A small number of the organizations compromised in the supply chain attack against 3CX not only had the main infostealer malware installed in their environments, but also a fully featured backdoor that has been seen in known intrusions by the Lazarus Group in recent years.
The backdoor is known as Gopuram, and researchers from Kaspersky discovered that a handful of the companies hit in the 3CX compromise were also infected with it. Many of those companies are in the cryptocurrency ecosystem, which is a prime target for the Lazarus Group. The researchers have been tracking Gopuram since 2020 and have seen it used in past attacks on cryptocurrency companies. They identified its presence on some of the machines compromised through the 3CX attack by finding a specific DLL on those computers.
“As we reviewed available reports on the 3CX attack, we began wondering if the compromise concluded with the infostealer or further implants followed. To answer that question, we decided to review the telemetry we had on the campaign. On one of the machines, we observed a DLL named guard64.dll, which was loaded into the infected 3CXDesktopApp.exe process,” the Kaspersky researchers wrote in an analysis of the Gopuram backdoor.
“Interestingly enough, we opened an investigation into a case linked to that DLL on March 21, about a week before the supply chain attack was discovered. A DLL with that name was used in recent deployments of a backdoor that we dubbed ‘Gopuram’ and had been tracking internally since 2020.”
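The observation the researchers describe, a DLL named guard64.dll loaded into 3CXDesktopApp.exe, can be hunted for in image-load telemetry. The following is an added example, not code from Kaspersky or 3CX: it assumes Sysmon Event ID 7 records exported as flattened JSON lines, and every host name and path in the sample is constructed.

```python
import json
import ntpath

# Names taken from the Kaspersky quote above. A file name alone is a weak
# indicator, so hits are triage leads rather than confirmed infections.
HOST_PROCESS = "3cxdesktopapp.exe"
SUSPECT_DLL = "guard64.dll"

# Constructed sample: Sysmon Event ID 7 (image load) records flattened to
# JSON lines. Field names follow Sysmon; hosts and paths are made up.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Computer": "ws-01", "Image": "C:\\Apps\\3CXDesktopApp\\3CXDesktopApp.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 7, "Computer": "ws-02", "Image": "C:\\Apps\\3CXDesktopApp\\3CXDESKTOPAPP.EXE", "ImageLoaded": "C:\\ProgramData\\example\\Guard64.dll"}
{"EventID": 7, "Computer": "ws-03", "Image": "C:\\Tools\\other.exe", "ImageLoaded": "C:\\ProgramData\\example\\guard64.dll"}
{"EventID": 1, "Computer": "ws-04", "Image": "C:\\Apps\\3CXDesktopApp\\3CXDesktopApp.exe"}
{"EventID": 7, "Computer": "ws-05", "Image": "C:\\Apps\\trunc
"""

def triage_image_loads(lines):
    """Return (host, level, process_path) for each load of the suspect DLL.

    level is "high" when the loading process is 3CXDesktopApp.exe, and
    "review" when the same DLL name shows up in any other process.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(ev, dict) or ev.get("EventID") != 7:
            continue  # only image-load events are relevant here
        # ntpath parses Windows paths correctly on any analysis host.
        dll = ntpath.basename(str(ev.get("ImageLoaded", ""))).lower()
        if dll != SUSPECT_DLL:
            continue
        proc = ntpath.basename(str(ev.get("Image", ""))).lower()
        level = "high" if proc == HOST_PROCESS else "review"
        findings.append((ev.get("Computer"), level, ev.get("Image")))
    return findings

if __name__ == "__main__":
    for host, level, image in triage_image_loads(SAMPLE_EVENTS.splitlines()):
        print(f"{level:6} {host} {image}")
```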
The attack on 3CX became public last week when security companies began seeing indications that the company’s voice and video calling app for Windows had been compromised. 3CX eventually disclosed that two versions of the Windows app and four versions of the macOS app had been compromised and were being used to install malicious code on victims’ machines. The early analyses of the attack found that the main payload of the compromised app was an infostealer that was collecting specific data and exfiltrating it.
But some researchers thought that there could have been another payload involved in the intrusions.
“As it turns out, the infostealer is not the only malicious payload deployed during the 3CX supply chain attack. The threat actor behind Gopuram additionally infects target machines with the full-fledged modular Gopuram backdoor. We believe that Gopuram is the main implant and the final payload in the attack chain,” the Kaspersky researchers said.
“The job of the main module is to connect to a C2 server and request commands. The backdoor implements commands that allow the attackers to interact with the victim’s file system and create processes on the infected machine. Gopuram was additionally observed to launch in-memory modules.”
Several research groups have attributed the 3CX attack to North Korean actors, specifically a group that CrowdStrike calls Labyrinth Chollima and that is related to the Lazarus Group. The Kaspersky researchers said that the presence of the Gopuram backdoor leaves little doubt as to the attackers’ identity.
“The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence,” the researchers said.
“As the Gopuram backdoor has been deployed to less than ten infected machines, it indicates that attackers used Gopuram with surgical precision. We additionally observed that the attackers have a specific interest in cryptocurrency companies.”