Pierluigi Paganini
April 04, 2023
As of Mar 22, 2023, SentinelOne observed a spike in behavioral detections of the 3CXDesktopApp, which is a popular voice and video conferencing software product.
The products from multiple cybersecurity vendors started detecting the popular software as malware suggesting that the company has suffered a supply chain attack.
SentinelOne is tracking the malicious activity as SmoothOperator, the company speculates that the threat actor behind the attack has set up its infrastructure starting as early as February 2022.
The company started distributing digitally signed Trojanized installers to its customers.
The impact of the attack could be devastating because the company claims that 3CX has 600,000 customer companies with 12 million daily users. The software is used by organizations in almost every industry, including automotive, food & beverage, hospitality, Managed Information Technology Service Provider (MSP), and manufacturing.
Researchers from Kaspersky discovered that the supply chain attack was used to deliver a backdoor tracked by the Russian firm as Gopuram. The Gopuram backdoor was first discovered by Kaspersky in 2020, but the researchers observed a surge in the number of infections in March 2023, likely coinciding with the attack on 3CX.
While investigating an attack on a Southeast Asian cryptocurrency company in 2020, the researchers noticed the presence of the AppleJeus backdoor on systems infected with Gopuram backdoor. AppleJeus is known to be a backdoor used by North Korea-linked Lazarus APT Group.
The Gopuram backdoor was employed in other attacks on organizations in the cryptocurrency industry, which is aligned with the interests of the Lazarus threat actor.
Upon executing the Gopuram backdoor, the malware connects to a C2 server and await further commands. The backdoor is able to launch at least eight in-memory modules.
“The backdoor implements commands that allow the attackers to interact with the victim’s file system and create processes on the infected machine. Gopuram was additionally observed to launch in-memory modules.” reads the analysis published by Kaspersky. “Just like the implants used in the 3CX campaign, Gopuram’s modules are DLL files that include an export function named DllGetClassObject. We have observed eight modules so far:”
The experts attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence based on the involvement of the Gopuram backdoor.
Kaspersky analyzed other implants that used the same loader shellcode as the 3CX implants, and discovered a sample on a multiscanner service loading a payload that connects to the wirexpro[.]com C2 server. The wirexpro[.]com C2 server is included in the list of IoC published in December by Malwarebytes for the AppleJeus backdoor.
Kaspersky states that the Gopuram backdoor has been deployed to less than ten infected machines, a circumstance that confirms the use of the malware in highly targeted attacks.
Installations of the tainted 3CX software were observed all over the world, most of the infections were observed in Brazil, Germany, Italy and France.
“As it turns out, the infostealer is not the only malicious payload deployed during the 3CX supply chain attack. The threat actor behind Gopuram additionally infects target machines with the full-fledged modular Gopuram backdoor. We believe that Gopuram is the main implant and the final payload in the attack chain.” concludes Kaspersky.
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
Please nominate Security Affairs as your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, 3CX Supply chain)
