
Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack

2023-04-03, Kaspersky
https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/
#SmoothOperator #SupplyChain #3CXDesktopApp #Gopuram


On March 29, CrowdStrike published a report about a supply chain attack conducted via 3CXDesktopApp, a popular VoIP program. Since then, the security community has been analyzing the attack and sharing its findings. The following has been discovered so far:
- The infection is spread via trojanized 3CXDesktopApp MSI installers. An installer for macOS has also been trojanized.
- The malicious installation package contains an infected DLL that decrypts shellcode from the overlay of the d3dcompiler_47.dll library and executes it.
- The decrypted payload extracts C2 server URLs from icon files stored in a GitHub repository (the repository has since been removed).
- The payload connects to one of the C2 servers, downloads an infostealer and runs it.
- The infostealer collects system information and browser history, then sends them to the C2 server.
As we reviewed available reports on the 3CX attack, we began wondering if the compromise concluded with the infostealer or further implants followed. To answer that …

IoC
