Security researchers analyzed a 3CX supply-chain attack and found that trojanized MSI installers of 3CXDesktopApp deliver a malicious DLL which decrypts and executes shellcode, ultimately dropping a backdoor named Gopuram alongside an infostealer. Attribution points to Lazarus with medium-high confidence; campaign activity was observed worldwide, with a focus on cryptocurrency companies. #Gopuram #Lazarus #AppleJeus #3CX #3CXDesktopApp
Keypoints
- The infection is spread via trojanized 3CXDesktopApp MSI installers; a macOS installer has also been trojanized.
- The malicious installation package contains a malicious DLL that decrypts shellcode from the overlay of the bundled d3dcompiler_47.dll library and executes it.
- The decrypted payload extracts C2 server URLs from icon files stored in a GitHub repository (the repository has since been removed).
- The payload connects to one of the C2 servers, downloads an infostealer and starts it.
- The infostealer collects system information and browser history, then sends it to the C2 server.
- A backdoor named Gopuram (guard64.dll) is loaded into the infected process. It is modular: its DLL modules provide capabilities such as Registry, Service, Timestomp and Inject, and a loader shellcode stage receives its commands from the C2 server.
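Both hiding places in the key points (shellcode in the overlay of d3dcompiler_47.dll, C2 strings appended to icon files) are data past the end of what the file's own headers declare, which is also how a triage script finds them. The following is an added example, not code from the Securelist write-up or from 3CX: it parses the PE section table and the ICO directory, reports what trails the declared structure and, because every Authenticode-signed binary legitimately carries its certificate table in the overlay, separates the certificate table from unexplained bytes and measures padding inside the WIN_CERTIFICATE entry. The sample files (build_pe, build_cert, FAKE_PKCS7, SAMPLE_ICO) are constructed fixtures, not real artefacts.

```python
"""Added example, not code from the Securelist write-up or from 3CX.  Both hiding
spots in the key points are data past the end of what a file's own headers
declare: shellcode after the last section of d3dcompiler_47.dll, and C2 strings
appended to icon files.  These helpers locate the declared end and carve what
follows.  The sample files at the bottom are constructed here, not real artefacts."""
import struct


def der_tlv_length(buf: bytes, pos: int = 0) -> int:
    """Encoded size (tag + length + value) of the DER TLV starting at buf[pos]."""
    first = buf[pos + 1]
    if first < 0x80:                                  # short-form length
        return 2 + first
    n = first & 0x7F                                  # long form: n length octets
    return 2 + n + int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def pe_overlay(data: bytes) -> dict:
    """Overlay = bytes after the last section's raw data.  A signed PE has one
    legitimately (the Authenticode certificate table), so also report how much
    of the overlay the certificate table does not explain ('unaccounted') and
    how many bytes the WIN_CERTIFICATE entry carries beyond its DER-encoded
    PKCS#7 blob ('cert_slack'): up to 7 bytes of alignment padding is normal."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    ndirs = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
    cert_off = cert_size = 0
    if ndirs > 4:                                     # entry 4 = IMAGE_DIRECTORY_ENTRY_SECURITY
        cert_off, cert_size = struct.unpack_from("<II", data, opt + (112 if pe32plus else 96) + 4 * 8)
    sec_table = opt + opt_size
    end = sec_table + nsec * 40                       # never earlier than the section table itself
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    info = {"overlay_start": end, "overlay_size": len(data) - end,
            "cert_table": None, "cert_slack": None, "unaccounted": len(data) - end}
    if cert_size and cert_off >= end and cert_off + cert_size <= len(data):
        dw_length = struct.unpack_from("<I", data, cert_off)[0]
        info["cert_table"] = (cert_off, cert_size)
        info["cert_slack"] = dw_length - 8 - der_tlv_length(data, cert_off + 8)
        info["unaccounted"] = len(data) - end - cert_size
    return info


def ico_overlay(data: bytes) -> bytes:
    """Bytes appended after the last image the ICO/CUR directory points to."""
    reserved, kind, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or kind not in (1, 2):
        raise ValueError("not an ICO/CUR file")
    end = 6 + 16 * count                              # header + directory entries
    for i in range(count):
        size, offset = struct.unpack_from("<II", data, 6 + 16 * i + 8)
        end = max(end, offset + size)
    return data[end:]


# --- constructed fixtures: minimal, non-executable files for trying the helpers ---
def build_pe(section: bytes, cert: bytes = b"", overlay: bytes = b"") -> bytes:
    e_lfanew, opt_size, raw_ptr = 0x40, 224, 0x200
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<II", opt, 96 + 4 * 8, raw_ptr + len(section), len(cert))
    sec_hdr = b".text\0\0\0" + struct.pack("<IIII", len(section), 0x1000, len(section), raw_ptr) + b"\0" * 16
    return (dos + coff + opt + sec_hdr).ljust(raw_ptr, b"\0") + section + cert + overlay


def build_cert(pkcs7: bytes, pad: int) -> bytes:
    """WIN_CERTIFICATE (revision 2.0, PKCS#7) whose dwLength also covers `pad` extra bytes."""
    return struct.pack("<IHH", 8 + len(pkcs7) + pad, 0x200, 2) + pkcs7 + b"\0" * pad


FAKE_PKCS7 = b"\x30\x05\x02\x03\x01\x02\x03"          # 7-byte DER SEQUENCE standing in for a real blob
CLEAN_PE = build_pe(b"\x90" * 64, build_cert(FAKE_PKCS7, 1))       # 1 byte of alignment pad: normal
STUFFED_PE = build_pe(b"\x90" * 64, build_cert(FAKE_PKCS7, 201))   # 201 bytes riding inside the cert table
TRAILING_PE = build_pe(b"\x90" * 64, overlay=b"\xcc" * 40)         # plain appended data, nothing signed
SAMPLE_ICO = (struct.pack("<HHH", 0, 1, 1)                         # one 16x16 entry at offset 22
              + struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, 16, 22)
              + b"\x89PNG" + b"\0" * 12                            # 16-byte image stand-in
              + b"c2-config-placeholder")                          # the carved trailer

if __name__ == "__main__":
    for name, pe in ("clean", CLEAN_PE), ("stuffed", STUFFED_PE), ("trailing", TRAILING_PE):
        print(name, pe_overlay(pe))
    print("ico trailer:", ico_overlay(SAMPLE_ICO))
```

On a genuinely signed binary overlay_size equals the certificate table size and unaccounted is 0. Appended data shows up either as unaccounted bytes or, when the signature envelope was enlarged around it so that WinVerifyTrust still validates the file (the padding weakness tracked as CVE-2013-3900), as a large cert_slack; the file hash changes either way. The summary does not say how the C2 strings inside the icons are encoded, so ico_overlay stops at carving the trailer for the analyst.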
MITRE Techniques
- [T1195] Supply Chain Compromise – Infection spread via manipulated 3CXDesktopApp MSI installers. ‘The infection is spread via 3CXDesktopApp MSI installers. An installer for macOS has also been trojanized.’
- [T1140] Deobfuscate/Decode Files or Information – Decrypts a shellcode from the d3dcompiler_47.dll library’s overlay. ‘The malicious installation package contains an infected dll library that decrypts a shellcode from the d3dcompiler_47.dll library’s overlay and executes it.’
- [T1105] Ingress Tool Transfer – Payload connects to a C2 server and downloads an infostealer. ‘The payload connects to one of the C2 servers, downloads an infostealer and starts it.’
- [T1055] Process Injection – guard64.dll is loaded into the infected 3CXDesktopApp.exe process, giving the attackers command execution and file-system access from inside a trusted process. ‘The backdoor implements commands that allow the attackers to interact with the victim’s file system and create processes on the infected machine.’
- [T1574.001] DLL Search Order Hijacking – Wlbsctrl.dll is loaded on startup by the IKEEXT service via DLL hijacking. ‘The wlbsctrl.dll becomes loaded on every startup by the IKEEXT service via DLL hijacking.’
- [T1574.002] DLL Side-Loading – ualapi.dll and ncobjapi.dll sideloaded into spoolsv.exe and svchost.exe, respectively. ‘DLLs with the names ualapi.dll and ncobjapi.dll being sideloaded into spoolsv.exe and svchost.exe, respectively.’
- [T1112] Modify Registry – The Registry module manipulates registry keys (lists, adds, deletes and exports). ‘Registry (lists, adds, deletes and exports keys).’
- [T1543.003] Create or Modify System Process: Windows Service – Service module manipulates Windows services (creates, lists, starts, stops, deletes). ‘Service (Manipulates (creates, lists, starts, stops and deletes) services).’
- [T1070.006] Indicator Removal: Timestomp – The Timestomp module modifies file timestamps to hide when files were written. ‘Timestomp’
- [T1562.001] Impair Defenses: Disable or Modify Tools – The Kernel Driver Utility module bypasses driver signature enforcement so that unsigned kernel code can be loaded; T1553.006 (Subvert Trust Controls: Code Signing Policy Modification) is the closer fit for the DSE bypass itself. ‘Kernel Driver Utility that allows an attacker to bypass driver signature enforcement.’
- [T1059] Command and Scripting Interpreter (Loader/Module) – Dynamically loaded modules (Ping, Connect, Registry, Service, Update, Net) give the operators remote command execution and control; the mapping is approximate, since the source describes module dispatch rather than use of a scripting interpreter. ‘Nine modules so far: …’
Indicators of Compromise
- [MD5] 9f85a07d4b4abff82ca18d990f062a84, 96d3bbf4d2cf6bc452b53c67b3f2516a – MD5 hashes linked to Gopuram components (e.g., wlbsctrl.dll, related payloads).
- [File Path] C:\Windows\System32\config\TxR\<…>.TxR.0.regtrans-ms (the file-name prefix is not preserved in this summary), C:\Windows\System32\catroot2\edb.chk.log – locations used for the encrypted shellcode and for logging artifacts; both mimic legitimate Windows file names (registry transaction logs under config\TxR, the catalog database checkpoint edb.chk under catroot2).
- [Domain] oilycargo.com, wirexpro.com – domains associated with loader shellcode/C2 activity linked to Lazarus campaigns.
- [File Name] guard64.dll, AvBugReport.exe, wlbsctrl.dll – core modules and payloads observed in the Gopuram deployment.
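The loader/host pairs in the technique list and the hashes and file names in the IoC list translate directly into an image-load hunt. The following is an added example, not from the Securelist article: it runs a rule over Sysmon-style Event ID 7 (Image loaded) records, flagging guard64.dll in 3CXDesktopApp.exe, wlbsctrl.dll in the svchost.exe instance that hosts IKEEXT, ualapi.dll in spoolsv.exe and ncobjapi.dll in svchost.exe, and any image whose MD5 matches the listed IoCs. The telemetry in SAMPLE_EVENTS is constructed for the example; the install path of 3CXDesktopApp.exe and the pairing of one listed MD5 with wlbsctrl.dll are assumptions made for the sample.

```python
"""Added example, not code from the Securelist article or 3CX: a hunt over
image-load telemetry for the loading chain in the technique list (guard64.dll
inside 3CXDesktopApp.exe, wlbsctrl.dll pulled in by the IKEEXT service host,
ualapi.dll and ncobjapi.dll side-loaded by spoolsv.exe and svchost.exe) plus the
MD5 hashes from the IoC list.  The event records are constructed for this
example in the shape of Sysmon Event ID 7 (Image loaded); they are not real logs,
and which hash belongs to which file is an assumption made for the sample."""
import json
import ntpath

# DLL -> host processes the summary names for it.  Assumption: any load of the
# base name by that host is worth a look regardless of directory, because a
# search-order hijack plants the file exactly where the host already looks.
DLL_HOST_PAIRS = {
    "guard64.dll": {"3cxdesktopapp.exe"},
    "wlbsctrl.dll": {"svchost.exe"},   # IKEEXT runs inside an svchost.exe instance
    "ualapi.dll": {"spoolsv.exe"},
    "ncobjapi.dll": {"svchost.exe"},
}
# MD5s from the IoC list above.
IOC_MD5 = {"9f85a07d4b4abff82ca18d990f062a84", "96d3bbf4d2cf6bc452b53c67b3f2516a"}


def parse_hashes(field: str) -> dict:
    """Sysmon 'Hashes' field 'MD5=..,SHA256=..' -> {'md5': '..', 'sha256': '..'} (lower-case)."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().lower()] = value.strip().lower()
    return out


def evaluate(event: dict) -> list:
    """Reasons an Image-loaded event matches the Gopuram chain; empty list if none."""
    if str(event.get("EventID")) != "7":
        return []
    host = ntpath.basename(event.get("Image", "")).lower()
    dll = ntpath.basename(event.get("ImageLoaded", "")).lower()
    reasons = []
    if host in DLL_HOST_PAIRS.get(dll, ()):
        reasons.append(f"{dll} loaded by {host} (documented Gopuram load path)")
    md5 = parse_hashes(event.get("Hashes", "")).get("md5")
    if md5 in IOC_MD5:
        reasons.append(f"MD5 {md5} is a listed Gopuram IoC")
    # Context, not a trigger on its own: a hijacked or side-loaded DLL in a
    # Microsoft host is normally unsigned, the legitimate one is not.
    if reasons and str(event.get("Signed", "")).lower() != "true":
        reasons.append("loaded image is unsigned")
    return reasons


def hunt(jsonl: str) -> list:
    """Run evaluate() over JSON-lines telemetry; return the matching events."""
    hits = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        reasons = evaluate(event)
        if reasons:
            hits.append({"time": event.get("UtcTime"), "host": ntpath.basename(event["Image"]),
                         "dll": ntpath.basename(event["ImageLoaded"]), "reasons": reasons})
    return hits


# Constructed sample telemetry (not real 3CX or Sysmon data): three loads from the
# documented chain, one benign Microsoft-signed load, and one non-ImageLoad event
# that happens to carry the same fields and must be ignored.
SAMPLE_EVENTS = r"""
{"EventID": 7, "UtcTime": "2023-03-30 09:14:02", "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\wlbsctrl.dll", "Hashes": "MD5=9F85A07D4B4ABFF82CA18D990F062A84,SHA256=0", "Signed": "false", "Signature": ""}
{"EventID": 7, "UtcTime": "2023-03-30 09:14:05", "Image": "C:\\Windows\\System32\\spoolsv.exe", "ImageLoaded": "C:\\Windows\\System32\\ualapi.dll", "Hashes": "MD5=0,SHA256=0", "Signed": "false", "Signature": ""}
{"EventID": 7, "UtcTime": "2023-03-30 09:15:11", "Image": "C:\\Program Files\\3CXDesktopApp\\app\\3CXDesktopApp.exe", "ImageLoaded": "C:\\Program Files\\3CXDesktopApp\\app\\guard64.dll", "Hashes": "MD5=0,SHA256=0", "Signed": "false", "Signature": ""}
{"EventID": 7, "UtcTime": "2023-03-30 09:15:12", "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\ncrypt.dll", "Hashes": "MD5=0,SHA256=0", "Signed": "true", "Signature": "Microsoft Windows"}
{"EventID": 1, "UtcTime": "2023-03-30 09:15:13", "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\wlbsctrl.dll", "Hashes": "MD5=0,SHA256=0", "Signed": "false", "Signature": ""}
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["time"], hit["host"], "->", hit["dll"], "|", "; ".join(hit["reasons"]))
```

The host gate matters: ualapi.dll loading into a process other than spoolsv.exe is not this chain, and a rule keyed on the file name alone would fire on it. Signedness is reported as context rather than used as a trigger, since a signed-looking but malicious image (the trojanized d3dcompiler_47.dll is the obvious example) would otherwise be missed.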
Read more: https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/