Riskware/Sphone_XC3

Analysis

Riskware/Sphone_XC3 is a generic detection for a compromised application, referenced as 3CX; the classification is synonymous with Generic PUA or Generic PUP.
Since this is a generic detection, files detected as Riskware/Sphone_XC3 may exhibit varying behaviour.
Below are some of its observed characteristics/behaviours:

  • Files detected as Riskware/Sphone_XC3 have been associated with the Sphone_XC3 outbreak.

  • Riskware/Sphone_XC3 covers compromised installer files that potentially weaken a user's security. The installers shipped with malicious DLLs alongside clean copies of the application. On execution, the application attempts to sideload the malicious DLLs, e.g. "d3[removed]_7.dll" and "ff[removed]g.dll", on the user's computer.

  • The affected application may perform malicious actions, such as acting as an information stealer.

  • The affected application is distributed for multiple operating systems: Mac, Windows and Linux.

  • This malware has been associated with the following third-party article/advisory:
    https://www.3cx.com/blog/news/desktopapp-security-alert/
    
  • Following are some of the near/exact IOCs (file hashes) associated with this detection:
    • Md5: 0eeb1c0133eb4d571178b2d9d14ce3e9
      Sha256: 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983
    • Md5: f3d4144860ca10ba60f7ef4d176cc736
      Sha256: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
    • Md5: bb915073385dd16a846dfa318afa3c19
      Sha256: dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc
    • Md5: 9833a4779b69b38e3e51f04e395674c6
      Sha256: fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405
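
The hash pairs above are the actionable part of this entry. The sweep below is an added example, not Fortinet's or 3CX's code: it streams MD5 and SHA-256 over installer and DLL files under a directory and reports hits against the page's IOC list, distinguishing an exact pair match from a SHA-256-only or MD5-only match (MD5 alone is collision-prone, so an MD5-only hit should be confirmed by SHA-256 before anything is quarantined). The directory to sweep, the file-suffix filter and the sample files built by demo_scan() are assumptions and constructed data, not real samples.

```python
"""
Hash-based IOC sweep for the Riskware/Sphone_XC3 (3CX) indicators.

Added example; this is not Fortinet's or 3CX's code. The IOC hashes are the
ones listed on this page. The suffix filter, the directory to sweep and the
sample files written by demo_scan() are assumptions / constructed data.
"""
import hashlib
import tempfile
from pathlib import Path

# IOC pairs copied from the page: MD5 -> SHA-256 of the same file.
SPHONE_XC3_IOCS = {
    "0eeb1c0133eb4d571178b2d9d14ce3e9":
        "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983",
    "f3d4144860ca10ba60f7ef4d176cc736":
        "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868",
    "bb915073385dd16a846dfa318afa3c19":
        "dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc",
    "9833a4779b69b38e3e51f04e395674c6":
        "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405",
}

# Assumed artefact types worth hashing: installers and DLLs that a loader could sideload.
INTERESTING_SUFFIXES = {".exe", ".msi", ".dll", ".dmg", ".deb", ".appimage"}


def hash_bytes(data):
    """Return (md5, sha256) hex digests of an in-memory blob."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, streaming so a large installer is never fully loaded."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def classify(md5, sha256, iocs):
    """Map a file's digests onto the IOC list.

    'exact'        both digests match the same IOC pair
    'sha256-only'  SHA-256 matches (still a strong hit)
    'md5-only'     only MD5 matches; MD5 is collision-prone, confirm by SHA-256 before acting
    None           no hit
    """
    md5_hit = md5 in iocs
    sha_hit = sha256 in iocs.values()
    if md5_hit and iocs[md5] == sha256:
        return "exact"
    if sha_hit:
        return "sha256-only"
    if md5_hit:
        return "md5-only"
    return None


def scan_directory(root, iocs=SPHONE_XC3_IOCS, suffixes=INTERESTING_SUFFIXES):
    """Walk root and return one record per file whose digests hit the IOC list."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        md5, sha256 = hash_file(path)
        kind = classify(md5.lower(), sha256.lower(), iocs)
        if kind:
            hits.append({"path": str(path), "md5": md5, "sha256": sha256, "match": kind})
    return hits


def demo_scan():
    """Sweep a throw-away directory of constructed files (made-up content, not real 3CX artefacts)."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = Path(tmp) / "sideloaded_a.dll"   # hypothetical name; content is made up
        planted.write_bytes(b"constructed sample, not a real 3CX artefact")
        collided = Path(tmp) / "sideloaded_b.dll"  # only its MD5 will be on the list
        collided.write_bytes(b"another constructed sample")
        (Path(tmp) / "clean.dll").write_bytes(b"benign content")
        (Path(tmp) / "notes.txt").write_bytes(b"skipped: not an interesting suffix")

        # Extend the page's list with the constructed files' digests so the demo has hits.
        iocs = dict(SPHONE_XC3_IOCS)
        p_md5, p_sha = hash_file(planted)
        iocs[p_md5] = p_sha
        c_md5, _ = hash_file(collided)
        iocs[c_md5] = "0" * 64  # deliberately wrong SHA-256: simulates an MD5-only match

        return [(Path(h["path"]).name, h["match"]) for h in scan_directory(tmp, iocs)]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # assumed usage: python sweep.py <directory>
        for hit in scan_directory(sys.argv[1]):
            print(f"{hit['match']:12} {hit['sha256']}  {hit['path']}")
    else:
        print(demo_scan())
```

Run it against the directory where the desktop client was installed or where the installer was downloaded; an "exact" or "sha256-only" hit is grounds for the quarantine step in the Recommended Action section, while an "md5-only" hit only tells you to look closer.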

Outbreak Alert

Security researchers observed that the threat actors abused popular business communication software from 3CX. The reports mention that a version of the 3CX VoIP (Voice over Internet Protocol) desktop client was trojanized and is being used to attack multiple organizations.

View the full Outbreak Alert Report

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2024-01-22 92.00882
2023-11-20 91.08976
2023-10-03 91.07527
2023-06-19 91.04347
2023-05-09 91.03107
2023-05-09 91.03106
2023-05-01 91.02867
2023-04-20 91.02543
2023-04-20 91.02541
2023-04-03 91.02020