A digitally signed, trojanized version of the 3CX Voice over Internet Protocol (VoIP) desktop client is the vehicle of an ongoing supply chain attack. 3CX, the VoIP IPBX software developer, says its 3CX Phone System is used by over 600,000 companies worldwide, with 12 million daily users.
The company was attacked by North Korean threat actors tracked as the Lazarus Group, who infected the company’s customers with trojanized versions of its Windows and macOS desktop apps. The attackers replaced two DLLs used by the Windows desktop app with malicious versions that download additional malware onto the affected computers.
Kaspersky has since discovered that the Gopuram backdoor, previously used by the Lazarus hacking group against cryptocurrency companies since 2020, was also deployed as a second-stage payload into a limited number of affected 3CX customers.
Some of the victims of the 3CX supply chain attack had their systems backdoored with Gopuram, an additional payload aimed specifically at cryptocurrency companies. Operators use Gopuram to manipulate the Windows registry and services, evade detection, inject payloads into already running processes, load unsigned Windows drivers using the open-source Kernel Driver Utility, and perform partial user management via the net command on infected devices.
Kaspersky researchers found that the attackers used Gopuram with precision, deploying it on fewer than ten infected machines, which suggests the motivation is financial and focused on cryptocurrency companies.
3CX confirmed that its Electron-based 3CXDesktopApp desktop client was compromised and alerted customers more than a week after multiple customers reported that the software was being flagged as malicious by security software. The company advises uninstalling the Electron desktop app from all Windows and macOS systems and switching to the progressive web application (PWA) Web Client App.
A group of security researchers developed a web-based tool to detect if a specific IP address has been potentially impacted by the supply chain attack against 3CX.
“Identification of potentially impacted parties is based on lists of IP addresses that were interacting with malicious infrastructure,” the development team explains.
The attackers exploited a 10-year-old Windows vulnerability (CVE-2013-3900) to make it appear that the malicious DLLs used to drop additional payloads were legitimately signed.
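CVE-2013-3900 concerns how Windows validates Authenticode signatures: bytes appended inside the WIN_CERTIFICATE blob, after the PKCS#7 SignedData structure it carries, are not covered by the signature, so a file can be altered there while WinVerifyTrust still reports a valid signature. A defender can check for that condition directly by comparing the length the certificate entry declares with the length the DER-encoded PKCS#7 structure actually occupies. The following is an added example, not code from the article or from 3CX or Kaspersky; it parses a PE file's security directory and flags entries whose trailing bytes are anything other than short zero alignment padding. The `build_sample_pe` helper constructs a minimal, non-functional PE32+ image with a stand-in certificate blob purely so the scanner can be exercised offline.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # bCertificateType for Authenticode PKCS#7 data
SECURITY_DIR_INDEX = 4                    # IMAGE_DIRECTORY_ENTRY_SECURITY


def der_element_length(blob: bytes, offset: int = 0) -> int:
    """Total size (tag + length bytes + content) of the DER element at `offset`."""
    first = blob[offset + 1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    content = int.from_bytes(blob[offset + 2:offset + 2 + n], "big")
    return 2 + n + content


def find_security_directory(pe: bytes):
    """Return (file_offset, size) of the security directory, or None if absent."""
    if pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                    # optional header follows 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):        # PE32 / PE32+
        return None
    dirs = opt + (112 if magic == 0x20B else 96)   # start of the data-directory table
    va, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR_INDEX)
    # Unlike other directories, this VirtualAddress is a raw file offset.
    return (va, size) if size else None


def check_authenticode_padding(cert_table: bytes):
    """Walk every WIN_CERTIFICATE entry and measure data past the end of its PKCS#7 DER."""
    findings = []
    off = 0
    while off + 8 <= len(cert_table):
        dw_length, revision, cert_type = struct.unpack_from("<IHH", cert_table, off)
        if dw_length < 8 or off + dw_length > len(cert_table):
            break                          # malformed table; stop rather than read past it
        payload = cert_table[off + 8:off + dw_length]
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and payload[:1] == b"\x30":
            der_len = der_element_length(payload)      # SignedData is a top-level SEQUENCE
            trailing = payload[der_len:]
            findings.append({
                "revision": revision,
                "declared_length": dw_length,
                "pkcs7_length": der_len,
                "trailing_bytes": len(trailing),
                # Legitimate signing tools leave at most a few zero bytes of alignment padding.
                "suspicious": any(trailing) or len(trailing) >= 8,
            })
        off += (dw_length + 7) & ~7        # entries are 8-byte aligned
    return findings


def scan_pe(pe: bytes):
    """Convenience wrapper: locate the security directory in a PE image and check it."""
    loc = find_security_directory(pe)
    if loc is None:
        return []
    start, size = loc
    return check_authenticode_padding(pe[start:start + size])


def build_sample_pe(trailing: bytes) -> bytes:
    """Constructed minimal PE32+ image (headers only, not loadable) whose security
    directory holds one WIN_CERTIFICATE wrapping a stand-in DER SEQUENCE plus `trailing`."""
    opt_size = 240                         # PE32+ optional header with 16 data directories
    hdr = bytearray(0x40 + 4 + 20 + opt_size)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    opt = 0x40 + 24
    struct.pack_into("<H", hdr, opt, 0x20B)            # PE32+ magic
    struct.pack_into("<I", hdr, opt + 108, 16)         # NumberOfRvaAndSizes
    der = b"\x30\x04\x02\x02\x12\x34"                  # stand-in for the PKCS#7 SignedData blob
    body = der + trailing
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    cert += b"\x00" * (-len(cert) % 8)                 # align the table to 8 bytes
    struct.pack_into("<II", hdr, opt + 112 + 8 * SECURITY_DIR_INDEX, len(hdr), len(cert))
    return bytes(hdr) + cert


if __name__ == "__main__":
    clean = build_sample_pe(b"\x00\x00")               # ordinary alignment padding
    tampered = build_sample_pe(b"CONSTRUCTED_TRAILING_DATA")
    print("clean   :", scan_pe(clean))
    print("tampered:", scan_pe(tampered))
```

To run it against a real binary, read the file into `bytes` and pass it to `scan_pe`; a non-empty `trailing_bytes` count with `suspicious` set is the padding condition the CVE describes, and the file deserves a closer look even though signature tools report it as validly signed. On the host side, Microsoft's published hardening for this CVE is opt-in: setting the `EnableCertPaddingCheck` value to `1` under `HKLM\Software\Microsoft\Cryptography\Wintrust\Config` (and the matching `Wow6432Node` path on 64-bit Windows) makes WinVerifyTrust reject signatures with such trailing data.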
The company’s customers include American Express, Coca-Cola, McDonald’s, Air France, IKEA, the UK’s National Health Service, and such automakers as BMW, Honda, Toyota, and Mercedes-Benz.