The adversary behind the supply chain attack targeting 3CX deployed a second-stage implant specifically singling out a small number of cryptocurrency companies.
Russian cybersecurity firm Kaspersky, which has been internally tracking the versatile backdoor under the name Gopuram since 2020, said it observed an increase in the number of infections in March 2023 coinciding with the 3CX breach.
Gopuram’s primary function is to connect to a command-and-control (C2) server and await further instructions that allow the attackers to interact with the victim’s file system, create processes, and launch as many as eight in-memory modules.
The backdoor’s links to North Korea stem from the fact that it “co-existed on victim machines with AppleJeus, a backdoor attributed to the Korean-speaking threat actor Lazarus,” detailing an attack on an unnamed crypto firm located in Southeast Asia in 2020.
The targeting of cryptocurrency companies is another telltale sign of the Lazarus Group’s involvement, given the threat actor’s recurring focus on the financial industry to generate illicit profits for the sanctions-hit nation.
Kaspersky further said it identified a C2 overlap with a server (“wirexpro[.]com”) that was previously identified as employed in an AppleJeus campaign documented by Malwarebytes in December 2022.
“As the Gopuram backdoor has been deployed to less than ten infected machines, it indicates that attackers used Gopuram with surgical precision,” the company pointed out, adding the highest infection rates have been detected in Brazil, Germany, Italy, and France.
While the attack chain discovered so far entails the use of rogue installers to distribute an information stealer (known as ICONIC Stealer), the latest findings suggest that the ultimate goal of the campaign may have been to infect targets with the full-fledged modular backdoor.
That said, it’s not known how successful the campaign has been, and if it has led to the actual theft of sensitive data or cryptocurrency. It, however, raises the possibility that ICONIC Stealer was used as a reconnaissance utility to cast a wide net and identify targets of interest for follow-on exploitation.
The development comes as BlackBerry revealed that “the initial phase of this operation took place somewhere between the end of summer and the beginning of fall 2022.”
A majority of the attack attempts, per the Canadian company, have been registered in Australia, the U.S., and the U.K., with healthcare, pharma, IT, and finance emerging as the top targeted sectors.
It’s currently unclear how the threat actor obtained initial access to the 3CX network, and if it entailed the exploitation of a known or unknown vulnerability. The compromise is being tracked under the identifier CVE-2023-29059.
Evidence collected to date indicates that the attackers poisoned 3CX’s development environment and delivered trojanized versions of the legitimate app to the company’s downstream customers in a SolarWinds or Kaseya-like supply chain attack.
One of the malicious components responsible for retrieving the info-stealer, a library named “d3dcompiler_47.dll,” has also been spotted weaponizing a 10-year-old Windows flaw (CVE-2013-3900) to incorporate encrypted shellcode without invalidating its Microsoft-issued signature.
A point worth noting here is that the same technique was adopted by a ZLoader malware campaign unearthed by Israeli cybersecurity firm Check Point Research in January 2022.
Multiple versions of the desktop app – 18.12.407 and 18.12.416 for Windows and 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 for macOS – have been impacted. 3CX has since pinned the attack on a “highly experienced and knowledgeable hacker.”
CrowdStrike has tied the incident to a North Korea-aligned nation-state group it tracks under the moniker Labyrinth Chollima, a sub-cluster within the Lazarus Group.