CVE-2023-29059
published 2023-03-30


Priority: P2 (78) · CVSS 3.1: 7.8 (high)
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
In the wild: VulnCheck KEV · exploited in the wild
EPSS: 4.37% (90.1th percentile)
3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the 3CX DesktopApp Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the 3CX DesktopApp Electron macOS application.

Affected (4 ranges)

Vendor   Product   Version range   Fixed in
3cx      3cx
3cx      3cx
3cx      3cx
3cx      3cx

Detection & IOCs (extracted from sources)

hash (MD5)      27b134af30f4a86f177db2f2555fe01d
hash (MD5)      82187ad3f0c6c225e2fba0c867280cc9
hash (MD5)      7faea2b01796b80d180399040bb69835
hash (SHA-256)  7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
hash (SHA-256)  92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61
hash (SHA-256)  b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb
hash (SHA-256)  b5e318240401010e4453e146e3e67464dd625cfef9cd51c5015d68550ee8cc09
hash (SHA-256)  aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973
hash (SHA-256)  a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67
hash (SHA-256)  dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc
hash (SHA-256)  fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405
hash (SHA-256)  54004dfaa48ca5fa91e3304fb99559a2395301c570026450882d6aad89132a02
hash (MD5)      08d79e1fffa244cc0dc61f7d2036aca9
hash (MD5)      bb915073385dd16a846dfa318afa3c19
domain          akamaicontainer.com
domain          akamaitechcloudservices.com
domain          azuredeploystore.com
domain          azureonlinecloud.com
domain          azureonlinestorage.com
domain          dunamistrd.com
domain          glcloudservice.com
domain          journalide.org
domain          msedgepackageinfo.com
domain          msstorageazure.com
domain          msstorageboxes.com
domain          officeaddons.com
domain          officestoragebox.com
domain          pbxcloudeservices.com
domain          pbxphonenetwork.com
domain          pbxsources.com
domain          qwepoi123098.com
domain          sbmsa.wikisourceslabs.com
domain          visualstudiofactory.com
domain          zacharryblogs.com
domain          convieneonline.com
domain          soyoungjun.com
filename        ffmpeg.dll
filename        d3dcompiler_47.dll
path            C:\Users\Admin\AppData\Local\Programs\3CXDesktopApp\app-18.12.407\3CXDesktopApp.exe
  • Scan the filesystem for ffmpeg.dll and compare its hash with the listed malicious hashes; the 3cxInjectionHunter script crawls the filesystem looking for instances of the infected ffmpeg.dll and reports a match to the malicious hash
  • Check the local DNS cache for matches against the known malicious C2 domains associated with this campaign, e.g. with the 3CXLocalDNSCacheHunter script
  • Two copies of 3CXDesktopApp.exe exist; the second one, inside the app-18.12.407 subfolder (not the root install path), is the one that sideloads the malicious ffmpeg.dll. Differentiate them by path and file size (142MB vs 541KB)
  • Block or alert on all network connections to the listed actor-controlled C2 domains (akamaicontainer[.]com, akamaitechcloudservices[.]com, azuredeploystore[.]com, etc.) via web filtering or DNS sinkholes
  • Fortinet AV signatures W64/Agent.CFM!tr, OSX/Agent.CN!tr and Riskware/Sphone_XC3 detect the trojanized installer and DLL components
  • Check Point detections Trojan-Downloader.Win.SmoothOperator and Trojan.Wins.SmoothOperator cover this threat in Threat Emulation and Harmony Endpoint
  • The GitHub repository that hosted the ICO files carrying encrypted C2 strings has been taken down, so second-stage payload delivery via this channel is no longer active for new infections
  • Only the Electron versions of the 3CX DesktopApp are affected (Windows 18.12.407 and 18.12.416; macOS 18.11.1213, 18.12.402, 18.12.407 and 18.12.416); Linux, Android, iOS, Chrome, PWA, 3CXHosted and StartUP customers are not affected
  • The info stealer (third-stage payload) was deployed only in later stages against selected targets; not all compromised systems received it, and it was likely used to identify interesting targets for the operators
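The filesystem and DNS-cache checks described in the bullets above, as an added example (this is not 3CX's code and not the 3cxInjectionHunter or 3CXLocalDNSCacheHunter scripts): a Python sweep that hashes every ffmpeg.dll / d3dcompiler_47.dll under a directory against this entry's hash IOCs, flags the sideloading 3CXDesktopApp.exe by its app-<version> parent folder rather than the root install path, and parses `ipconfig /displaydns` output for the listed C2 domains or their subdomains. The hashes, domains, file names and affected versions are copied from this entry; the function names (scan_tree, is_affected_app_exe, dns_cache_hits, run_demo), the temporary install tree and the sample DNS-cache text are this example's own constructions.

```python
"""Offline IOC sweep for CVE-2023-29059 (trojanized 3CX DesktopApp).
Added example, not code from 3CX or from the hunter scripts named in this
entry. Hashes, domains, file names and versions come from this entry; the
function names, temp-dir layout and sample DNS-cache text are constructed."""
import hashlib
import os
import re
import tempfile
from pathlib import Path, PureWindowsPath

IOC_HASHES = {  # from this entry's IOC list; 32 hex chars are MD5, 64 are SHA-256
    "27b134af30f4a86f177db2f2555fe01d", "82187ad3f0c6c225e2fba0c867280cc9",
    "7faea2b01796b80d180399040bb69835", "08d79e1fffa244cc0dc61f7d2036aca9",
    "bb915073385dd16a846dfa318afa3c19",
    "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896",
    "92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61",
    "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb",
    "b5e318240401010e4453e146e3e67464dd625cfef9cd51c5015d68550ee8cc09",
    "aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973",
    "a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67",
    "dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc",
    "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405",
    "54004dfaa48ca5fa91e3304fb99559a2395301c570026450882d6aad89132a02",
}
C2_DOMAINS = {  # actor-controlled domains from this entry's IOC list
    "akamaicontainer.com", "akamaitechcloudservices.com", "azuredeploystore.com", "azureonlinecloud.com",
    "azureonlinestorage.com", "dunamistrd.com", "glcloudservice.com", "journalide.org",
    "msedgepackageinfo.com", "msstorageazure.com", "msstorageboxes.com", "officeaddons.com",
    "officestoragebox.com", "pbxcloudeservices.com", "pbxphonenetwork.com", "pbxsources.com",
    "qwepoi123098.com", "sbmsa.wikisourceslabs.com", "visualstudiofactory.com", "zacharryblogs.com",
    "convieneonline.com", "soyoungjun.com",
}
IOC_FILENAMES = {"ffmpeg.dll", "d3dcompiler_47.dll"}
AFFECTED_WINDOWS_VERSIONS = {"18.12.407", "18.12.416"}  # Electron Windows builds from Update 7
APP_DIR_RE = re.compile(r"^app-(\d+\.\d+\.\d+)$", re.IGNORECASE)
RECORD_RE = re.compile(r"Record Name[ .]*:\s*(\S+)", re.IGNORECASE)

def file_hashes(path):
    """Return (md5, sha256) of a file, streamed so 100MB+ binaries are fine."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()

def scan_tree(root, ioc_hashes=IOC_HASHES):
    """Hash every ffmpeg.dll / d3dcompiler_47.dll under root and list IOC matches;
    both digests are compared because the IOC set mixes MD5 and SHA-256."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in IOC_FILENAMES:
                full = os.path.join(dirpath, name)
                matched = [h for h in file_hashes(full) if h in ioc_hashes]
                if matched:
                    hits.append({"path": full, "hash": matched[0]})
    return hits

def is_affected_app_exe(win_path):
    """True only for the 3CXDesktopApp.exe inside an affected app-<version> folder;
    the root-level copy is not the one that sideloads ffmpeg.dll."""
    p = PureWindowsPath(win_path)
    if p.name.lower() != "3cxdesktopapp.exe":
        return False
    m = APP_DIR_RE.match(p.parent.name)
    return bool(m and m.group(1) in AFFECTED_WINDOWS_VERSIONS)

def dns_cache_hits(cache_text, c2_domains=C2_DOMAINS):
    """Parse `ipconfig /displaydns` text; return cached names equal to or under a listed C2 domain."""
    hits = set()
    for m in RECORD_RE.finditer(cache_text):
        name = m.group(1).lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in c2_domains):
            hits.add(name)
    return sorted(hits)

# Constructed sample of `ipconfig /displaydns` output, not a real capture.
SAMPLE_DNS_CACHE = """\
    akamaicontainer.com
    ----------------------------------------
    Record Name . . . . . : akamaicontainer.com
    A (Host) Record . . . : 203.0.113.10

    Record Name . . . . . : www.example.com
"""

def run_demo():
    """Build a constructed install tree in a temp dir and run both checks."""
    root = tempfile.mkdtemp(prefix="3cx-ioc-demo-")
    dll = Path(root) / "3CXDesktopApp" / "app-18.12.407" / "ffmpeg.dll"
    dll.parent.mkdir(parents=True)
    dll.write_bytes(b"constructed placeholder, not the real ffmpeg.dll")
    synthetic_md5 = file_hashes(dll)[0]  # stands in for a real IOC match
    return {"real_ioc_hits": scan_tree(root),                    # clean tree: []
            "synthetic_hits": scan_tree(root, {synthetic_md5}),  # exercises a hit
            "dns_hits": dns_cache_hits(SAMPLE_DNS_CACHE)}        # ['akamaicontainer.com']

if __name__ == "__main__":
    print(run_demo())
```

On a real host you would call `scan_tree(r"C:\Users")` (or the whole volume) and feed `dns_cache_hits` the text of `ipconfig /displaydns`; on macOS the hash sweep applies unchanged but the cache parser does not, since the format is Windows-specific. A clean hash sweep is evidence, not proof: it only catches the exact binaries in this IOC list, so pair it with the path check, the C2 domain blocks, and the vendor signatures listed above.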

CVSS provenance

NVD (CVSS v3.1): 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 7.8 HIGH