Massive 3CX Supply-Chain Attack Let Hackers Inject Backdoor on Crypto Firms

Researchers from Kaspersky Labs uncovered a new wave of 3CX supply chain attacks targeting cryptocurrency companies to implant Gopuram.

A supply chain attack previously reported has been conducted via 3CXDesktopApp, a popular VoIP program and desktop client that allows users to Make calls, send voice messages, chat, schedule a video conference, and more.

So far, 3CX supply chain attacks known for Spread infection via 3CXDesktopApp MSI installers, decrypted payload extracts C2 server URLs, download an info stealer from C2 and collects system information and browser history sent to C2.

To dig deeper, researchers reviewed the telemetry and found a DLL named guard64.dll, loaded into the infected 3CXDesktopApp.exe process.

Is Lazarus Threat Actors Behind it?

Based on the activities and the evidence collected during the investigation, researchers believe the backdoor is attributed to the Korean-speaking threat actor Lazarus.

During the earlier analysis, the Gopuram backdoor was found on victim machines with AppleJeus, which infected the cryptocurrency company in Southeast Asia.

In another fact, The Gopuram backdoor has been observed in attacks on cryptocurrency companies, which is aligned with the interests of the Lazarus threat actor.

Also, researchers found loader shellcode used in 3CX and AppleJeus, concluding that this Gopuram backdoor has a strong attribution with the Lazarus threat group.

Gopuram Backdoor Technical Analysis

While analyzing the telemetry data, researchers found a DLL named guard64.dll loaded into the weaponized 3CXDesktopApp.exe process and the same DLL observed in the recent backdoor deployment dubbed as “Gopuram.” that was linked with AppleJeus.

Since 2020, the Gopuram backdoor has infected a few victims, and a recent spike was observed in March 2023. It found that the backdoor was directly linked with the 3CX supply chain attack that predominantly targeted cryptocurrency companies.

Initially, threat actors dropped the following files on the infected machines.

• C:Windowssystem32wlbsctrl.dll, a malicious library (MD5: 9f85a07d4b4abff82ca18d990f062a84);
• C:WindowsSystem32configTxR<machine hardware profile GUID>.TxR.0.regtrans-ms, an encrypted shellcode payload.

The Kaspersky report states, “Once dropped, wlbsctrl.dll becomes loaded on every startup by the IKEEXT service via DLL hijacking. We further saw DLLs with the names ualapi.dll and ncobjapi.dll being sideloaded into spoolsv.exe and svchost.exe, respectively.”

To make the analysis more difficult, attackers are tricky letting decryption perform through the CryptUnprotectData API function that uses a different encryption key for every machine that won’t let researchers decrypt the payload without having physical access.

A Library wlbsctrl.dll library is responsible for decrypting and executing the shellcode, and also, the compound loaded by this library is Gopuram’s main module. Its job is to connect to a C2 server and request commands.

Once the backdoor successfully takes its place, it implements commands that allow the attackers to interact with the victim’s file system and create processes on the infected machine. 

As for the victims in our telemetry, installations of the infected 3CX software are located worldwide, with the highest infection figures observed in Brazil, Germany, Italy, and France. Researchers said.

Indicators of compromise

MD5 hashes
9f85a07d4b4abff82ca18d990f062a84

96d3bbf4d2cf6bc452b53c67b3f2516a

Network Security Checklist – Download Free E-Book

Related Read:

PHP Supply Chain Attack – Critical Vulnerability in PHP Central Component

Russian Government Websites Hacked in a Supply Chain Attack

How Do You Defend Against Software Supply Chain Attacks?

North Korean APT Actor Lazarus Attacks Defense Industry, Develops Supply Chain Attack Capabilities