Kaspersky and CrowdStrike have discovered a supply chain attack that installed a backdoor on computers worldwide. The malware was deployed on fewer than ten computers, and the attackers had targeted cryptocurrency companies. CrowdStrike had identified the malicious activity in 3CXDesktopApp, a communications app for corporate clients. In a small number of cases, the compromise led to hands-on-keyboard activity.
Kaspersky reported that a DLL was used to deliver the Gopuram backdoor, though it was not the only malicious payload. Gopuram was found to coexist with the AppleJeus backdoor, believed to be attributable to the North Korean Lazarus group. The 3CX app is used by over 600,000 companies and is marketed to corporate clients.