On March 29, a 3CX supply chain attack was reported, which raised concerns among security experts worldwide. Researchers from the leading cyber security intelligence firm, Kaspersky, analyzed available reports on this campaign and reviewed their own telemetry.
Kaspersky investigated the attack via 3CXDesktopApp, a popular VoIP program. They observed a suspicious Dynamic Link Library (DLL) that was loaded into the infected 3CXDesktopApp.exe process, and they identified a backdoor named “Gopuram” that was used in the attack.
Gopuram has been tracked internally since 2020, but the number of infections began to increase in March 2023. Further investigation revealed that Gopuram coexisted on victim machines with AppleJeus, a backdoor attributed to the North Korean hacking group Lazarus.
3CX software is installed all over the world, with Brazil, Germany, Italy, and France having the highest infection rates. Despite this, Gopuram has been deployed on fewer than ten machines, demonstrating surgical precision on the part of the attackers. Kaspersky also noted that the attackers have a specific interest in cryptocurrency companies.
Georgy Kucherin, a security expert at Kaspersky's GReAT, commented: “infostealer is not the only malicious payload deployed during the 3CX supply chain attack. The threat actor behind Gopuram additionally infects target machines with the fully-fledged modular Gopuram backdoor. We believe that Gopuram is the main implant and the final payload in the attack chain.”
He further added: “Our investigation of the 3CX campaign is ongoing, and we will continue analyzing the deployed implants to find out more details about the toolset used in the supply chain attack.”