Cryptocurrency companies affected by the 3CX supply chain attack are infected with the Gopuram backdoor, which delivers additional malware to targeted devices.
In March, the Lazarus Group carried out a cyberattack on 3CX, a company providing VoIP telephony services. During the campaign, the firm's clients were infected with trojanized versions of the 3CX desktop applications for Windows and macOS in a large-scale supply chain attack.
In this attack, the attackers replaced two DLLs used by the Windows desktop application with malicious versions that downloaded information-stealing trojans.
Recently, Kaspersky Lab discovered that the Gopuram backdoor, which the Lazarus group has used against crypto companies since at least 2020, has also been deployed as a second-stage payload in attacks against 3CX clients.
Gopuram is a modular backdoor that performs the following functions:
- Manipulating the registry and Windows services;
- Changing the date of a binary file (timestomping) to avoid detection;
- Payload injection into running processes;
- Loading unsigned Windows drivers using the open source Kernel Driver Utility;
- Partial control of the infected device via the “net” command.
New Gopuram infections made it possible to attribute the attack on 3CX to the Lazarus group. Kaspersky Lab researchers believe that Gopuram is the main implant and the final-stage payload in the 3CX attack chain. In March 2023, the number of Gopuram infections increased around the world: attackers delivered a malicious library (wlbsctrl.dll) and encrypted shellcode (.TxR.0.regtrans-ms) to the systems of cryptocurrency companies affected by the 3CX supply chain attack.
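The two file names above, together with the timestomping capability in the list of backdoor functions, are the concrete artefacts a defender can hunt for. The following script is an added example for this page, not Kaspersky's or 3CX's code: it runs over a file inventory of the kind a forensic triage tool or an EDR file-listing export produces and flags wlbsctrl.dll outside the Windows system directory, the .TxR.0.regtrans-ms name anywhere, and two common timestomping indicators (whole-second $STANDARD_INFORMATION timestamps, and an $SI creation time earlier than the kernel-maintained $FILE_NAME creation time). The record layout, the system-directory list and the sample inventory are all constructed for the example.

```python
"""Hunt a Windows file inventory for the Gopuram artefacts named in the article.

Added example (not code from the article, Kaspersky or 3CX). Record layout,
SYSTEM_DIRS and SAMPLE_INVENTORY are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import PureWindowsPath
from typing import Optional

# Assumption: default Windows install paths; extend for non-standard layouts.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


@dataclass
class FileRecord:
    path: str
    si_created: datetime                      # $STANDARD_INFORMATION creation time
    si_modified: datetime                     # $STANDARD_INFORMATION last-write time
    fn_created: Optional[datetime] = None     # $FILE_NAME creation time, if the parser exposes it


@dataclass
class Finding:
    path: str
    reasons: list[str] = field(default_factory=list)


def _in_system_dir(path: PureWindowsPath) -> bool:
    return str(path.parent).lower() in SYSTEM_DIRS


def _timestomp_reasons(rec: FileRecord) -> list[str]:
    """Heuristic timestomping indicators; results need analyst triage."""
    reasons: list[str] = []
    # Tools that rewrite timestamps through SetFileTime-style APIs commonly
    # write whole seconds, leaving the sub-second part at zero, while genuine
    # NTFS writes almost always carry a non-zero fraction.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("zero sub-second component on $SI timestamps")
    # $FILE_NAME timestamps are kernel-maintained, so an $SI creation time that
    # predates the $FN creation time means $SI was rolled back after the fact.
    if rec.fn_created is not None and rec.si_created < rec.fn_created:
        reasons.append("$SI creation predates $FN creation")
    return reasons


def hunt(records: list[FileRecord]) -> list[Finding]:
    """Return one Finding per record that matches an artefact name or a timestomping heuristic."""
    findings: list[Finding] = []
    for rec in records:
        p = PureWindowsPath(rec.path)
        name = p.name.lower()
        reasons: list[str] = []
        if name == "wlbsctrl.dll" and not _in_system_dir(p):
            reasons.append("wlbsctrl.dll outside Windows system directory")
        if name == ".txr.0.regtrans-ms":
            reasons.append("Gopuram shellcode container name .TxR.0.regtrans-ms")
        reasons += _timestomp_reasons(rec)
        if reasons:
            findings.append(Finding(rec.path, reasons))
    return findings


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample inventory (not real telemetry). The second record imitates a
# dropped library whose $SI times were set back to a round 2020 timestamp.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Windows\System32\wlbsctrl.dll",
               _ts("2022-11-02T08:14:03.412731"), _ts("2022-11-02T08:14:03.412731")),
    FileRecord(r"C:\ProgramData\example\wlbsctrl.dll",
               _ts("2020-03-10T12:00:00"), _ts("2020-03-10T12:00:00"),
               fn_created=_ts("2023-03-22T03:41:19.001123")),
    FileRecord(r"C:\Windows\System32\config\TxR\.TxR.0.regtrans-ms",
               _ts("2023-03-22T03:41:20.771001"), _ts("2023-03-22T03:41:20.771001")),
    FileRecord(r"C:\Users\dev\Documents\notes.txt",
               _ts("2023-01-05T09:22:41.118233"), _ts("2023-02-11T17:03:08.552910")),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_INVENTORY):
        print(f.path)
        for r in f.reasons:
            print("   -", r)
```

The name checks are exact matches on the artefacts the article reports; the timestomping checks are generic heuristics and will also surface benign files (installer-copied binaries often carry whole-second timestamps), so treat them as triage leads rather than verdicts.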
Telemetry showed that devices worldwide were infected, with the highest rates of infection observed in Brazil, Germany, Italy and France. Because the Gopuram backdoor was deployed on fewer than 10 infected machines, the attacks appear to be targeted, and the attackers appear to have a particular interest in cryptocurrency companies.