The attacker responsible for the supply chain attack on 3CX has used a second-stage implant to specifically target a small group of cryptocurrency companies.
Kaspersky, the Russian cybersecurity company, has been tracking a backdoor called Gopuram since 2020. It noted a rise in the number of infections during March 2023, which coincided with the security breach involving 3CX.
The main purpose of Gopuram is to connect to a command-and-control server and wait for further commands, which give the attackers the ability to manipulate the victim's file system, spawn processes, and load up to eight in-memory modules.
The link to North Korea comes from the fact that Gopuram was found on victims' computers alongside AppleJeus, another backdoor believed to be linked to Lazarus, a Korean-speaking group that was responsible for an attack on a cryptocurrency company in Southeast Asia in 2020.
The Lazarus Group's targeting of cryptocurrency companies is consistent with its involvement, as the group has a history of going after the financial industry to generate illicit profits for its country, which is currently under sanctions.
Kaspersky has also discovered a connection between a server, "wirexpro[.]com", and a previous AppleJeus campaign that Malwarebytes reported in December 2022.
The company noted that Gopuram has been installed on fewer than ten infected machines, which suggests that the attackers were very careful and precise in their use of it. Brazil, Germany, Italy, and France have seen the greatest number of infections.
Although the attack method uncovered so far involves using tampered installers to distribute an information stealer called ICONIC Stealer, the new findings indicate that the operation's underlying objective may have been to infect victims' systems with a comprehensive and versatile modular backdoor.
operations. It is unclear whether the campaign has succeeded in stealing valuable information or cryptocurrency, but it raises the question of whether ICONIC Stealer was used to gather intelligence on potential targets for future attacks.
BlackBerry has said that the first stage of the campaign took place between late summer and early autumn of 2022.
According to the Canadian company, the highest number of attack attempts have been observed in Australia, the United States, and the United Kingdom, with healthcare, pharmaceuticals, IT, and finance being the most commonly targeted industries.
At the moment it is not clear how the attacker gained access to 3CX's environment, or whether a known or unknown vulnerability was exploited. The breach is being tracked as CVE-2023-29059.
The available evidence suggests that the attackers compromised 3CX's development environment and distributed altered versions of the legitimate application to its downstream customers, in a supply chain attack resembling those against SolarWinds and Kaseya.
One of the malicious components, a library named d3dcompiler_47.dll that is responsible for retrieving the info-stealer, has been observed exploiting a ten-year-old Windows vulnerability (CVE-2013-3900) to append encrypted shellcode without invalidating the file's Microsoft-issued signature.
It is worth noting that the Israeli cybersecurity company Check Point Research uncovered a ZLoader malware campaign in January 2022 that used the same technique.
Several versions of the desktop application, including 18.12.407 and 18.12.416 for Windows and 18.11.1213, 18.12.402, 18.12.407 and 18.12.416 for macOS, were affected by the attack, which 3CX has attributed to a highly skilled and knowledgeable threat actor.
CrowdStrike has attributed the incident to a North Korea-backed group that it tracks as Labyrinth Chollima, which is part of the larger Lazarus Group.
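The CVE-2013-3900 technique works because the Authenticode hash of a PE file excludes the certificate table, so bytes tucked into the WIN_CERTIFICATE blob after the real PKCS#7 structure are never hashed and the signature still verifies. The following is an added example, not code from the article or from any of the vendors it cites: a small Python checker that parses a PE's security directory, measures the real DER length of the embedded PKCS#7 SEQUENCE, and reports any non-zero unhashed slack inside the blob or any bytes appended after the certificate table. The `build_test_pe` helper constructs a minimal, deliberately non-verifiable PE32+ sample so the script runs offline; the blob contents and the "UNHASHED-PAYLOAD-BYTES!!" marker are constructed placeholders, not real signatures or malware.

```python
"""Detect unhashed data inside or after a PE's Authenticode certificate table.

Added example (not from the article). The checker does not verify the
signature; it only answers the question a defender asks after CVE-2013-3900:
does the WIN_CERTIFICATE blob carry bytes the signature does not cover?
"""
import struct

DIRECTORY_ENTRY_SECURITY = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def der_sequence_length(buf: bytes) -> int:
    """Return the total encoded length of the DER SEQUENCE starting at buf[0]."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("certificate blob does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long-form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def security_directory(pe: bytes) -> tuple:
    """Return (file_offset, size) of the certificate table from the PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                # skip PE signature and COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data directories
    return struct.unpack_from("<II", pe, dirs + DIRECTORY_ENTRY_SECURITY * 8)


def inspect_signature(pe: bytes) -> dict:
    """Report unhashed slack inside the WIN_CERTIFICATE and bytes after the table."""
    offset, size = security_directory(pe)
    if size == 0:
        return {"signed": False, "suspicious": False}
    if offset + size > len(pe):
        raise ValueError("certificate table runs past end of file")
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    blob = pe[offset + 8: offset + dw_length]       # bCertificate
    der_len = der_sequence_length(blob)
    slack = blob[der_len:]                          # bytes past the real PKCS#7
    nonzero_slack = sum(1 for b in slack if b)      # alignment padding is zero
    trailing = len(pe) - (offset + size)            # data appended after the table
    return {
        "signed": True,
        "cert_type": cert_type,
        "declared_length": dw_length,
        "der_length": der_len,
        "unhashed_slack": len(slack),
        "nonzero_slack": nonzero_slack,
        "bytes_after_table": trailing,
        "suspicious": nonzero_slack > 0 or trailing > 0,
    }


def build_test_pe(extra_in_blob: bytes = b"") -> bytes:
    """Constructed minimal PE32+ with a fake certificate table (not verifiable)."""
    der = b"\x30\x16" + b"constructed-pkcs7-body"   # 24-byte fake PKCS#7 SEQUENCE
    cert = der + extra_in_blob
    cert += b"\0" * (-len(cert) % 8)                # 8-byte alignment padding
    # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
    win_cert = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert
    cert_offset = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    struct.pack_into("<II", opt, 112 + DIRECTORY_ENTRY_SECURITY * 8,
                     cert_offset, len(win_cert))
    body = dos + coff + bytes(opt)
    body += b"\0" * (cert_offset - len(body))
    return body + win_cert


if __name__ == "__main__":
    samples = {
        "clean": build_test_pe(),
        "padded": build_test_pe(b"UNHASHED-PAYLOAD-BYTES!!"),
        "appended": build_test_pe() + b"appended",
    }
    for name, sample in samples.items():
        print(name, inspect_signature(sample))
```

On a real binary, pass the file contents to `inspect_signature`; a non-zero `nonzero_slack` is exactly the "extraneous information in the WIN_CERTIFICATE structure" that Microsoft's optional hardening for CVE-2013-3900 (the EnableCertPaddingCheck value under HKLM\Software\Microsoft\Cryptography\Wintrust\Config, which is off by default) makes WinVerifyTrust reject. A signed file that validates on a host without that setting can still fail here, which is the point of running the check independently of the OS verdict.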