployed via trojanized updates. However, the application is available for Linux and mobile systems as well.
While the desktop applications for those platforms are not known to be compromised, we recommend removing them out of caution until 3CX’s investigation is completed.
While the news broke on Wednesday, March 29,
Bleeping Computer notes some customers have posted in
3CX forums that attacks have been observed as early as March 22. Vulnerable versions of the 3CX Desktop App
appear to be 18.12.407 and 18.12.416 on Windows and 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 on macOS.
Remediation Recommendations for 3CX
We have confirmation that malicious versions of both Windows and macOS of the 3CX Desktop App are being deployed via trojanized updates. However, the application is available for Linux and mobile systems as well.
We recommend that all 3CX customers who use the desktop application immediately:
1. Find and terminate all running 3CX processes on Windows, macOS, Linux, and mobile systems.
2. Find and remove all instances of the 3CX Desktop App on Windows, macOS, Linux, and mobile systems.
3. Use the 3CX web application/Web App (PWA) instead of the desktop application for now.
Find and terminate 3CX Desktop App Processes and remove all instances of the 3CX Desktop App
If you’re an Automox customer, the Worklet Catalog has automated remediation scripts for Windows,
macOS, and Linux available so that you can automatically find and terminate the running processes
and uninstall the 3CX Desktop App.
If you aren’t an Automox customer, the below scripts are in standard languages for
each affected operating system (except for mobile devices) and can be used to terminate
the 3CX process on Windows, macOS, and Linux endpoints.
The below scripts are written in PowerShell for Windows systems, and BASH for Linux and macOS systems.
These scripts were written and accurate as of the publishing of this blog on March 31, 2023.
For Windows systems
#This section will kill the 3CXDesktopApp process, if it is currently running....if (Get-Process -Name “3CXDesktopApp” -ErrorAction SilentlyContinue) { write-output “Found the process running, killing it!” Stop-Process -Name “3CXDesktopApp” -Force}#This section will rename the 3CXDesktopApp.Exe and Update.exe to a different filename, so they won’t get run automatically again.$ListOfLocations = @( “C:\Users\*\AppData\Local\Programs\3CXDesktopApp\3CXDesktopApp.exe”, “C:\Users\*\AppData\Local\Programs\3CXDesktopApp\Update.exe”, “C:\Program Files\3CXDesktopApp\3CXDesktopApp.exe”, “C:\Program Files\3CXDesktopApp\Update.exe” )foreach ($Location in $ListOfLocations){ $FoundInstances = Get-Item -Path $Location -ErrorAction SilentlyContinue foreach ($FoundInstance in $FoundInstances){ write-output “Found 3CX Desktop App Files at ‘$FoundInstance’, Renaming it...” Rename-Item -Path $FoundInstance -NewName “$($FoundInstance.Name)_RENAMED” }}For macOS systems
#!/bin/bash#================================================================# HEADER#================================================================# SYNOPSIS# Removes and uninstalls 3CX Desktop App## DESCRIPTION# This script checks to see if any processes are running or# if the application is installed for the system or user.## If any content is identified for the affected versions# they will be removed.## Affected versions: [“18.12.416” “18.11.1213" “18.12.407” “18.12.402"]# File paths in scope:# /# /Applications/# /Users/*/Applications/# /Users/*/Desktop/# /Library/Application Support/# /Users/*/Library/Application Support/### USAGE# ./remediation.sh##================================================================# IMPLEMENTATION# author Ben Glass##================================================================# HISTORY# 03/30/2023 : bglass : Script creation##================================================================# END_OF_HEADER#================================================================shopt -s nocaseglobappPattern=“3cx*desktop*.app”processPattern=“.*3cx.*desktop.*”vulnerableVersion=(“18.12.416” “18.11.1213" “18.12.407” “18.12.402")processRunning=$(pgrep “$processPattern” | wc -l)if [ “${processRunning}” -gt 0 ]; then echo “Process found for 3cx desktop app, terminating processes” pgrep -i “${processPattern}” | awk ‘{print $1}’ | xargs kill -9fi## List of application directories where the application may be installedinstallDirs=(“/${appPattern}” “/Applications/${appPattern}” “/Users/*/Applications/${appPattern}” “/Users/*/Desktop/${appPattern}“)## List of additional directories that may have files for the applicationsupportDirs=(“/Library/Application Support/${appPattern}” “/Users/*/Library/Application Support/${appPattern}“)for d in “${installDirs[@]}“; do if [ -d “${d}” ]; then currentVersion=$(mdls -name kMDItemVersion “${d}“| grep -o ‘[0-9]\+.[0-9]\+.[0-9]\+’) if [[ “${vulnerableVersion[*]}” =~ ${currentVersion} ]]; then echo “Vulnerable version found ${currentVersion}, removing from OS” rm -rf “${d}” for sd in “${supportDirs[@]}“; do if [ -d “${sd}” ]; then rm -rf “${sd}” fi done fi fidoneFor Linux systems
#!/bin/bash#================================================================# HEADER#================================================================#% SYNOPSIS#%#% DESCRIPTION#% This shuts off the 3cx unattended-upgrades and removes#% potentially infected files.#%#% USAGE#% ./remediation.sh#%#% EXAMPLES#% ./remediation.sh#%#================================================================#- IMPLEMENTATION#- version TWF-1326_create_linux_3cx_disable (www.automox.com) 1.0#- author Ted Harapat#-#================================================================# HISTORY# 3/30/2023 : Ted Harapat : Script creation# ##/##/#### : ####: Validated and catalogued##================================================================# END_OF_HEADER#================================================================FILEPATHS=“/var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.dmg /var/lib/3cxpbx/Instance1/Data/Http/electron/osx/*.zip /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.msi /var/lib/3cxpbx/Instance1/Data/Http/electron/windows/*.nupkg”# Disable 3CX Unattended-Upgrades Servicesystemctl stop unattended-upgrades# Collect the version of 3CX Desktop Apps on the Servercd /var/lib/3cxpbx/Instance1/Data/Http/electron || returnls -la ./* > /root/3cx-desktop-versions.log# Remove the filesfor badfile in $(/bin/ls -1 “$FILEPATHS”)do if [ -f “$badfile” ]; then /bin/rm -f “$badfile” fidoneexit 0Use the 3CX web application instead
As you terminate the 3CX Desktop App processes and remove the desktop application from your systems,
instruct users to use the 3CX web application.