Cybersecurity researchers have warned that the hackers behind the recent large-scale supply chain attack on VoIP provider 3CX are now targeting cryptocurrency companies in a bid to steal their funds. The attackers infiltrated dozens of companies by distributing a trojanized version of the 3CX desktop client and then dropped various stage-two malware on the infected endpoints. Now, researchers from Kaspersky have found that, out of all those infections, the attackers followed up on only a handful of machines with a previously unknown backdoor called Gopuram. This modular backdoor is capable of timestomping (rewriting file timestamps so dropped files blend in with their surroundings and evade timeline-based detection), injecting payloads into already running processes, loading unsigned Windows drivers with the open-source Kernel Driver Utility (KDU), and more. Gopuram overlaps with tooling Kaspersky had seen in earlier intrusions, which allowed the company to attribute the entire operation, with medium to high confidence, to North Korea’s Lazarus Group.
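Timestomping leaves an artifact a defender can hunt for. A user-level timestomp (utime on POSIX, SetFileTime on Windows) rewrites the modification and access times, but the kernel still records the time the inode or MFT record was last changed, and that value is not under the attacker's control at user level. The added example below (this is editor-written code, not Kaspersky's or 3CX's, and nothing on this page describes Gopuram's internals) builds a constructed directory with one freshly written file and one whose mtime has been rolled back a year, then flags files whose change time is far ahead of their modification time. The 24-hour threshold is an assumption; tune it per environment. Renames and permission changes also bump ctime, so treat hits as leads to be checked against other evidence, not as verdicts. On NTFS the stronger equivalent is comparing the $STANDARD_INFORMATION timestamps (what the API lets you rewrite) against the $FILE_NAME timestamps in the MFT, which ordinary timestomping tools do not touch.

```python
import os
import tempfile
import time

# Assumed threshold: a file whose recorded change time is more than a day
# newer than its modification time is worth a second look.
SKEW_SECONDS = 24 * 3600


def suspicious_timestamps(path, skew=SKEW_SECONDS):
    """Return (mtime, ctime) if the file looks timestomped, else None.

    A user-level timestomp can set mtime/atime to any value, but the kernel
    sets ctime (inode change time; creation time on Windows builds of Python)
    to 'now' when it does so, leaving a large ctime - mtime gap behind.
    """
    st = os.stat(path, follow_symlinks=False)
    if st.st_ctime - st.st_mtime > skew:
        return (st.st_mtime, st.st_ctime)
    return None


def scan(root, skew=SKEW_SECONDS):
    """Walk root and return the sorted paths whose timestamps look rolled back."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                if suspicious_timestamps(p, skew):
                    hits.append(p)
            except OSError:
                # unreadable or vanished file; skip rather than abort the sweep
                continue
    return sorted(hits)


def demo():
    """Constructed sample: two fresh files, one with its mtime rolled back a year.

    Returns (hits, clean_path, stomped_path) so the result can be checked.
    """
    root = tempfile.mkdtemp(prefix="tstomp_")
    clean = os.path.join(root, "normal.dll")
    stomped = os.path.join(root, "dropped.dll")
    for p in (clean, stomped):
        with open(p, "wb") as f:
            f.write(b"MZ")  # constructed placeholder content, not a real binary
    year_ago = time.time() - 365 * 24 * 3600
    # This is exactly what a timestomper does: rewrite atime and mtime.
    # The kernel updates ctime to the current time as a side effect.
    os.utime(stomped, (year_ago, year_ago))
    return scan(root), clean, stomped


if __name__ == "__main__":
    hits, _, _ = demo()
    for h in hits:
        mtime, ctime = suspicious_timestamps(h)
        print(f"{h}: mtime={time.ctime(mtime)} ctime={time.ctime(ctime)}")
```

Run it as a script to see the flagged file, or call scan() on a real directory. Because the check relies only on os.stat, it runs on any OS, but on Windows pair it with an MFT-level $STANDARD_INFORMATION versus $FILE_NAME comparison before drawing conclusions.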
The Lazarus Group deployed this backdoor to fewer than ten machines, all of them belonging to cryptocurrency firms, so the motivation for the attacks is believed to be financial gain. According to the researchers, “As for the victims in our telemetry, installations of the infected 3CX software are located all over the world, with the highest infection figures observed in Brazil, Germany, Italy, and France. As the Gopuram backdoor has been deployed to less than ten infected machines, it indicates that attackers used Gopuram with surgical precision. We additionally observed that the attackers have a specific interest in cryptocurrency companies.”
3CX has more than 12 million daily users, with its products used by over 600,000 companies worldwide. Its customer list includes high-profile companies and organizations like American Express, Coca-Cola, McDonald’s, Air France, IKEA, the UK’s National Health Service, and multiple automakers such as BMW, Honda, Toyota, and Mercedes-Benz.