Russian cybersecurity firm Kaspersky has identified a second-stage implant deployed by the hackers behind the recent supply chain attack on VoIP provider 3CX. The implant, known as Gopuram, was found to be targeting a small number of cryptocurrency companies. Kaspersky has been tracking Gopuram since 2020 and noted an increase in infections coinciding with the 3CX breach.
The backdoor is believed to be linked to North Korea because it co-exists on victim machines with AppleJeus, a backdoor attributed to the North Korean threat actor Lazarus Group. The targeting of cryptocurrency companies is another sign of Lazarus Group’s involvement, given the group’s focus on the financial industry as a source of illicit profits.
Although the attack chain discovered so far involves the use of rogue installers to distribute an information stealer known as ICONIC Stealer, the latest findings suggest that the campaign’s ultimate goal may have been to infect targets with the full-fledged modular backdoor.
However, it is unclear how successful the campaign has been or whether it has led to the theft of sensitive data or cryptocurrency. Kaspersky points out that Gopuram has been deployed with surgical precision, infecting fewer than ten machines, and that the highest infection rates have been detected in Brazil, Germany, Italy, and France.
Canadian company BlackBerry has revealed that the initial phase of the operation took place between the end of summer and the beginning of fall 2022, and most of the attack attempts have been registered in Australia, the U.S., and the U.K.
Healthcare, pharma, IT, and finance emerged as the top targeted sectors. Evidence suggests that the attackers poisoned 3CX’s development environment and delivered trojanized versions of the legitimate app to the company’s downstream customers in a SolarWinds- or Kaseya-like supply chain attack.
The same technique has been adopted by a ZLoader malware campaign uncovered by Israeli cybersecurity firm Check Point Research in January 2022.
3CX has since pinned the attack on a “highly experienced and knowledgeable hacker,” and CrowdStrike has tied the incident to a North Korea-aligned nation-state group it tracks under the name Labyrinth Chollima, a sub-cluster within the Lazarus Group.