Security News > 2023 > April > Cryptocurrency companies backdoored in 3CX supply chain attack

Some of the victims affected by the 3CX supply chain attack have also had their systems backdoored with Gopuram malware, with the threat actors specifically targeting cryptocurrency companies with this additional malicious payload. VoIP communications company 3CX was compromised by North Korean threat actors tracked as Lazarus Group to infect the company's customers with trojanized versions of its Windows and macOS desktop apps in a large-scale supply chain attack.

Kaspersky has discovered that the Gopuram backdoor previously used by the Lazarus hacking group against cryptocurrency companies since at least 2020, was also deployed as a second-stage payload in the same incident into the systems of a limited number of affected 3CX customers.

"The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence. We believe that Gopuram is the main implant and the final payload in the attack chain," Kaspersky researchers said.

The number of Gopuram infections worldwide increased in March 2023, with the attackers dropping a malicious library and an encrypted shellcode payload on the systems of cryptocurrency companies impacted by the 3CX supply chain attack.

A group of security researchers has developed and released a web-based tool to detect if a specific IP address has been potentially impacted by the March 2023 supply chain attack against 3CX. "Identification of potentially impacted parties is based on lists of IP addresses that were interacting with malicious infrastructure," the development team explains.

3CX says its 3CX Phone System has over 12 million users daily and is used by over 600,000 companies worldwide.

News URL

https://www.bleepingcomputer.com/news/security/cryptocurrency-companies-backdoored-in-3cx-supply-chain-attack/