3CX supply chain attack is now also hitting crypto companies
Lazarus attack is specifically targeting crypto firms
The hackers behind the recent large-scale supply chain attacks on VoIP provider 3CX are now specifically targeting cryptocurrency companies in an attempt to empty their wallets, researchers have warned.
By distributing a trojanized version of the VoIP solution, the attackers managed to infiltrate dozens of companies and place various stage-two malware on their endpoints.
Now, cybersecurity researchers from Kaspersky have found the attackers also targeted, with high precision, no more than a dozen companies, with a unique backdoor called Gopuram.
Modular backdoor
BleepingComputer describes Gopuram as a modular backdoor capable of timestomping to evade detection, payload injection into already running processes, loading unsigned Windows drivers using the open-source Kernel Driver Utility, and more.
In fact, it was the use of Gopuram that made Kaspersky identify the threat actor behind the entire operation as North Korea’s Lazarus Group.
"The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence. We believe that Gopuram is the main implant and the final payload in the attack chain," Kaspersky researchers said.
Lazarus targeted less than ten machines with this backdoor, all of which are crypto firms, it was said. The motivation is most likely financial, the researchers suggest.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
"As for the victims in our telemetry, installations of the infected 3CX software are located all over the world, with the highest infection figures observed in Brazil, Germany, Italy and France," the report reads. "As the Gopuram backdoor has been deployed to less than ten infected machines, it indicates that attackers used Gopuram with surgical precision. We additionally observed that the attackers have a specific interest in cryptocurrency companies."
3CX has more than 12 million daily users, with products used by more than 600,000 companies worldwide Its customer list includes high-profile companies and organizations like American Express, Coca-Cola, McDonald's, Air France, IKEA, the UK's National Health Service, and multiple automakers, including BMW, Honda, Toyota, and Mercedes-Benz.
- These are the best malware removal tools right now
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.