A 3CX supply chain attack that was reported on March 29 worried security professionals all over the world. Researchers from the top cyber security intelligence company, Kaspersky, examined their own telemetry and the reports that were already available on this campaign.
Kaspersky investigated the attack via 3CXDesktopApp, a popular VoIP program. They observed a suspicious Dynamic Link Library (DLL) that was loaded into the infected 3CXDesktopApp.exe process. They have identified a backdoor named “Gopuram” that was used in the attack.
Gopuram has been monitored internally since 2020, but it wasn’t until March 2023 that the incidence of infections started to rise. Further investigation revealed that AppleJeus, a backdoor attributed to the North Korean hacking group Lazarus, coexisted with Gopuram on victim computers.
3CX softwares are installed all over the world, with Brazil, Germany, Italy, and France having the highest infection rates. Gopuram has only been deployed on less than ten machines, demonstrating surgical precession from attackers.
The attackers have a specific interest in cryptocurrency companies. Georgy Kucherin, a security expert at GReAT, Kaspersky’s investigation of the 3CX campaign is ongoing and they will continue analyzing the deployed implants to find out more details about the toolset used in the supply chain attack.
Compiled by Coinbold
