3CX Supply Chain Attack Compromised Cryptocurrency Companies

In this attack, the attackers replaced two DLLs used by the Windows desktop app with malicious versions.


Some of the victims of the 3CX supply chain attack had their systems backdoored with Gopuram malware, with threat actors targeting cryptocurrency companies, particularly with this additional malicious payload. 

In a large-scale supply chain attack, North Korean threat actors known as Lazarus Group compromised VoIP communications company 3CX and infected the company's customers with trojanized versions of its Windows and macOS desktop apps. In this attack, the attackers substituted two DLLs used by the Windows desktop app with malicious versions that would download additional malware, such as an information-stealing trojan, to computers.

Since then, Kaspersky has found that the Gopuram backdoor, which the Lazarus group has used against cryptocurrency companies since at least 2020, was also deployed as a second-stage payload on the systems of a small number of affected 3CX customers in the same incident.

Gopuram is a modular backdoor that enables its operators to modify the Windows registry and services, perform file timestomping to avoid detection, inject payloads into already running processes, load unsigned Windows drivers using the open-source Kernel Driver Utility, and perform partial user management on infected devices via the net command.

"The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence. We believe that Gopuram is the main implant and the final payload in the attack chain," Kaspersky researchers said.

In March 2023, the attackers dropped a malicious library (wlbsctrl.dll) and an encrypted shellcode payload (.TxR.0.regtrans-ms) on the systems of cryptocurrency companies affected by the 3CX supply chain attack, raising the global number of Gopuram infections.

Kaspersky researchers found that the attackers used Gopuram selectively, deploying it on fewer than ten infected machines, which suggests a financial motive focused on such businesses.

"As for the victims in our telemetry, installations of the infected 3CX software are located all over the world, with the highest infection figures observed in Brazil, Germany, Italy and France," Kaspersky experts added.

"As the Gopuram backdoor has been deployed to less than ten infected machines, it indicates that attackers used Gopuram with surgical precision. We additionally observed that the attackers have a specific interest in cryptocurrency companies."

One day after news of the attack broke on March 29, and more than a week after multiple customers had reported that security software was flagging the app as malicious, 3CX confirmed that its Electron-based 3CXDesktopApp desktop client had been compromised and infected with malware.

Customers are now advised to uninstall the Electron desktop app from all Windows and macOS systems (a script for mass uninstalling the app across networks is available here) and to use the progressive web application (PWA) Web Client App instead. A group of security researchers has created and released a web-based tool to determine whether a specific IP address has been impacted by the March 2023 supply chain attack against 3CX.

"Identification of potentially impacted parties is based on lists of IP addresses that were interacting with malicious infrastructure," the development team explains.

According to BleepingComputer, the threat actors behind the incident (now tracked as CVE-2023-29059) exploited a 10-year-old Windows vulnerability (CVE-2013-3900) to make it appear that the malicious DLLs used to drop additional payloads were legitimately signed.
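The flaw referenced above is the WinVerifyTrust signature-validation weakness (CVE-2013-3900): data appended to a signed PE file's Authenticode signature blob does not invalidate the signature unless Windows is told to check for it. Microsoft's fix is opt-in, so a defender's first check is whether the stricter setting is actually present. The PowerShell below is an added example for this article, not code from 3CX, Kaspersky or BleepingComputer; the registry paths and the REG_SZ value `EnableCertPaddingCheck` are the ones Microsoft documents for this mitigation, and the function names are this example's own.

```powershell
# Added example: audit and enable the opt-in Authenticode padding check for
# CVE-2013-3900. Both paths are needed on 64-bit Windows so that 32-bit and
# 64-bit callers of WinVerifyTrust are covered.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

function Get-CertPaddingCheckState {
    # One object per path. Enabled is $true only when the REG_SZ value
    # EnableCertPaddingCheck exists and is exactly "1"; a missing value is
    # the default (weak) state, where appended bytes are ignored.
    foreach ($p in $paths) {
        $value = (Get-ItemProperty -Path $p -Name EnableCertPaddingCheck `
                    -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        [pscustomobject]@{
            Path    = $p
            Value   = $value
            Enabled = ($value -eq '1')
        }
    }
}

function Enable-CertPaddingCheck {
    # Hardened state: the value must be the string "1" (REG_SZ), not a DWORD.
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        New-ItemProperty -Path $p -Name EnableCertPaddingCheck `
            -PropertyType String -Value '1' -Force | Out-Null
    }
}

# Audit first, then apply (requires an elevated session) and re-audit.
Get-CertPaddingCheckState | Format-Table -AutoSize
Enable-CertPaddingCheck
Get-CertPaddingCheckState | Format-Table -AutoSize

# With the check on, re-verify business-critical signed binaries, for example:
# Get-AuthenticodeSignature -FilePath 'C:\Program Files\Vendor\app.exe'
```

Because the stricter check rejects any signed file with extra data after its signature blob, a small number of legitimate installers that store data in that padding will start to fail validation; test on a representative set of endpoints before rolling the setting out fleet-wide.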

The same flaw has been used to infect Windows computers with Zloader banking malware, which is capable of stealing user credentials and personal data. According to 3CX, its 3CX Phone System is used by over 600,000 businesses worldwide and has over 12 million daily users.

Customers include American Express, Coca-Cola, McDonald's, Air France, IKEA, the United Kingdom's National Health Service, and several automakers, including BMW, Honda, Toyota, and Mercedes-Benz.