3CX Supply Chain Attack Targets Cryptocurrency Companies With a Sophisticated Second-Stage Implant

Rithika Biswas, April 3, 2023
Updated 2023/04/06 at 5:11 PM

As part of the supply chain attack on 3CX, a small number of cryptocurrency companies were singled out to receive a second-stage implant. According to Kaspersky, which has tracked the versatile backdoor under the name Gopuram since 2022, infections increased around the time of the 3CX breach in March 2023. Gopuram connects to a command and control (C2) server and awaits instructions, and as many as eight in-memory modules are available through it.

The backdoor was linked to North Korea because it “coexisted on victim machines with AppleJeus, a backdoor attributed to the Korean-speaking actor Lazarus,” outlining an attack on an undisclosed crypto business in South East Asia in 2020. The targeting of digital currency businesses is yet another indicator of the Lazarus Group’s involvement, given the threat actor’s recurring focus on the financial industry in order to create illegal income for the sanctioned nation. Kaspersky also claimed to have discovered a C2 overlap with a server named (“wirexpro[.]com”) previously identified as being used in an AppleJeus campaign revealed by Malwarebytes in December 2022.
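The C2 overlap Kaspersky describes is useful to defenders only once the published indicator is turned into a check against their own telemetry. The script below is an added example and is not code from the article, Kaspersky or Malwarebytes: it refangs the defanged domain quoted above (wirexpro[.]com is the only indicator taken from the page) and scans resolver log lines for exact or subdomain matches while rejecting look-alike substrings. The log lines and the client addresses in them are constructed for the demonstration and are not real telemetry.

```python
"""Match the defanged C2 indicator quoted in the article against DNS resolver logs.

Added example; not from the article or the vendors it cites. The domain
wirexpro[.]com comes from the page; every log line below is constructed.
"""
import re

# Indicator as published, in defanged form so it cannot be clicked by accident.
DEFANGED_IOCS = ["wirexpro[.]com"]


def refang(ioc: str) -> str:
    """Undo common defanging conventions so the indicator compares equal to live data."""
    return (ioc.replace("[.]", ".")
               .replace("(.)", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def matches_domain(query: str, indicator: str) -> bool:
    """True if the queried name is the indicator domain or one of its subdomains.

    Comparison is case-insensitive and tolerates a trailing dot (FQDN form).
    A plain substring test would also flag 'notwirexpro.com', which is wrong.
    """
    q = query.lower().rstrip(".")
    d = indicator.lower().rstrip(".")
    return q == d or q.endswith("." + d)


# Constructed resolver log: timestamp, client address, queried name.
SAMPLE_DNS_LOG = """\
2023-03-29T10:01:02Z 10.0.0.12 query cdn.example.com
2023-03-29T10:01:05Z 10.0.0.12 query WIREXPRO.COM
2023-03-29T10:01:09Z 10.0.0.44 query api.wirexpro.com.
2023-03-29T10:02:11Z 10.0.0.44 query notwirexpro.com
2023-03-29T10:02:30Z 10.0.0.51 query update.3cx.example
"""

LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")


def find_ioc_hits(log_text: str, defanged_iocs=DEFANGED_IOCS):
    """Return (timestamp, client, queried_name, indicator) for every matching line."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected query format
        ts, client, name = m.groups()
        for ioc in iocs:
            if matches_domain(name, ioc):
                hits.append((ts, client, name, ioc))
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_DNS_LOG):
        print("C2 indicator hit:", hit)
```

Run against the constructed log, the check reports the two clients that resolved the indicator domain or a host under it, and ignores the look-alike name that merely contains the string. The same `find_ioc_hits` function takes any list of defanged indicators, so additional domains from a vendor report can be added without changing the matching logic.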


The Gopuram backdoor has been deployed to fewer than ten infected machines, with the highest infection rates detected in Brazil, Germany, Italy and France. The attacker is also using the ICONIC stealer, which may have been used to select the targets that then received the full-fledged modular backdoor, but its ultimate goal is unknown. It is possible that the stealer served as a reconnaissance utility to identify targets for follow-up exploitation.

It is unknown how successful the campaign was, and whether it resulted in the actual theft of sensitive data or cryptocurrencies. It does, however, raise the possibility that the ICONIC stealer was employed as a reconnaissance tool to cast a wide net and discover targets of interest for subsequent exploitation. BlackBerry revealed that “the initial phase of this operation occurred somewhere between the end of summer and the beginning of fall 2022.” According to the Canadian corporation, the majority of the attack attempts have been documented in Australia, the United States, and the United Kingdom, with healthcare, pharmaceutical, information technology, and finance emerging as the top targeted sectors.

The threat actor may have exploited a known or unknown vulnerability to gain initial access to the 3CX network. The compromise is being tracked under a unique identifier.

 
