
3CX Supply Chain Attack by Lazarus also Targets Crypto Firms

A few days ago, the international VoIP IPBX software developer 3CX disclosed that the Windows and macOS versions of its desktop app were targeted by a supply chain attack. Recent revelations by research agencies have disclosed the involvement of the Lazarus group in this incident.

The 3CX supply chain attack

Cybersecurity firm Crowdstrike published a report on March 29, disclosing a supply chain attack targeting the VoIP program 3CXDesktopApp. 
  • The attack impacted Windows app versions 18.12.407 and 18.12.416, while the impacted macOS versions are 18.11.1213, 18.12.402, 18.12.407, and 18.12.416. 
  • The issue, identified as CVE-2023-29059, included an infected DLL library. 
  • Upon execution, the malicious DLL extracts the C2 server URL from a GitHub repository, establishes a connection, and downloads an info-stealer that collects system information and browser history.

A worldwide web

Telemetry data shared by Fortinet disclosed that the attacker-controlled infrastructure was spread across Italy (16%), Germany (14%), Austria (12%), the U.S. (11%), South Africa (7%), Australia (6%), Switzerland (5%), Canada (4%), the Netherlands (4%), and the U.K. (3%), among others.

Selective infection with second-stage payloads

Further investigation into the attack has revealed that in addition to the info-stealer, some victims were also infected with an additional second-stage implant.
  • The malicious DLLs used in the 3CXDesktopApp attack were linked with Gopuram and AppleJeus backdoors that are connected to the infamous Lazarus group.
  • Upon infection, Gopuram connects with the C2 server and allows the attacker to access the file system of the infected machine, create new processes, and launch eight additional modules.
  • Attackers deployed Gopuram on less than 10 infected machines, mostly belonging to cryptocurrency companies in Brazil, Germany, Italy, and France.

Attribution

Researchers have attributed the recent 3CX attack to the Lazarus group with high confidence owing to several unique observations. These include the simultaneous use of the Gopuram and AppleJeus backdoors (previously used by Lazarus in 2020), pinpointed attacks on crypto firms, and the use of the domains wirexpro[.]com and oilycargo[.]com for C2, both of which were already attributed to the Lazarus group.
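For defenders, the two actionable facts on this page are the list of trojanized 3CXDesktopApp versions given under "The 3CX supply chain attack" and the two C2 domains named above. The following Python script is an added example (not from the article or from 3CX) that turns both into a simple triage check: it tells you whether an installed build is one of the affected versions, and it scans DNS-query log lines for lookups of the attributed C2 domains, including their subdomains. The DNS log format, the hostnames other than the two C2 domains, and all sample lines are constructed for illustration; only the version list and the two domains come from the page.

```python
"""Defender-side triage helpers for the 3CX supply chain incident (CVE-2023-29059).

The affected-version list and the two C2 domains are taken from the article above.
The DNS log format and every sample log line are constructed for this example.
"""
import re

# Trojanized 3CXDesktopApp builds as listed in the article, keyed by platform.
AFFECTED_VERSIONS = {
    "windows": {"18.12.407", "18.12.416"},
    "macos": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}

# C2 domains attributed to Lazarus in the article, kept defanged as written there;
# refang() turns them into matchable hostnames.
C2_DOMAINS_DEFANGED = ["wirexpro[.]com", "oilycargo[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into 'example.com'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def is_affected(platform: str, version: str) -> bool:
    """Return True when this platform/version pair is one of the trojanized builds."""
    key = platform.strip().lower()
    return version.strip() in AFFECTED_VERSIONS.get(key, set())


def _host_matches_c2(host: str) -> bool:
    # Match the domain itself and any subdomain of it (e.g. cdn.wirexpro.com).
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


# Hypothetical DNS-query log format (an assumption): "<timestamp> <client_ip> query <hostname>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<host>\S+)")


def find_c2_queries(log_lines):
    """Return (timestamp, client_ip, hostname) for every query to a known C2 domain."""
    hits = []
    for line in log_lines:
        m = DNS_LINE.match(line)
        if m and _host_matches_c2(m.group("host")):
            hits.append((m.group("ts"), m.group("client"), m.group("host")))
    return hits


# Constructed sample log lines, not real telemetry. The github.com lookup is
# deliberately included: the loader fetches its C2 URL from GitHub, but GitHub
# itself is not an indicator and must not be flagged.
SAMPLE_LOG = [
    "2023-03-30T10:01:02Z 10.0.0.12 query api.github.com",
    "2023-03-30T10:01:05Z 10.0.0.12 query wirexpro.com",
    "2023-03-30T10:02:17Z 10.0.0.40 query updates.example.org",
    "2023-03-30T10:03:44Z 10.0.0.51 query cdn.oilycargo.com",
]

if __name__ == "__main__":
    print("18.12.407 on Windows affected:", is_affected("windows", "18.12.407"))
    print("18.12.402 on Windows affected:", is_affected("windows", "18.12.402"))
    for hit in find_c2_queries(SAMPLE_LOG):
        print("C2 query:", hit)
```

Note that 18.12.402 is affected only on macOS, so the check is keyed by platform rather than by version alone; a flat version list would produce false positives on Windows hosts. Matching on subdomains is intentional, since malware C2 frequently uses hostnames beneath the registered domain.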

Ending notes

The involvement of Lazarus indicates that the supply chain attack on 3CX was financially motivated and that the group is further enhancing its toolset to target cryptocurrency firms. To counter such threats, experts suggest implementing a collaborative threat intelligence exchange solution that can identify and thwart attacks based on the IOCs in real time.
Publisher: Cyware