Cryptocurrency companies backdoored in 3CX supply chain attack

Some of the victims affected by the 3CX supply chain attack have also had their systems backdoored with Gopuram malware, with the threat actors specifically targeting cryptocurrency companies with this additional malicious payload.

VoIP communications company 3CX was compromised by North Korean threat actors tracked as Lazarus Group to infect the company's customers with trojanized versions of its Windows and macOS desktop apps in a large-scale supply chain attack.

In this attack, the attackers replaced two DLLs used by the Windows desktop app with malicious versions that would download additional malware to computers, like an information-stealing trojan.

Since then, Kaspersky has discovered that the Gopuram backdoor previously used by the Lazarus hacking group against cryptocurrency companies since at least 2020, was also deployed as a second-stage payload in the same incident into the systems of a limited number of affected 3CX customers.

Gopuram is a modular backdoor that can be used by its operators to manipulate the Windows registry and services, perform file timestomping to evade detection, inject payloads into already running processes, load unsigned Windows drivers using the open-source Kernel Driver Utility, as well as partial user management via the net command on infected devices.

"The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence. We believe that Gopuram is the main implant and the final payload in the attack chain," Kaspersky researchers said.

The number of Gopuram infections worldwide increased in March 2023, with the attackers dropping a malicious library (wlbsctrl.dll) and an encrypted shellcode payload (.TxR.0.regtrans-ms) on the systems of cryptocurrency companies impacted by the 3CX supply chain attack.

Kaspersky researchers found that the attackers used Gopuram with precision, deploying it only on less than ten infected machines, suggesting the attackers' motivation may be financial and with a focus on such companies.

"As for the victims in our telemetry, installations of the infected 3CX software are located all over the world, with the highest infection figures observed in Brazil, Germany, Italy and France," Kaspersky experts added.

"As the Gopuram backdoor has been deployed to less than ten infected machines, it indicates that attackers used Gopuram with surgical precision. We additionally observed that the attackers have a specific interest in cryptocurrency companies."

There are multiple facts indicating that the threat actor behind 3CX and Gopuram is Lazarus. For example, we observed Gopuram to be deployed together with AppleJeus, a backdoor attributed to Lazarus. Also, Lazarus is known to have a specific interest in cryptocurrency companies.

— Georgy Kucherin (@kucher1n) April 3, 2023

Customers asked to switch to PWA web client

3CX has confirmed its 3CXDesktopApp Electron-based desktop client was compromised to include malware one day after news of the attack first surfaced on March 29 and more than a week after multiple customers reported alerts that the software was being tagged as malicious by security software.

The company now advises customers to uninstall the Electron desktop app from all Windows and macOS systems (a script for mass uninstalling the app across networks is available here) and to switch to the progressive web application (PWA) Web Client App.

A group of security researchers has developed and released a web-based tool to detect if a specific IP address has been potentially impacted by the March 2023 supply chain attack against 3CX.

"Identification of potentially impacted parties is based on lists of IP addresses that were interacting with malicious infrastructure," the development team explains.

As BleepingComputer reported days after the incident (now tracked as CVE-2023-29059) was disclosed, the threat actors behind it exploited a 10-year-old Windows vulnerability (CVE-2013-3900) to make it appear that the malicious DLLs used to drop additional payloads were legitimately signed.

The same vulnerability has been used to infect Windows computers with Zloader banking malware capable of stealing user credentials and private information

3CX says its 3CX Phone System has over 12 million users daily and is used by over 600,000 companies worldwide.

Its customer list includes high-profile companies and organizations like American Express, Coca-Cola, McDonald's, Air France, IKEA, the UK's National Health Service, and multiple automakers, including BMW, Honda, Toyota, and Mercedes-Benz.