The support team for 3CX, the VoIP/PBX software provider with more than 600,000 customers and 12 million daily users, was aware its desktop app was being flagged as malware, but decided to take no action for a week when it learned it was on the receiving end of a massive supply chain attack, a thread on the company’s community forum shows.
“Is anyone else seeing this issue with other A/V vendors?” one company customer asked on March 22, in a post titled “Threat alerts from SentinelOne for desktop update initiated from desktop client.” The customer was referring to an endpoint malware detection product from security firm SentinelOne. Included in the post were some of SentinelOne’s suspicions: the detection of shellcode, code injection to other process memory space, and other trademarks of software exploitation.
Is anyone else seeing this issue with other A/V vendors?
Post Exploitation
Penetration framework or shellcode was detected
Evasion
Indirect command was executed
Code injection to other process memory space during the target process’ initialization
\Device\HarddiskVolume4\Users\**USERNAME**\AppData\Local\Programs\3CXDesktopApp\3CXDesktopApp.exe
SHA1 e272715737b51c01dc2bed0f0aee2bf6feef25f1I’m also getting the same trigger when attempting to redownload the app from the web client ( 3CXDesktopApp-18.12.416.msi ).
Defaulting to trust
Other users quickly jumped in to report receiving the same warnings from their SentinelOne software. They all reported receiving the warning while running 18.0 Update 7 (Build 312) of the 3CXDesktopApp for Windows. Users soon decided the detection was a false positive triggered by a glitch in the SentinelOne product. They created an exception to allow the suspicious app to run without interference. On Friday, a day later, and again on the following Monday and Tuesday, more users reported receiving the SentinelOne warning.