3CX Supply Chain Attack Now Affects Crypto Businesses, Too


The hackers behind the recent large-scale supply chain attacks against VoIP provider 3CX are now specifically targeting cryptocurrency companies in a bid to empty their wallets, researchers have warned.

By distributing a trojanized version of the VoIP software, the attackers managed to infiltrate dozens of companies and drop various second-stage malware onto their devices.

Now, Kaspersky cybersecurity researchers have discovered that the attackers are also targeting, with high precision, no more than a dozen companies with a unique backdoor called Gopuram.

Modular backdoor

BleepingComputer describes Gopuram as a modular backdoor capable of timestomping files to evade detection, injecting payloads into already running processes, loading unsigned Windows drivers using the open-source Kernel Driver Utility, and more.

In fact, it was the use of Gopuram that led Kaspersky to identify the threat actor behind the entire operation as the North Korean group Lazarus.

"The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the threat actor Lazarus with medium to high confidence. We believe that Gopuram is the main implant and the final payload in the attack chain," said the researchers at Kaspersky.

Lazarus targeted fewer than ten machines with this backdoor, all of them belonging to crypto companies, according to the report. The motivation is most likely financial, the researchers suggest.

"In terms of the victims in our telemetry, installations of infected 3CX software are found worldwide, with the highest infection numbers observed in Brazil, Germany, Italy and France," the report states. "As the Gopuram backdoor was deployed on fewer than ten infected machines, this indicates that attackers used Gopuram with surgical precision. We also see that attackers have a specific interest in cryptocurrency companies."

3CX has more than 12 million daily users, with products used by more than 600,000 companies worldwide. Its client list includes leading companies and organizations such as American Express, Coca-Cola, McDonald's, Air France, IKEA, the UK National Health Service and various car manufacturers including BMW, Honda, Toyota and Mercedes-Benz.

Via: BleepingComputer