Crowdstrike and Kaspersky found an infection in a communications app that delivered a backdoor but said it had been deployed only a few times.
A supply chain attack installed a backdoor in computers around the world but has only been deployed in fewer than 10 computers, cybersecurity company Kaspersky has reported. The deployments showed a particular interest in cryptocurrency companies, it added.
Cybersecurity company Crowdstrike reported on March 29 that it has identified malicious activity on the 3CX softphone app 3CXDesktopApp. The app is marketed to corporate clients. The malicious activity detected included “beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.”
Kaspersky said it suspected the involvement of the North Korea-linked threat actor Labyrinth Chollima. 3CX said of the infection:
“This appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware.”
Kaspersky was already investigating a dynamic link library (DLL) found in one of the infected 3CXDesktopApp.exe files, it said. The DLL in question had been used to deliver the Gopuram backdoor, although it was not the only malicious payload deployed in the attack. Gopuram has been found to coexist with the AppleJeus backdoor attributed to the North Korean Lazarus group, Kaspersky added.
Related: North Korean hackers are pretending to be crypto VCs in new phishing scheme — Kaspersky
Infected 3CX software has been detected around the world, with highest infection figures in Brazil, Germany, Italy and France. Gopuram has been deployed in fewer than ten computers, however, in a display of “surgical precision,” Kaspersky said. It had found a Gopuram infection in a Southeast Asian cryptocurrency company in the past.
If you are looking for a comprehensive overview of the current #3CX supply chain attack, I created a diagram that shows the attack flow!I’ll update as soon as the analysis progresses. Stay tuned for the MacOS edition! #cybersecurity #infosec #supplychainattack #3CXpocalypse pic.twitter.com/ANVLCgExmU
— Thomas Roccia (@fr0gger_) March 31, 2023
The 3CX app is used by over 600,000 companies, including several major brands, Kapersky said, citing the maker. The infected app had DigiCert certification.
Magazine: 4 out of 10 NFT sales are fake: Learn to spot the signs of wash trading