VoIP communications company 3CX was hacked on Wednesday night, distributing Windows desktop applications containing Trojan horses in a massive supply chain attack.
The attackers exploited a 10-year-old Windows vulnerability, so the trojanized executable still appeared to be legitimately signed. To make matters worse, Microsoft removed the patch from Windows 11.
Microsoft released the patch long ago, but devices were never required to install it; it remained an "optional update".
The attackers replaced two DLLs used by the Windows desktop application; once a device runs the trojanized application, it downloads further malware such as information-stealing Trojans.
According to the report, one of the DLL files, d3dcompiler_47.dll, is a legitimate Microsoft-signed DLL, but the attackers modified it by appending an encrypted malicious payload at the end of the file.
Even while the device is running this malware, Windows still reports the file as officially signed by Microsoft.
Microsoft first disclosed this vulnerability on December 10, 2013, explaining that content could be added to the Authenticode signature section of a signed executable (the WIN_CERTIFICATE structure) without invalidating the signature.
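To make the last point concrete from the defender's side, the following added example (not code from the original article, 3CX or Microsoft) parses a PE file's attribute certificate table and flags any WIN_CERTIFICATE entry that carries bytes beyond the end of its PKCS#7 blob, which is exactly the space the vulnerability lets an attacker fill without invalidating the signature. The PE header offsets and the WIN_CERTIFICATE layout follow the PE/COFF specification; `FAKE_PKCS7`, `build_win_certificate` and `build_sample_pe` are constructed test fixtures, not real signatures or binaries, and the rule that a legitimate signer leaves at most seven zero padding bytes after the DER blob is an assumption made here.

```python
import struct
import sys

# WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType (little-endian)
WIN_CERT_HEADER = struct.Struct("<IHH")
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_DIRECTORY_ENTRY_SECURITY = 4

# Constructed stand-in for a PKCS#7 SignedData blob (a 16-byte DER SEQUENCE), not a real signature.
FAKE_PKCS7 = bytes.fromhex("300e06092a864886f70d010702a00100")


def der_total_length(data: bytes) -> int:
    """Length in bytes of the outermost DER element (tag + length field + content)."""
    if len(data) < 2:
        raise ValueError("blob too short to be DER")
    first = data[1]
    if first < 0x80:                     # short-form length
        return 2 + first
    n = first & 0x7F                     # long-form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def locate_cert_table(pe: bytes) -> bytes:
    """Return the raw attribute certificate table of a PE file (b'' if unsigned)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 vs PE32+
    # For the security directory the "VirtualAddress" field is a raw file offset.
    off, size = struct.unpack_from("<II", pe, dd_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
    if off == 0 or size == 0:
        return b""
    return pe[off:off + size]


def inspect_cert_table(table: bytes) -> list:
    """Check each WIN_CERTIFICATE entry for data beyond the end of its PKCS#7 blob."""
    findings, off = [], 0
    while off + WIN_CERT_HEADER.size <= len(table):
        dw_len, rev, ctype = WIN_CERT_HEADER.unpack_from(table, off)
        if dw_len < WIN_CERT_HEADER.size or off + dw_len > len(table):
            raise ValueError("WIN_CERTIFICATE entry overruns the table")
        cert = table[off + WIN_CERT_HEADER.size: off + dw_len]
        asn1_len = der_total_length(cert) if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA else len(cert)
        trailing = cert[asn1_len:]
        # Assumption: a well-formed signer leaves at most 7 zero bytes of alignment padding.
        suspicious = len(trailing) >= 8 or any(trailing)
        findings.append({"offset": off, "revision": rev, "type": ctype, "declared_len": dw_len,
                         "asn1_len": asn1_len, "trailing_bytes": len(trailing),
                         "suspicious": suspicious})
        off += (dw_len + 7) & ~7          # entries are 8-byte aligned
    return findings


def build_win_certificate(pkcs7: bytes, appended: bytes = b"") -> bytes:
    """Constructed fixture: wrap a blob (plus optional appended data) in a WIN_CERTIFICATE."""
    body = pkcs7 + appended
    body += b"\0" * (-len(body) % 8)
    return WIN_CERT_HEADER.pack(WIN_CERT_HEADER.size + len(body),
                                WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


def build_sample_pe(cert_table: bytes) -> bytes:
    """Constructed fixture: minimal PE32 header skeleton whose security directory points at cert_table."""
    e_lfanew = 0x40
    opt = e_lfanew + 24
    hdr = bytearray(opt + 96 + 16 * 8)   # fixed optional header plus 16 data directories
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, opt, 0x10B)                # PE32 magic
    struct.pack_into("<I", hdr, opt + 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                     len(hdr), len(cert_table))
    return bytes(hdr) + cert_table


if __name__ == "__main__":
    if len(sys.argv) > 1:                # inspect a real signed file given on the command line
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:                                # otherwise demonstrate on the constructed tampered sample
        data = build_sample_pe(build_win_certificate(FAKE_PKCS7, b"PLACEHOLDER-APPENDED-DATA"))
    for entry in inspect_cert_table(locate_cert_table(data)):
        print(entry)
```

Run against a real signed binary, the script reports one dictionary per WIN_CERTIFICATE entry; a `suspicious` entry means the certificate table holds more than the signed PKCS#7 structure and alignment padding, which the Authenticode check described above would not catch on an unpatched system.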