3CX supply chain attack targets cryptocurrency companies with backdoor


Large-scale supply chain attack

Information security firm Kaspersky has released its own analysis of a large-scale software supply chain attack, reported at the end of March, that targeted a handful of cryptocurrency companies and planted backdoors.

On March 29, multiple cybersecurity companies reported that malicious activity had been confirmed in the VoIP (Internet-based voice call) desktop application of business communication software developer 3CX. Certain versions of the installer (for Windows and macOS) had been tampered with and their code “Trojanized”, so that installing them infected the machine with information-stealing malware.

According to 3CX, its VoIP phone system has more than 12 million daily users and is used by more than 600,000 businesses worldwide. Its client list includes automakers such as Toyota, Honda and Mitsubishi, as well as many prominent companies and organizations such as American Express, Coca-Cola, McDonald’s, Air France and the UK’s National Health Service.

Kaspersky concluded that malware dubbed “Gopuram” was behind the attack after analyzing the dynamic link libraries (DLLs) contained in the infected installer files.

In 2020, while investigating the hacking of a Southeast Asian cryptocurrency company, Kaspersky discovered that Gopuram and the backdoor “AppleJeus”, used by the North Korean hacker group Lazarus, coexisted on the victim’s machine. The company has been tracking Gopuram ever since.

The DLL involved in this supply chain attack was said to have been used to deploy Gopuram. The number of Gopuram infections started to increase from March 2023.

Based on the relationship between Gopuram and AppleJeus, Kaspersky evaluates with medium to high confidence that the attacks targeting 3CX were caused by Lazarus.

‘Particular Interest’ in Cryptocurrency Companies

According to Kaspersky’s telemetry analysis, infected 3CX software has been detected worldwide, but Brazil, Germany, Italy and France have seen the highest number of infections.

On the other hand, since Gopuram was deployed on fewer than 10 computers, Kaspersky said the attacker deployed the backdoor with “surgical precision” against selected targets. Those targets are cryptocurrency companies, in which the attackers have a “particular interest,” the company said.

Kaspersky security expert Georgy Kucherin commented:

Information theft wasn’t the only malicious payload deployed in the 3CX supply chain attack. The blackmailers behind Gopuram infect targeted machines with a more fully-fledged modular Gopuram backdoor. We believe Gopuram is the main implant and final payload in the attack chain.

He also said that since cryptocurrency companies are likely to be targeted, this attack should be watched closely and systems should be scrutinized for further compromises.

The post 3CX supply chain attack targets cryptocurrency companies with backdoor appeared first on Our Bitcoin News.
