A supply chain attack reached computers around the world, but the backdoor it delivered has been deployed on fewer than 10 of them, cybersecurity firm Kaspersky has reported. The deployments showed particular interest in cryptocurrency companies, the firm added.
Cybersecurity company CrowdStrike reported on March 29 that it had identified malicious activity in the 3CX softphone application 3CXDesktopApp. The application is aimed at corporate clients. Malicious activity detected included “beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, manual keyboard activity.”
Kaspersky said it suspected the involvement of North Korea-linked threat actor Labyrinth Chollima. 3CX said of the infection:
“This appears to have been a targeted attack by an Advanced Persistent Threat, perhaps even state-sponsored, which executed a complex supply chain attack and chose who would download the next stages of its malware.”
Kaspersky was already investigating a dynamic link library (DLL) found in one of the infected 3CXDesktopApp .exe files, it said. The DLL in question had been used to distribute the Gopuram backdoor, although it was not the only malicious payload deployed in the attack. Gopuram has been found to coexist with the AppleJeus backdoor attributed to the North Korean group Lazarus, Kaspersky added.
Infected 3CX software has been detected worldwide, with the highest infection numbers in Brazil, Germany, Italy and France. However, Gopuram has been deployed on fewer than 10 computers, in a display of “surgical precision,” Kaspersky said. The firm added that it had previously encountered a Gopuram infection at a Southeast Asian cryptocurrency company.
If you are looking for a comprehensive overview of the current #3CX supply chain attack, I created a diagram that shows the attack flow! I’ll update as soon as the analysis progresses. Stay tuned for the MacOS edition! #cybersecurity #infosec #supplychainattack #3CXpocalypse pic.twitter.com/ANVLCgExmU
—Thomas Roccia (@fr0gger_) March 31, 2023
The 3CX app is used by more than 600,000 companies, including several big brands, Kaspersky said, citing the manufacturer. The infected app was signed with a DigiCert certificate.