3CX supply chain attack is now also hitting crypto companies

Now, cybersecurity researchers from Kaspersky have found the attackers also targeted, with high precision, no more than a dozen companies, with a unique backdoor called Gopuram.

Modular backdoor

BleepingComputer describes Gopuram as a modular backdoor capable of timestomping to evade detection, payload injection into already running processes, loading unsigned Windows drivers using the open-source Kernel Driver Utility, and more.

In fact, it was the use of Gopuram that made Kaspersky identify the threat actor behind the entire operation as North Korea’s Lazarus Group.

"The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence. We believe that Gopuram is the main implant and the final payload in the attack chain," Kaspersky researchers said.

Lazarus targeted less than ten machines with this backdoor, all of which are crypto firms, it was said. The motivation is most likely financial, the researchers suggest.

"As for the victims in our telemetry, installations of the infected 3CX software are located all over the world, with the highest infection figures observed in Brazil, Germany, Italy and France," the report reads. "As the Gopuram backdoor has been deployed to less than ten infected machines, it indicates that attackers used Gopuram with surgical precision. We additionally observed that the attackers have a specific interest in cryptocurrency companies."

3CX has more than 12 million daily users, with products used by more than 600,000 companies worldwide Its customer list includes high-profile companies and organizations like American Express, Coca-Cola, McDonald's, Air France, IKEA, the UK's National Health Service, and multiple automakers, including BMW, Honda, Toyota, and Mercedes-Benz.

• These are the best malware removal tools right now

Via: BleepingComputer