3CX supply chain attack is now also hitting crypto companies

News
By Sead Fadilpašić
published

Lazarus attack is specifically targeting crypto firms

Security attack
(Image credit: Shutterstock / ozrimoz)

The hackers behind the recent large-scale supply chain attacks on VoIP provider 3CX are now specifically targeting cryptocurrency companies in an attempt to empty their wallets, researchers have warned.

By distributing a trojanized version of the VoIP solution, the attackers managed to infiltrate dozens of companies and place various stage-two malware on their endpoints. 

Now, cybersecurity researchers from Kaspersky have found the attackers also targeted, with high precision, no more than a dozen companies, with a unique backdoor called Gopuram.

Modular backdoor

BleepingComputer describes Gopuram as a modular backdoor capable of timestomping to evade detection, payload injection into already running processes, loading unsigned Windows drivers using the open-source Kernel Driver Utility, and more.

In fact, it was the use of Gopuram that made Kaspersky identify the threat actor behind the entire operation as North Korea’s Lazarus Group.

Read more

> Procter & Gamble is the latest big GoAnywhere zero-day victim

> Hatch Bank says 140,000 customers had data stolen after breach

> Check out the best endpoint protection solutions right now

"The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence. We believe that Gopuram is the main implant and the final payload in the attack chain," Kaspersky researchers said.

Lazarus targeted less than ten machines with this backdoor, all of which are crypto firms, it was said. The motivation is most likely financial, the researchers suggest.

"As for the victims in our telemetry, installations of the infected 3CX software are located all over the world, with the highest infection figures observed in Brazil, Germany, Italy and France," the report reads. "As the Gopuram backdoor has been deployed to less than ten infected machines, it indicates that attackers used Gopuram with surgical precision. We additionally observed that the attackers have a specific interest in cryptocurrency companies."

3CX has more than 12 million daily users, with products used by more than 600,000 companies worldwide Its customer list includes high-profile companies and organizations like American Express, Coca-Cola, McDonald's, Air France, IKEA, the UK's National Health Service, and multiple automakers, including BMW, Honda, Toyota, and Mercedes-Benz.

Via: BleepingComputer

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.