Everyday is lazarus.dayβ

Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack

2023-04-03, Kaspersky
#SmoothOperator #SupplyChain #3CXDesktopApp #Gopuram


On March 29, CrowdStrike published a report about a supply chain attack conducted via 3CXDesktopApp, a popular VoIP program. Since then, the security community has been analyzing the attack and sharing its findings. The following has been discovered so far:
- The infection is spread via trojanized 3CXDesktopApp MSI installers. An installer for macOS has also been trojanized.
- The malicious installation package contains an infected DLL that decrypts shellcode from the overlay of the d3dcompiler_47.dll library and executes it.
- The decrypted payload extracts C2 server URLs from icon files stored in a GitHub repository (the repository has since been removed).
- The payload connects to one of the C2 servers, downloads an infostealer and starts it.
- The infostealer collects system information and browser history, then sends them to the C2 server.
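The shellcode stage above hides in the overlay of d3dcompiler_47.dll, that is, in bytes appended after the last section the PE headers describe. A quick triage check is therefore to compute where the sections end and see how much data trails them. The catch a practitioner needs to handle is that a signed binary legitimately carries an overlay: the Authenticode certificate table (data directory entry 4, whose "VirtualAddress" is a file offset) lives there, so only overlay bytes not covered by that table are worth a second look. The script below is an added example, not code from the Kaspersky or lazarus.day pages and not tied to any 3CX sample; `pe_overlay` and `build_sample_pe` are names chosen here, and the PE the test builds is a constructed stand-in, not a real DLL.

```python
import struct
import sys


def pe_overlay(data: bytes) -> dict:
    """Return overlay information for a PE image held in memory.

    The overlay is everything past the end of the last section's raw data.
    The Authenticode certificate table (IMAGE_DIRECTORY_ENTRY_SECURITY, index 4)
    normally occupies the overlay of a signed file, so the bytes it does not
    cover are reported separately as 'bytes_outside_cert'.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4                      # COFF file header, 20 bytes
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at offset 96 (PE32) or 112 (PE32+) of the optional header.
    dd_off = opt + (112 if magic == 0x20B else 96)
    # Entry 4 is the security directory; its first field is a raw file offset.
    cert_off, cert_size = struct.unpack_from("<II", data, dd_off + 4 * 8)

    sections = opt + opt_size                # section table, 40 bytes per entry
    end_of_sections = 0
    for i in range(num_sections):
        sec = sections + i * 40
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)

    overlay = data[end_of_sections:]
    covered = 0
    if cert_size:
        # Portion of the certificate table that lies inside the file and inside the overlay.
        covered = max(0, min(cert_off + cert_size, len(data)) - max(cert_off, end_of_sections))
    return {
        "overlay_offset": end_of_sections,
        "overlay_size": len(overlay),
        "cert_offset": cert_off,
        "cert_size": cert_size,
        "bytes_outside_cert": len(overlay) - covered,
    }


def build_sample_pe(cert: bytes = b"", extra: bytes = b"") -> bytes:
    """Construct a minimal PE32+ image (one section, headers padded to 512 bytes).

    This is a constructed stand-in for testing, not a real DLL: 'cert' is placed
    where a certificate table would be and 'extra' is appended after it, which is
    the shape of a signed binary with foreign data tacked on.
    """
    headers = bytearray(512)
    headers[0:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 64)           # e_lfanew
    headers[64:68] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (240 for PE32+), Characteristics (DLL)
    struct.pack_into("<HHIIIHH", headers, 68, 0x8664, 1, 0, 0, 0, 240, 0x2022)
    struct.pack_into("<H", headers, 88, 0x20B)          # PE32+ magic
    section_raw = 512
    if cert:
        struct.pack_into("<II", headers, 88 + 112 + 4 * 8, section_raw + 512, len(cert))
    # Section table at 88 + 240: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<8sIIII", headers, 328, b".text\0\0\0", 512, 0x1000, 512, section_raw)
    return bytes(headers) + b"\xcc" * 512 + cert + extra


if __name__ == "__main__":
    # Usage: python pe_overlay.py <path to d3dcompiler_47.dll or any PE>
    with open(sys.argv[1], "rb") as fh:
        print(pe_overlay(fh.read()))
```

A non-zero `bytes_outside_cert` on a Windows system DLL is not proof of tampering on its own (some packers and installers append data too), but it is exactly the condition the trojanized library would show and is cheap to check across a fleet; compare the suspect file's overlay size with a known-clean copy of the same version before drawing conclusions.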
As we reviewed the available reports on the 3CX attack, we began wondering whether the compromise ended with the infostealer or whether further implants followed. To answer that …