Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack

On March 29, Crowdstrike published a report about a supply chain attack conducted via 3CXDesktopApp, a popular VoIP program. Since then, the security community has started analyzing the attack and sharing their findings. The following has been discovered so far:

  • The infection is spread via 3CXDesktopApp MSI installers. An installer for macOS has also been trojanized.
  • The malicious installation package contains an infected dll library that decrypts a shellcode from the d3dcompiler_47.dll library’s overlay and executes it.
  • The decrypted payload extracts C2 server URLs from icons stored in a GitHub repository (the repository is removed).

Read more…
Source: Kaspersky