Threat Actors Drops Malware Backdoor from 3CX Attack

  |  Source: 
Financial Services

Threat Actors Drops Malware Backdoor from 3CX Attack

Category: Threat Actor Activity | Industry: Financial Services | Level: Tactical | Source: Kaspersky

Kaspersky researchers have identified a malware backdoor dubbed "Gopuram" that was dropped by threat actors abusing the 3CXDesktopApp application, which was affected by the recent 3CX supply chain compromise. The researchers had been tracking Gopuram malware for the past few years and noticed an uptick in March coinciding with the 3CX supply chain attack. The leading suspect behind the 3CX campaign is the North Korean-aligned threat group known as Lazarus group (aka Labyrinth Chollima), and the Gopuram backdoor appears to have been used specifically to target cryptocurrency organizations.

The attack starts with the 3CXDesktopApp MSI installer, but different DLL files and shellcode payloads are used to create a malware backdoor deviating from the initial endgame of 3CX attacks, which was browser information-stealing malware. The Gopuram backdoor is designed in a modular way, allowing its operators to manipulate various aspects of a Windows system. These capabilities include modifying the Windows registry and services, carrying out file timestomping to avoid detection, injecting payloads into running processes, loading unsigned Windows drivers using the open-source Kernel Driver Utility, and partially managing users on infected devices using the net command.

According to Kaspersky's report, "installations of the infected 3CX software are located all over the world, with the highest infection figures observed in Brazil, Germany, Italy and France. As the Gopuram backdoor has been deployed to less than ten infected machines, it indicates that attackers used Gopuram with surgical precision." Developments from the 3CX campaign are continuing to evolve, with Kaspersky's analysis identifying infostealers as not the only payload dropped in the attack.

Anvilogic Scenario:

  • 3CX Attack Chain

Anvilogic Use Cases:

  • MSIExec Install MSI File
  • 3CXDesktopApp.exe Execution
  • Stored Credentials from Web Browsers - Windows

Get trending threats published weekly by the Anvilogic team.

Sign Up Now