On March 29, a 3CX supply chain attack was reported. Kaspersky researchers analyzed available reports on this campaign and reviewed their own telemetry. On one machine, researchers observed a suspicious Dynamic Link Library (DLL) that was loaded into the infected 3CXDesktopApp.exe process.
Kaspersky experts opened an investigation into a case linked to that DLL on March 21, about a week before the supply chain attack was discove. Kaspersky investigated a supply chain attack conducted via 3CXDesktopApp, a popular VoIP program. The malware behind this attack dubbed Gopuram has been tracked internally since 2020, but the number of infections began to increase in March 2023. The recent report by Kaspersky provides an overview of the Gopuram backdoor with an observation of the latest campaign that has affected enterprises, and, particularly cryptocurrency companies around the world.
red. That DLL was used in deployments of a backdoor that was dubbed “Gopuram” and had been tracked internally since 2020. Three years ago, Kaspersky investigated an infection of a cryptocurrency company located in Southeast Asia. During the investigation, it was found that Gopuram coexisted on victim machines with AppleJeus, a backdoor attributed to the Korean-speaking threat actor Lazarus.
As for the victims in Kaspersky’s telemetry, installations of the infected 3CX software are located all over the world, with the highest infection figures observed in Brazil, Germany, Italy and France. Despite that, Gopuram has been deployed to less than ten machines, which indicates that attackers used this backdoor with surgical precision. Kaspersky additionally observed that the attackers have a specific interest in cryptocurrency companies.