3CX Supply Chain Attack Expands to Crypto Firms, Threatening Sensitive Data

Cybersecurity researchers have warned that the hackers responsible for the recent large-scale supply chain attacks on VoIP provider 3CX are now targeting cryptocurrency companies in a bid to steal their funds. The attackers infiltrated dozens of companies by distributing a trojanized version of the VoIP solution and placed various second-stage malware on their endpoints. Now, researchers from Kaspersky have found that the hackers have targeted no more than a dozen companies with a unique backdoor called Gopuram. This modular backdoor is capable of timestomping to evade detection, injecting payloads into already running processes, loading unsigned Windows drivers using the open-source Kernel Driver Utility, and more. The use of Gopuram allowed Kaspersky to identify the threat actor behind the entire operation as North Korea’s Lazarus Group.