Some of the victims affected by the 3CX supply chain attack also had their systems backdoored with the Gopuram malware, with the threat actors specifically targeting cryptocurrency companies with this additional malicious payload.
VoIP communication company 3CX has been compromised by North Korean threat actors tracked as Lazarus Group to infect the company’s customers with trojanized versions of its Windows and macOS desktop apps in a large-scale supply chain attack.
In this attack, the attackers replaced two DLLs used by the Windows desktop application with malicious versions that would download additional malware onto computers, such as an information-stealing Trojan.
Since then, Kaspersky has discovered that the Gopuram backdoor, previously used by the Lazarus hacking group against cryptocurrency companies since at least 2020, was also deployed as a second-stage payload in the same incident on the systems of a limited number of affected 3CX customers.
Gopuram is a modular backdoor that can be used by its operators to manipulate the Windows registry and services, timestomp files to evade detection, inject payloads into already running processes, load unsigned Windows drivers using an open-source kernel driver utility, and perform partial user management via the net command on infected devices.
“The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the threat actor Lazarus with medium to high confidence. We believe Gopuram is the main implant and final payload in the attack chain,” Kaspersky researchers said.
The number of Gopuram infections worldwide increased in March 2023, with the attackers dropping a malicious library (wlbsctrl.dll) and an encrypted shellcode payload (.TxR.0.regtrans-ms) onto the systems of cryptocurrency companies impacted by the 3CX supply chain attack.
Kaspersky researchers found that attackers used Gopuram with precision, only deploying it to less than ten infected machines, suggesting that attackers’ motivation may be financial and focused on these companies.
“As far as the victims in our telemetry are concerned, installations of the infected 3CX software are located around the world, with the highest infection numbers seen in Brazil, Germany, Italy and France,” the Kaspersky experts added.
“As the Gopuram backdoor was deployed on less than ten infected machines, this indicates that the attackers used Gopuram with surgical precision. We also observed that the attackers have a specific interest in cryptocurrency companies.”
Customers have been prompted to upgrade to the PWA web client
3CX confirmed that its 3CXDesktopApp Electron-based desktop client was compromised to include malware a day after news of the attack first surfaced on March 29, and more than a week after several customers reported alerts that the software was being flagged as malicious by security software.
The company now advises customers to uninstall the Electron desktop application from all Windows and macOS systems (a script for mass uninstallation of the application across networks is available here) and to switch to the Progressive Web Application (PWA) client.
As BleepingComputer reported a few days after the incident (now tracked as CVE-2023-29059) came to light, the threat actors behind it exploited a 10-year-old Windows vulnerability (CVE-2013-3900) to make it appear that the malicious DLLs used to drop additional payloads were legitimately signed.
The same vulnerability was previously used to infect Windows computers with the Zloader banking malware, which is capable of stealing user credentials and private information.
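The signature trick described above works because the Authenticode hash does not cover the PE certificate table, so bytes appended inside the WIN_CERTIFICATE entry after the PKCS#7 blob leave the signature intact on systems without the CVE-2013-3900 padding check. The following is an added example (not code from the article, Kaspersky, or 3CX) showing how a defender can flag such trailing bytes; the function names `authenticode_trailing_bytes` and `build_pe` are hypothetical, and the PE image and PKCS#7 blob are constructed stand-ins, not real signed files.

```python
import struct

def _der_length(buf: bytes, pos: int) -> int:
    """Total size (header + content) of the DER TLV starting at buf[pos]."""
    first = buf[pos + 1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    return 2 + n + int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def authenticode_trailing_bytes(pe: bytes) -> int:
    """Count bytes smuggled after the PKCS#7 blob inside the WIN_CERTIFICATE.

    0 = clean, -1 = unsigned. Heuristic check only, not a WinVerifyTrust replacement.
    """
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    assert pe[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    opt = e_lfanew + 24                                  # optional header follows COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+ data directories
    sec_off, sec_size = struct.unpack_from("<II", pe, dd_base + 4 * 8)  # SECURITY entry
    if sec_off == 0 or sec_size == 0:
        return -1
    dw_length = struct.unpack_from("<I", pe, sec_off)[0]
    blob = pe[sec_off + 8:sec_off + dw_length]           # bCertificate field
    if not blob or blob[0] != 0x30:                      # SignedData is a DER SEQUENCE
        return -1
    pkcs7_len = _der_length(blob, 0)
    extra = blob[pkcs7_len:]
    allowed = (-pkcs7_len) % 8                           # legitimate zero padding to 8 bytes
    if len(extra) <= allowed and not any(extra):
        return 0
    return len(extra.rstrip(b"\0"))

def build_pe(pkcs7: bytes, appended: bytes = b"") -> bytes:
    """Constructed, non-loadable PE32 header plus one WIN_CERTIFICATE (demo only)."""
    e_lfanew, opt_size = 0x40, 224                       # PE32 optional header, 16 directories
    cert_off = e_lfanew + 24 + opt_size
    body = pkcs7 + appended
    pad = (-len(body)) % 8
    win_cert = struct.pack("<IHH", 8 + len(body) + pad, 0x0200, 0x0002) + body + b"\0" * pad
    hdr = bytearray(cert_off)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, e_lfanew + 24, 0x10B)
    struct.pack_into("<II", hdr, e_lfanew + 24 + 96 + 32, cert_off, len(win_cert))
    return bytes(hdr) + win_cert

FAKE_PKCS7 = b"\x30\x82\x01\x00" + b"\xa0" * 256         # constructed stand-in for SignedData
```

A non-zero result on a file that still passes signature verification is a strong indicator that the certificate table is being used as a data container; on hardened Windows systems the same file fails verification outright.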
3CX claims that its 3CX Phone System has over 12 million daily users and is used by over 600,000 businesses worldwide.
Its customer list includes leading companies and organizations such as American Express, Coca-Cola, McDonald’s, Air France, IKEA, the UK’s National Health Service and several car manufacturers, including BMW, Honda, Toyota and Mercedes-Benz.