Kaspersky experts analyzed the supply chain attack carried out via the popular VoIP program 3CXDesktopApp and installed an infostealer or backdoor. During the analysis, they found a suspicious dynamic link library (DLL) on one computer, which was loaded into the infected 3CXDesktopApp.exe process.
Kaspersky experts launched an investigation into a case related to this DLL on March 21, about a week before the discovery of the supply chain attack. This DLL was used in deployments of the "Gopuram" backdoor and has been monitored by Kaspersky since 2020. Furthermore, the analysis shows that Gopuram coexists on computers that were attacked with AppleJeus. AppleJeus is one Backdoor dedicated to Korean-language threat actor Lazarus is attributed.
The BSI – Federal Office for Information Security, has now issued a warning about the app for the VoIP program 3CX Desktop. The Office has also registered that after successful installation connects to a Command and Control server (C&C server) builds up and further malware is reloaded.
Germany in the largest group
Installations of the infected 3CX software are found worldwide, however, Brazil, Germany, Italy and France have the most cases. Gopuram, on the other hand, was observed on fewer than ten computers, suggesting that attackers are highly targeted with the backdoor. The attackers appear to have a particular interest in cryptocurrency companies.
"Infostealer is not the only malicious payload deployed during the attack," explains Georgy Kucherin, security researcher in Kaspersky's Global Research and Analysis Team (GReAT). “The threat actor behind Gopuram additionally infects target computers with the full-featured, modular Gopuram backdoor. We believe Gopuram is the main implant and final payload in the attack chain. Our investigation is ongoing and we will analyze the implants used in more detail to find out more details about the toolset used in the supply chain attack.”
More at Kaspersky.com
About Kaspersky Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250.000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/