Some of the victims affected by the 3CX supply chain attack have also had their systems backdoored with Gopuram malware, with the threat actors specifically targeting cryptocurrency companies with this additional malicious payload.
VoIP communications company by North Korean threat actors tracked as to infect the company’s customers with trojanized versions of its Windows and macOS desktop apps in a large-scale supply chain attack.
In this attack, the attackers replaced two DLLs used by the Windows desktop app with malicious versions that would download additional malware to computers, like an information-stealing trojan.
Since then, Kaspersky has discovered that the Gopuram backdoor previously used by the Lazarus hacking group against cryptocurrency companies since at least 2020, was also deployed as a second-stage payload in the same incident into the systems of a limited number of affected 3CX customers.
Gopuram is a modular backdoor that can be used by its operators to manipulate the Windows registry and services, perform file to evade detection, inject payloads into already running processes, load unsigned Windows drivers using the open-source , as well as partial user management via the net command on infected devices.
“The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence. We believe that Gopuram is the main implant and the final payload in the attack chain,” .
The number of Gopuram infections worldwide increased in March 2023, with the attackers dropping a malicious library (wlbsctrl.dll) and an encrypted shellcode payload (.TxR.0.regtrans-ms) on the systems of cryptocurrency companies impacted by the 3CX supply chain attack.
Kaspersky researchers found that the attackers used Gopuram with precision, deploying it only on less than ten infected machines, suggesting the attackers’ motivation may be financial and with a focus on such companies.
“As for the victims in our telemetry, installations of the infected 3CX software are located all over the world, with the highest infection figures observed in Brazil, Germany, Italy and France,” Kaspersky experts added.
“As the Gopuram backdoor has been deployed to less than ten infected machines, it indicates that attackers used Gopuram with surgical precision. We additionally observed that the attackers have a specific interest in cryptocurrency companies.”
Customers asked to switch to PWA web client
3CX has confirmed its 3CXDesktopApp Electron-based desktop client was compromised to include malware one day after first surfaced on March 29 and more than a week after multiple customers reported alerts that the software was being tagged as malicious by security software.
The company to uninstall the Electron desktop app from all Windows and macOS systems (a script for mass uninstalling the app across networks is available ) and to switch to the progressive web application (PWA) Web Client App.
As BleepingComputer reported days after the incident (now tracked as ) was disclosed, the threat actors behind it (CVE-2013-3900) to make it appear that the malicious DLLs used to drop additional payloads were legitimately signed.
The same vulnerability has been used to infect Windows computers capable of stealing user credentials and private information
3CX says its 3CX Phone System has over 12 million users daily and is used by over 600,000 companies worldwide.
Its includes high-profile companies and organizations like American Express, Coca-Cola, McDonald’s, Air France, IKEA, the UK’s National Health Service, and multiple automakers, including BMW, Honda, Toyota, and Mercedes-Benz.