Kaspersky, the leading cybersecurity company, has reported identifying a massive supply chain attack that ultimately targeted a small number of cryptocurrency companies. The remote code execution (RCE) malware was found in the 3CX software, which is used by over 600,000 firms, with the highest infection rates in Brazil, Germany, Italy and France. The Gopuram backdoor was likely installed by the North Korea-linked threat actor 'Labyrinth Chollima', Kaspersky said.

On most of the infected computers, the malicious activity included beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and presumably hands-on-keyboard activity. Notably, Gopuram was found to coexist with the AppleJeus backdoor, which is attributed to the infamous North Korean Lazarus group.

Upon further investigation, Kaspersky found that the malicious activity was present on fewer than ten computers, but that it had been deployed with surgical precision, focusing only on cryptocurrency companies. Kaspersky had previously observed a Gopuram infection at a cryptocurrency company in South East Asia.

The epicenter of this supply chain attack was the 3CXDesktopApp.exe file, which was found to contain an invalid dynamic link library (DLL). This DLL was responsible for delivering the Gopuram backdoor.

CrowdStrike also reported on the same attack and noted that the 3CX app was signed with a DigiCert certificate. The firm is continuing its analysis of the source to determine whether the DigiCert-signed versions are counterfeit or have been tampered with.

Overall, this supply chain attack highlights the current need to focus on the security of any software used to conduct business. It is necessary to verify the legitimacy of the software and the integrity of the source from which it originates. No matter how big a company is, safety and security come first, as they help prevent data loss and further threats posed by attackers.
