cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Video conferencing app Electron compromised by North Korean backdoor in legitimate executable

A popular Windows and Mac video conferencing app has been found to include a malicious backdoor in an otherwise legitimate software library.

user icon David Hollingworth
Fri, 31 Mar 2023
Video conferencing app Electron compromised by backdoor in legitimate executable
expand image

Numerous security researchers have reported the vulnerability, and the creators of the afflicted 3CXDesktopApp executable, 3CX, are working to find out how the malware was introduced into its software.

“The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via Git,” said Pierre Jourdan, 3CX’s chief information security officer. “We’re still researching the matter to be able to provide a more in-depth response later today.”

The company currently believes it has fallen victim to a state-sponsored threat actor.


“This appears to have been a targeted attack from an advanced persistent threat, perhaps even state-sponsored,” Jourdan said in a blog post, “that ran a complex supply chain attack and picked who would be downloading the next stages of their malware”.

While 3CX has remained quiet about the identity of the hacker, CrowdStrike believes the group to be Labyrinth Chollima, which has connections to the regime in North Korea.

Researchers at Rapid7 found the malicious payload dropped a suite of files, ultimately downloading code from GitHub. GitHub has since closed the account and banned the user.

Rapid7 currently suggests that users remove all versions of 3CXDesktopApp from all devices and perform a thorough search for any indicators of compromise. Rapid7’s researchers have found the malicious installer in a number of networks in the wild, and have reached out to those users to offer support.

“Several analyses have attributed the threat campaign to state-sponsored threat actors, and security firms have observed malicious activity in both Windows and Mac environments,” Rapid7 noted.

3CX is working on a new version of its app but recommends that users, in the meantime, take advantage of the company’s web offering, which remains secure.

“Not only is software component transparency critical, via, for example, SBOM disclosure, but over time, organisations will find themselves increasingly being asked for assurances, including evidence from their end users that software is developed in suitably secured environments and security best practices are followed,” said Michael White, director of solution strategy at Synopsys.

“I predict we will also see the rise of a chief product security officer as a new and critical role at many organisations, and likely similar software supply chain initiatives emerge across large enterprises to help avoid and protect against these kinds of risk.”

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.