Crypto Firms Are Likely Target for 3CX Attacks

A recently discovered supply chain attack linked to North Korea was most likely devised to target cryptocurrency firms with backdoor malware, according to Kaspersky.

It was thought that the sophisticated multi-stage campaign was designed to drop an infostealer on targeted organizations. However, the Russian AV vendor has linked backdoor malware dubbed “Gopuram,” which it has been tracking since 2020, to the attacks.

This both confirms the likely attack group as North Korea’s Lazarus and changes the suspected end goal of the attackers from cyber-espionage to theft of digital currency.

“While investigating an attack on a Southeast Asian cryptocurrency company in 2020, we found Gopuram co-existing on the same machine with the AppleJeus backdoor, which is attributed to Lazarus,” Kaspersky wrote in a blog post.

“Over the years, we observed few victims compromised with Gopuram, but the number of infections began to increase in March 2023. As it turned out, the increase was directly related to the 3CX supply chain attack.”

In the 3CX attack, the modular backdoor, like the infostealer, is delivered as a second-stage payload via DLL sideloading. It is used to perform a variety of actions on affected machines, including manipulating the Windows registry and services, timestomping files and injecting payloads into processes.

According to Kaspersky, the backdoor has been deployed to fewer than 10 machines so far, indicating a highly targeted campaign focused specifically on cryptocurrency firms.

“We believe that Gopuram is the main implant and the final payload in the attack chain. Our investigation of the 3CX campaign is still far from complete,” Kaspersky concluded. “We will continue analyzing the deployed implants to find out more details about the toolset used in the supply chain attack.”

North Korean state hackers have been targeting crypto firms for many years and are suspected of stealing billions of dollars to help fund the country’s nuclear weapons program.