Emerging evidence suggests the hackers who tampered with the 3CX app to deliver malware did so to infiltrate cryptocurrency companies, according to antivirus provider Kaspersky.
Kaspersky today published a report(Opens in a new window) examining a backdoor the hackers were selectively distributing to computers installed with the hijacked 3CX desktop app. It found a common link between the backdoor and the malware victims.
“We found out that the threat actor specifically targeted cryptocurrency companies,” the company says, citing its own telemetry, which includes users of Kaspersky’s antivirus protection.
3CX provides VoIP services to thousands of businesses, including major brands like McDonald’s, Coca-Cola, and BMW. So the hack has sparked fears that a wide range of companies are affected, especially since antivirus companies detected a surge of malicious infections occuring through legitimate 3CX desktop apps last week.
Indeed, the tainted 3CX was found distributing an infostealer program capable of gathering data from a computer’s browser. However, Kaspersky’s report says the hacker also launched an additional payload for select machines in the form of a backdoor known as “Gopuram.”
But according to the company’s own data, Gopuram was deployed “to less than ten infected machines.” Once it installs, the backdoor lets a hacker secretly hijack a computer. Features include the ability to view file systems and create malicious processes on an infected machine.
Recommended by Our Editors
The presence of Gopuram also adds more evidence that the hack of 3CX is connected to a notorious North Korean state-sponsored hacking group, dubbed Lazarus, which has an appetite for stealing cryptocurrency. Back in 2020, Kaspersky also discovered a Gopuram backdoor on a machine at a cryptocurrency company that had been installed with another backdoor, dubbed AppleJeus(Opens in a new window), which the US has attributed to North Korea.
Separate cybersecurity firms Crowdstrike(Opens in a new window) and Sophos(Opens in a new window) have also found evidence linking the 3CX supply chain attack to Lazarus. However, it’s still unclear how the hackers managed to infiltrate the VoIP company to deliver the malware. In the meantime, 3CX has hired the cybersecurity team Mandiant to investigate the incident and is urging(Opens in a new window) clients to uninstall the company’s desktop app.
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Hits: 0
