Some of the victims of the 3CX supply chain attack had their systems backdoored with the Gopuram malware, with the threat actors using this additional malicious payload specifically against cryptocurrency companies.
In a large-scale supply chain attack, North Korean threat actors known as Lazarus Group compromised VoIP communications company 3CX and infected the company’s customers with trojanized versions of its Windows and macOS desktop apps.
In this attack, the attackers replaced two DLLs used by the Windows desktop app with malicious versions that would download additional malware, such as an information-stealing trojan, onto victims' computers.
Since then, Kaspersky has found that the Gopuram backdoor, which the Lazarus hacking group has used against cryptocurrency companies since at least 2020, was also deployed as a second-stage payload onto the systems of a small number of affected 3CX customers in the same incident.
Gopuram is a modular backdoor that lets its operators modify the Windows registry and services, timestomp files to evade detection, inject payloads into already running processes, load unsigned Windows drivers using the open-source Kernel Driver Utility, and perform limited user management on infected devices via the net command.
“The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign t
[…]
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents