3CX Breach Widens as Cyberattackers Drop Second-Stage Backdoor
"Gopuram" is a backdoor that North Korea's Lazarus Group has used in some campaigns dating back to 2020, some researchers say.
April 3, 2023
The threat actor — believed to be the Lazarus Group — that recently compromised 3CX's VoIP desktop application to distribute information-stealing software to the company's customers has also dropped a second-stage backdoor on systems belonging to a small number of them.
The backdoor, called "Gopuram," contains multiple modules that the threat actors can use to exfiltrate data; install additional malware; start, stop, and delete services; and interact directly with victim systems. Researchers from Kaspersky spotted the malware on a handful of systems running compromised versions of 3CX DesktopApp.
Meanwhile, some security researchers now say that their analysis shows the threat actors may have exploited a 10-year-old Windows vulnerability (CVE-2013-3900).
Gopuram: Known Backdoor Linked to Lazarus
Kaspersky identified Gopuram as a backdoor it has been tracking since at least 2020 when the company found it installed on a system belonging to a cryptocurrency company in Southeast Asia. The researchers at that time found the backdoor installed on a system alongside another backdoor called AppleJeus, attributed to North Korea's prolific Lazarus Group.
In a blog post on April 3, Kaspersky concluded that the attack on 3CX was, therefore, also very likely the work of the same outfit. "The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence," Kaspersky said.
Kaspersky researcher Georgy Kucherin says the purpose of the backdoor is to conduct cyber espionage. "Gopuram is a second-stage payload dropped by the attackers" to spy on target organizations, he says.
Kaspersky's discovery of second-stage malware adds another wrinkle to the attack on 3CX, a provider of videoconferencing, PBX, and business communication apps for Windows, macOS, and Linux systems. The company has claimed that some 600,000 organizations worldwide — with more than 12 million daily users — currently use its 3CX DesktopApp.
A Major Supply Chain Compromise
On March 30, 3CX CEO Nick Galea and CISO Pierre Jourdan confirmed that attackers had compromised certain Windows and macOS versions of the software to distribute malware. The disclosure came after several security vendors reported observing suspicious activity associated with legitimate, signed updates of the 3CX DesktopApp binary.
Their investigations showed that a threat actor — now identified as the Lazarus Group — had compromised two dynamic link libraries (DLLs) in the application's installation package and added malicious code to them. The weaponized apps ended up on user systems via automatic updates from 3CX and also via manual updates.
Once on a system, the signed 3CX DesktopApp executes the malicious installer, which then initiates a series of steps that ends with an information-stealing malware getting installed on the compromised system. Multiple security researchers have noted that only an attacker with a high level of access to 3CX's development or build environment would have been able to introduce malicious code to the DLLs and get away unnoticed.
3CX has hired Mandiant to investigate the incident and has said it will release more details of what exactly transpired once it has all the details.
Attackers Exploited a 10-Year-Old Windows Flaw
Lazarus Group also apparently used a 10-year-old bug to add malicious code to a Microsoft DLL without invalidating the signature.
In its 2013 vulnerability disclosure, Microsoft had described the flaw as giving attackers a way to add malicious code to a signed executable without invalidating the signature. The company's update for the issue changed how binaries signed with Windows Authenticode are verified. Basically, the update ensured that if someone made changes to an already signed binary, Windows would no longer recognize the binary as signed.
In announcing the update back then, Microsoft also made it an opt-in update, meaning users didn't have to apply the update if they had concerns about the stricter signature verification causing problems in situations where they might have made custom changes to installers.
"Microsoft was reluctant, for a time, to make this patch official," says Jon Clay, vice president of threat intelligence at Trend Micro. "What is being abused by this vulnerability, in essence, is a scratch-pad space at the end of the file. Think of it like a cookie flag that many applications have been allowed to use, like some Internet browsers."
Brigid O'Gorman, senior intelligence analyst with Symantec's Threat Hunter team, says the company's researchers did see the 3CX attackers appending data to the end of a signed Microsoft DLL. "It's worth noting that what gets added to the file is encrypted data that needs something else to turn it into malicious code," O'Gorman says. In this case, the 3CX application sideloads the ffmpeg.dll file, which reads the data appended to the end of the file and then decrypts it into code that calls out to an external command-and-control (C2) server, she notes.
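The mechanism described above (extra bytes tucked into the Authenticode certificate table, where the signature hash does not cover them) can be checked for without relying on the operating system's signature verifier. The following is an added example, not code from the article, from 3CX, or from any of the vendors quoted: it parses a PE file's security data directory, reads the WIN_CERTIFICATE header, compares the declared length with the actual DER length of the embedded PKCS#7 blob, and flags any slack beyond 8-byte alignment padding. The PE image and the "certificate" (a placeholder DER SEQUENCE, not a real signature) are constructed inline so the script runs offline; the padding policy is this example's own, not a statement of exactly what Microsoft's check does.

```python
"""Added example: spot unauthenticated slack in a PE's Authenticode
certificate table (the CVE-2013-3900 "scratch-pad" at the end of a file).

Not code from the article or from any vendor. The PE image is constructed
inline; the "certificate" is a placeholder DER SEQUENCE, not real PKCS#7.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERTIFICATE_HEADER_LEN = 8       # dwLength (4), wRevision (2), wCertificateType (2)


def security_directory(pe: bytes):
    """Return (file_offset, size) of the certificate table, or None if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20              # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                   # PE32: data directories at +96
        dirs = opt + 96
    elif magic == 0x20B:                 # PE32+: data directories at +112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    # The security directory holds a raw file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return None
    return off, size


def der_total_length(blob: bytes) -> int:
    """Total length (tag + length bytes + content) of the outermost DER element."""
    if blob[0] != 0x30:
        raise ValueError("expected DER SEQUENCE (PKCS#7 ContentInfo)")
    first = blob[1]
    if first < 0x80:                     # short-form length
        return 2 + first
    n = first & 0x7F                     # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def cert_table_slack(pe: bytes):
    """Bytes inside WIN_CERTIFICATE that are not part of the PKCS#7 blob.

    Returns None for an unsigned file, otherwise (slack_len, slack_bytes).
    """
    sec = security_directory(pe)
    if sec is None:
        return None
    off, size = sec
    dw_length = struct.unpack_from("<IHH", pe, off)[0]
    if dw_length > size or off + dw_length > len(pe):
        raise ValueError("WIN_CERTIFICATE length exceeds certificate table")
    blob = pe[off + WIN_CERTIFICATE_HEADER_LEN: off + dw_length]
    der_len = der_total_length(blob)
    slack = blob[der_len:]
    return len(slack), slack


def has_unauthenticated_padding(pe: bytes) -> bool:
    """Flag slack beyond 8-byte alignment, or alignment padding that is non-zero."""
    res = cert_table_slack(pe)
    if res is None:
        return False                     # unsigned: nothing to hide behind
    n, slack = res
    der_len = len(slack) and 0           # placeholder, recomputed below
    off, _ = security_directory(pe)
    dw_length = struct.unpack_from("<I", pe, off)[0]
    der_len = dw_length - WIN_CERTIFICATE_HEADER_LEN - n
    allowed = (-(WIN_CERTIFICATE_HEADER_LEN + der_len)) % 8
    return n > allowed or any(slack)


# --- constructed sample (PE32+, no sections, only a certificate table) -------
SAMPLE_CERT = b"\x30\x82\x01\x2c" + b"A" * 300   # DER SEQUENCE, 304 bytes total


def build_signed_pe(cert_blob, extra: bytes = b"") -> bytes:
    """Constructed PE32+; `extra` is appended inside WIN_CERTIFICATE after the DER."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 110           # 112 bytes to the directories
    dirs = bytearray(16 * 8)
    body = b""
    if cert_blob is not None:
        cert_off = len(dos) + 4 + 20 + 240                  # right after the headers
        dw_length = WIN_CERTIFICATE_HEADER_LEN + len(cert_blob) + len(extra)
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, dw_length)
        body = struct.pack("<IHH", dw_length, 0x0200, 0x0002) + cert_blob + extra
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + body


if __name__ == "__main__":
    clean = build_signed_pe(SAMPLE_CERT)
    padded = build_signed_pe(SAMPLE_CERT, b"X" * 64)       # constructed smuggled bytes
    print("clean  :", has_unauthenticated_padding(clean))   # False
    print("padded :", has_unauthenticated_padding(padded))  # True
```

Run it on a real binary by reading the file into `pe` and calling `has_unauthenticated_padding`; a hit means the certificate table is larger than the signature it carries, which is exactly the condition the optional Microsoft fix (enabled through the `EnableCertPaddingCheck` registry value described in Microsoft's advisory) makes Windows reject. A negative result says nothing about whether the signature itself is valid or the signer trustworthy; this check only answers whether there is room for unsigned data.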
"I think the best advice for organizations at the moment would be to apply Microsoft's patch for CVE-2013-3900 if they have not already done so," O'Gorman says.
Notably, organizations that might have patched the vulnerability when Microsoft first issued an update for it would need to do so again if they have Windows 11. That's because the newer OS undid the effect of the patch, Kucherin and other researchers say.
"CVE-2013-3900 was used by the second-stage DLL in an attempt to hide from security applications that only check against a digital signature for validity," Clay says. Patching would help security products flag the file for analysis, he notes.
William Dormann, senior vulnerability analyst at Analygence, says the attackers in the 3CX incident used CVE-2013-3900 to plant shellcode in a digitally signed binary and banked on the malware slipping past analysts because it was digitally signed. "Users who have applied the mitigation for CVE-2013-3900 would not have been protected in any way whatsoever against the 3CX malware on an otherwise default configuration of Windows," he says. No Windows platform includes a fix for CVE-2013-3900 at this point in time; it remains strictly optional. He also notes that with GitHub taking down the payload files attackers had stored on it, there's nothing more users can do to protect against the threat.
A Microsoft spokesman said an attacker would be able to add code to a signed DLL only if they had already compromised the code via a third-party. "As a best practice, we encourage customers to apply all the latest security updates for better protection," the spokesman said.
"In addition, Defender for Endpoint and Microsoft Defender antivirus can detect and block the domains and files involved with this threat," the spokesman added. Microsoft did not directly address a Dark Reading question on why the company had decided to make the fix for CVE-2013-3900 optional. Instead, the spokesman pointed to Microsoft's original security advisory on the bug. "Regarding CVE-2013-3900 updates specifically, we recommend customers assess their system environment and follow the steps and suggested actions outlined in the security advisory," the spokesman said.
This story was updated on 04/04 to include comments from Microsoft and analyst Will Dormann.