Lazarus Group Suspected in 3CX Breach as Second-Stage Backdoor Discovered
April 3, 2023
The cyberattack on 3CX's VoIP desktop application, which led to the distribution of information-stealing software to the company's customers, is believed to have been carried out by the Lazarus Group. Researchers from Kaspersky have discovered a second-stage backdoor, dubbed Gopuram, on systems running compromised versions of the 3CX DesktopApp. The backdoor contains multiple modules that threat actors can use to exfiltrate data, install additional malware, and interact directly with victim systems. Some security researchers now say that the attackers may have exploited a 10-year-old Windows vulnerability (CVE-2013-3900).
Kaspersky identified Gopuram as a backdoor it has been tracking since at least 2020 when it found it installed on a system belonging to a cryptocurrency company in Southeast Asia. At that time, the backdoor was installed alongside another backdoor called AppleJeus, attributed to North Korea's prolific Lazarus Group. In a blog post on April 3, Kaspersky concluded that the attack on 3CX was very likely the work of the same group. "The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence," Kaspersky said.
According to Kaspersky researcher Georgy Kucherin, the purpose of the Gopuram backdoor is to conduct cyber espionage. "Gopuram is a second-stage payload dropped by the attackers" to spy on target organizations, he says. The discovery of the second-stage malware adds another layer to the attack on 3CX, a provider of videoconferencing, PBX, and business communication apps for Windows, macOS, and Linux systems. The company claims that over 600,000 organizations worldwide, with more than 12 million daily users, currently use its 3CX DesktopApp.
On March 30, 3CX CEO Nick Galea and CISO Pierre Jourdan confirmed that attackers had compromised certain Windows and macOS versions of the software to distribute malware. This disclosure came after several security vendors reported observing suspicious activity associated with legitimate, signed updates of the 3CX DesktopApp binary. Investigations showed that the Lazarus Group had compromised two dynamic link libraries (DLLs) in the application's installation package and added malicious code to them. The weaponized apps ended up on user systems via automatic updates from 3CX and manual updates.
Multiple security researchers have noted that only an attacker with a high level of access to 3CX's development or build environment would have been able to introduce malicious code to the DLLs and remain undetected. 3CX has hired Mandiant to investigate the incident and has said it will release more details once it has all the information. The Lazarus Group is also believed to have used a 10-year-old bug (CVE-2013-3900) to add malicious code to a Microsoft DLL without invalidating the signature.
Brigid O'Gorman, senior intelligence analyst with Symantec's Threat Hunter team, says their researchers did see the 3CX attackers appending data to the end of a signed Microsoft DLL. "It's worth noting that what gets added to the file is encrypted data that needs something else to turn it into malicious code," O'Gorman says. In this case, the 3CX application sideloads the ffmpeg.dll file, which reads the data appended to the end of the signed Microsoft DLL and then decrypts it into code that calls out to an external command-and-control (C2) server. O'Gorman advises organizations to apply Microsoft's patch for CVE-2013-3900 if they have not already done so. Notably, organizations that might have patched the vulnerability when Microsoft first issued an update for it would need to do so again if they have Windows 11, as the newer OS undid the effect of the patch.
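CVE-2013-3900 hinges on the fact that the Authenticode hash skips the entire certificate table, so bytes stashed after the PKCS#7 SignedData blob inside a WIN_CERTIFICATE entry leave the signature intact. The Python below, added here as an example and not code from 3CX, Kaspersky or Symantec, parses a PE's security directory and measures how many bytes follow the DER blob; the sample PE and its "signature" are constructed stand-ins, so the script checks structure, not signature validity.

```python
import struct

FAKE_DER = b"\x30\x03\x02\x01\x05"        # constructed stand-in for a PKCS#7 SignedData blob (5 bytes)

def build_sample_pe(cert_body: bytes) -> bytes:
    """Constructed minimal PE32+ whose security directory holds one WIN_CERTIFICATE entry."""
    hdr = bytearray(0x40 + 4 + 20 + 240)           # DOS header, "PE\0\0", COFF header, optional header
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, 0x8664)      # Machine = x64
    struct.pack_into("<H", hdr, 0x54, 240)         # SizeOfOptionalHeader
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x20B)        # PE32+ magic
    struct.pack_into("<I", hdr, opt + 108, 16)     # NumberOfRvaAndSizes
    win_cert = struct.pack("<IHH", 8 + len(cert_body), 0x0200, 0x0002) + cert_body  # dwLength, wRevision, wCertificateType
    struct.pack_into("<II", hdr, opt + 112 + 4 * 8, len(hdr), len(win_cert))       # IMAGE_DIRECTORY_ENTRY_SECURITY
    return bytes(hdr) + win_cert

def der_total_len(blob: bytes) -> int:
    """Encoded size (tag + length + content) of the DER SEQUENCE at the start of blob."""
    if not blob or blob[0] != 0x30:
        raise ValueError("expected ASN.1 SEQUENCE")
    first = blob[1]
    if first < 0x80:                                # short-form length
        return 2 + first
    n = first & 0x7F                                # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def check_cert_padding(pe: bytes) -> dict:
    """Measure bytes stashed after the PKCS#7 blob inside the first WIN_CERTIFICATE entry."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)    # data directory array: PE32+ vs PE32
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if sec_off == 0:
        return {"signed": False}
    dw_length = struct.unpack_from("<I", pe, sec_off)[0]
    body = pe[sec_off + 8:sec_off + dw_length]
    pad = body[der_total_len(body):]
    # Legitimate entries carry at most 7 zero bytes of 8-byte alignment padding.
    return {"signed": True, "cert_table_size": sec_size, "pkcs7_len": len(body) - len(pad),
            "padding_bytes": len(pad), "suspicious": len(pad) >= 8 or any(pad)}
```

Microsoft's opt-in fix for CVE-2013-3900 is the EnableCertPaddingCheck value under HKLM\Software\Microsoft\Cryptography\Wintrust\Config; a file-level check like this one complements it on hosts where that value is not enforced.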