Cybersecurity firm Kaspersky reported that the supply chain attack installed backdoors on computers around the world but activated them on fewer than 10 of those machines. It added that the deployment showed a particular interest in cryptocurrency companies.
Cybersecurity firm CrowdStrike reported on March 29 that it had detected malicious activity originating from the 3CX softphone application 3CXDesktopApp, which is sold to enterprise customers. The malicious activity it detected included "beacons to actor-controlled infrastructure, deployment of second-stage payloads, and in a few cases, hands-on keystroke activity."
Kaspersky said it suspects the involvement of a North Korean-linked threat actor, Labyrinth Chollima. 3CX said of the infection: "This appears to be a targeted attack from an advanced persistent threat, possibly even state-sponsored, that runs a sophisticated supply chain attack and chooses who will download the next stage of its malware."
Kaspersky said it was already investigating a dynamic link library (DLL) found in one of the infected 3CXDesktopApp.exe files. That DLL has been used to deliver the Gopuram backdoor, although Gopuram was not the only malicious payload deployed in the attack. Kaspersky added that Gopuram has previously been found co-existing with the AppleJeus backdoor, which is attributed to the North Korean Lazarus group.
Infected 3CX software has been detected around the world, with Brazil, Germany, Italy, and France seeing the highest numbers of infections. However, Kaspersky said Gopuram had been deployed on fewer than 10 computers, which it described as "surgical precision." Kaspersky has in the past found a Gopuram infection at a Southeast Asian cryptocurrency firm. It cites the vendor as saying that the 3CX app is used by more than 600,000 companies, including several major brands. The infected application was signed with a DigiCert certificate, so a valid code signature alone would not have flagged it.
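The "beacons to actor-controlled infrastructure" that CrowdStrike describes are the kind of behaviour a defender can hunt for in proxy or EDR network telemetry even when the binary itself is validly signed: a compromised application tends to call the same destination at a fixed cadence, while legitimate user-driven traffic is irregular. The script below is an added example written for this page, not code from Kaspersky, CrowdStrike or 3CX, and it does not encode any real 3CX indicators. The log lines are constructed, the destination addresses are from documentation ranges, and the 0.1 jitter threshold and 4-event minimum are assumptions a team would tune against its own baseline.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real telemetry): "<timestamp> <host> <process> <dest:port>".
# The 3CXDesktopApp.exe rows fire roughly every 300 s; the chrome.exe rows are irregular.
SAMPLE_LOG = """\
2023-03-29T10:00:00Z host1 3CXDesktopApp.exe 203.0.113.10:443
2023-03-29T10:05:01Z host1 3CXDesktopApp.exe 203.0.113.10:443
2023-03-29T10:10:00Z host1 3CXDesktopApp.exe 203.0.113.10:443
2023-03-29T10:15:02Z host1 3CXDesktopApp.exe 203.0.113.10:443
2023-03-29T10:19:59Z host1 3CXDesktopApp.exe 203.0.113.10:443
2023-03-29T10:25:00Z host1 3CXDesktopApp.exe 203.0.113.10:443
2023-03-29T10:00:13Z host1 chrome.exe 198.51.100.5:443
2023-03-29T10:01:40Z host1 chrome.exe 198.51.100.5:443
2023-03-29T10:09:02Z host1 chrome.exe 198.51.100.5:443
2023-03-29T10:09:30Z host1 chrome.exe 198.51.100.5:443
2023-03-29T10:31:00Z host1 chrome.exe 198.51.100.5:443
2023-03-29T10:55:00Z host1 chrome.exe 198.51.100.5:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Group connection timestamps by (host, process, destination), sorted in time."""
    series = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole hunt
        ts, host, proc, dst = m.groups()
        series[(host, proc, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    for key in series:
        series[key].sort()
    return series


def beacon_score(timestamps):
    """Return (median gap in seconds, jitter ratio) for one connection series.

    jitter ratio = population stdev of inter-arrival gaps / median gap.
    A value near 0 means the process contacts the destination on a fixed timer.
    Returns None when there are too few events to form a meaningful cadence.
    """
    if len(timestamps) < 4:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    median = statistics.median(gaps)
    if median <= 0:
        return None  # duplicate timestamps; cannot judge cadence
    return median, statistics.pstdev(gaps) / median


def find_beacons(text, min_events=4, max_jitter=0.1):
    """Return (host, process, dest, median_gap, jitter) for beacon-like series."""
    hits = []
    for key, ts in parse_log(text).items():
        if len(ts) < min_events:
            continue
        score = beacon_score(ts)
        if score is None:
            continue
        median, jitter = score
        if jitter <= max_jitter:
            hits.append((*key, median, jitter))
    return hits


if __name__ == "__main__":
    for host, proc, dst, median, jitter in find_beacons(SAMPLE_LOG):
        print(f"beacon-like: {host} {proc} -> {dst} every ~{median:.0f}s (jitter {jitter:.3f})")
```

On the constructed sample only the 3CXDesktopApp.exe series is flagged (median gap 301 s, jitter well under 0.01), while the browser traffic's wide spread of gaps keeps it out. In practice the hit list is a triage queue, not a verdict: legitimate update checks and telemetry also beacon, so the next step is to compare the flagged destinations against the vendor's documented infrastructure and the process binary's hash against a known-good release.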