3CX, a company that provides teleconferencing systems, is informing customers that their software has been abused by a threat actor to include an installer that beacons out to hacker-controlled servers.
The company’s software is digitally signed and contains a malicious payload. Infected parties have reported to security vendors that interactive command shells have been spawned on their systems.
3CX provides digital phone technology to over 600,000 companies according to their website. Including some of the world’s biggest brands: Mercedes, McDonalds, American Express, Honda, BMW, the National Health Service of the UK, Toyota, Coca Cola and many more.

Pierre Jourdan—CISO at 3CX—published a blog post on the company’s website informing that their Electron Windows App versions 18.12.407 & 18.12.416 have a security issue that is being flagged by antivirus companies.
The software includes a backdoor version of the ffmpeg.dll, an open-source software containing libraries and programs for handling video and audio streams.
3CX are working on a new Windows application and are issuing a new certificate for the app. In the meantime they suggest customers use their web application instead, as it has 95% of the functionality of the native application. Pierre also clarified why the company even has two applications:
“The reason we have two apps is that when we started the Electron App, the PWA [web application] technology was not available yet. Now it's mature and working really well.”
Domains contacted by the malicious library have been reported and mostly taken down by registrars.
NORTH KOREA ANGLE
Cyber security researcher John Hammond at Huntress, had provided a technical deep dive into the malware and have reason to believe that the attack could be orchestrated by North Korean threat actors.
SUPPLY CHAIN ATTACKS
Supply chain attacks like these are particularly devastating because clients update their software in good faith, not knowing that the software manufacturer is actually providing them with malware. There have been a string of notable software supply chain compromises over the last few years such as SolarWinds, Kaseya and Codecov.
Silas Cutler, Director of Cyber Threat Research & Analysis at the Institute for Security and Technology, released a tool that helps companies easily identify if they may have been impacted by the malware.
HOLD THEM ACCOUNTABLE
TEARLINE reported recently on the White House’s plan to hold software manufacturers liable when they ship bad products. It’s unclear if in this instance, 3CX would be held liable, if the legislation is ever passed.
Updated on 2nd Apr 2023 to include tool from Silas Cutler.