
SECURITY ALERT: 3CX DesktopApp Compromised Installer

Updated on: 31 Mar 2023
Updated on March 31 @ 7:30AM (GMT +7) - Added infographic and additional pattern detections

On March 29, 2023, several reports of a potential security issue affecting a popular business communication installation and update package from 3CX appeared, which was later confirmed by the vendor themselves in a formal security alert.

At a very high level, affected versions of the 3CX DesktopApp application, as distributed by the vendor themselves, were infected with malicious software components, and customers who either performed a fresh install or obtained the update through other means may have downloaded the compromised package.

Trend Micro Research has a detailed blog, Developing Story: Information on Attacks Involving 3CX Desktop App, that contains more specific information on the attack itself.


The issue was said to be limited to the Electron (non-web) versions of their Windows package (versions 18.12.407 & 18.12.416) and macOS clients (versions 18.11.1213, 18.12.402, 18.12.407 & 18.12.416). The PWA (web-based) version does not appear to be affected, and the vendor is recommending that customers migrate to this version.

This article will cover some available detections/protection of the observed components, along with updated recommendations as they become available.

Using Trend Micro Products for Investigation

The following highlights several post-exploitation detection and remediation technologies that customers can use to investigate, and help with potential remediation in, their environment.

Trend Vision One™

Trend Vision One customers benefit from the XDR detection capabilities of the underlying products, such as Trend Micro Apex One. The following outlines some of the components of Trend Vision One that can be used for investigation.

Curated Intelligence Reports

An updated Curated Intelligence Report in Trend Vision One for this campaign has been added that will automatically conduct some endpoint activity sweeping for XDR customers that have this enabled.


Mitigations, Trend Micro Protection, and Detection Against Exploitation

First and foremost, it is always highly recommended that users apply the vendor's patches when they become available and applying them is feasible. As of now, 3CX offers two options for updating the software:

1.  Users can migrate to the PWA (web-based) version of the application. 
2.  An updated version of the Windows Electron app has been released by 3CX:  18.12.422 (macOS version is still TBD).

In addition, it is advised that customers delete any and all versions of affected installers that they may have in file repositories or other storage. 
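As an added example (not part of this alert, nor Trend Micro's or 3CX's code), the following Python helper classifies inventoried 3CX DesktopApp installs against the version lists above, so affected hosts can be removed and reinstalled first; the inventory rows and their (name, platform, version) layout are an assumption.

```python
"""Triage helper for the 3CX DesktopApp version lists in this alert.
Added example, not Trend Micro's or 3CX's code: version numbers come from the
alert; the inventory rows are constructed sample input (name, platform, version).
"""

# Electron (non-web) builds named as affected in the alert, per platform.
AFFECTED = {
    "windows": {"18.12.407", "18.12.416"},
    "macos": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}
# Fixed build published by 3CX; the macOS fix was still TBD when this was written.
FIXED = {"windows": "18.12.422", "macos": None}


def parse_version(v: str) -> tuple:
    """'18.12.416' -> (18, 12, 416) so builds compare numerically, not as strings."""
    return tuple(int(p) for p in v.strip().split("."))


def classify(platform: str, version: str) -> str:
    """Return 'affected', 'fixed', 'older' or 'unknown' for one installed client."""
    platform = platform.lower()
    if platform not in AFFECTED:
        return "unknown"      # PWA or unrecognised platform: not an Electron build
    if version.strip() in AFFECTED[platform]:
        return "affected"     # named in the alert: remove and reinstall
    fixed = FIXED[platform]
    if fixed is None:
        return "unknown"      # no vendor fix listed for this platform yet
    try:
        return "fixed" if parse_version(version) >= parse_version(fixed) else "older"
    except ValueError:
        return "unknown"      # unparseable version string


def triage(rows):
    """Group host names by classification so affected installs are actioned first."""
    result = {"affected": [], "fixed": [], "older": [], "unknown": []}
    for name, platform, version in rows:
        result[classify(platform, version)].append(name)
    return result


if __name__ == "__main__":
    # Constructed sample inventory for illustration only.
    sample = [("pc-01", "windows", "18.12.416"), ("pc-02", "windows", "18.12.422"),
              ("mac-01", "macos", "18.12.402"), ("mac-02", "macos", "18.12.420")]
    for bucket, names in triage(sample).items():
        print(f"{bucket:>8}: {', '.join(names) or '-'}")
```

An "older" result means a Windows build below 18.12.422 that the alert does not name as affected; it still should be brought up to the fixed build.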

Beyond the formal app update, Trend Micro also has some supplementary detection/protection patterns that may provide additional protection against further potential exploitation.

Preventative Rules, Filters & Detection

Trend Micro Web Reputation Services (WRS) Protection

As outlined in our blog, several domains were identified as malicious command-and-control (C&C) endpoints that impacted systems were observed attempting to contact. Trend Micro has blocked all of the known domains, and all Trend Micro products with Web Reputation protection block communication to these domains.

Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring) for Endpoint and Servers (e.g. Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security w/Anti-malware, etc.), Mail & Gateway (e.g. Cloud App Security, ScanMail for Exchange, IMSVA)

Please note that detailed IOC information, including updated hashes, can be found in our blog.


Additional Information

While 3CX has communicated that it believes this was part of a sophisticated targeted attack with specific targets, and that the vast majority of systems showing evidence of the malicious code were not actually infected, we believe it is prudent to err on the side of caution, as the situation appears to be fluid.

Cybersecurity experts, including Trend Micro Research, are continuing to monitor, investigate and apply learnings to additional recommendations for customers who believe that they may have been impacted.
  • In addition to replacing the affected installer and removing known malicious components from their networks, customers are also strongly advised to review any suspicious or irregular activity and/or communication, both internally and outbound from their network.
  • If you have any reason to believe that you may have been adversely impacted, consider updating critical credentials, including but not limited to applying 2FA where applicable and changing key passwords.

Trend Micro will continue to provide updates and additional recommendations and guidance as more information becomes available.

