Cryptocurrency companies backdoored in 3CX supply chain attack (Security News, April 2023)

Some of the victims affected by the 3CX supply chain attack have also had their systems backdoored with Gopuram malware, with the threat actors specifically targeting cryptocurrency companies with this additional malicious payload. VoIP communications company 3CX was compromised by North Korean threat actors tracked as Lazarus Group to infect the company's customers with trojanized versions of its Windows and macOS desktop apps in a large-scale supply chain attack.
Kaspersky has discovered that the Gopuram backdoor, previously used by the Lazarus hacking group against cryptocurrency companies since at least 2020, was also deployed as a second-stage payload in the same incident on the systems of a limited number of affected 3CX customers.
"The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence. We believe that Gopuram is the main implant and the final payload in the attack chain," Kaspersky researchers said.
The number of Gopuram infections worldwide increased in March 2023, with the attackers dropping a malicious library and an encrypted shellcode payload on the systems of cryptocurrency companies impacted by the 3CX supply chain attack.
A group of security researchers has developed and released a web-based tool to detect whether a specific IP address has potentially been impacted by the March 2023 supply chain attack against 3CX. "Identification of potentially impacted parties is based on lists of IP addresses that were interacting with malicious infrastructure," the development team explains.
3CX says its 3CX Phone System has over 12 million users daily and is used by over 600,000 companies worldwide.