The offensive who launched the chain attack on 3CX used a second-stage implant to strike only several cryptocurrency businesses.
Seeing a rise in assaults in March 2023, which matched with the 3CX hack, according to Russian antivirus company Kaspersky that has been watching the flexible backdoor known as Gopuram privately since 2020.
What is Gopuram all about?
Gopuram’s main objective is to build a link with a command-and-control (C2) server in order to get ready for subsequent commands that will let attackers run processes, change the suspect’s file system, and turn on as many as eight in-memory modules. The backdoor, which was used in an attack on an unnamed crypto company in Southeast Asia in 2020, “co-existed on victim workstations with AppleJeus, a backdoor related to the Korean-speaking malicious actor Lazarus,” reveals Gopuram’s relations to North Korea. The Lazarus Group usually impacts the financial industry in order to generate ill-gotten wealth for a nation subject to sanctions, therefore the attack on crypto companies is yet another unmistakable sign of their involvement.
Moreover, Kaspersky reports that it had discovered a C2 overlap with a server (“wirexpro[.]com”) that had earlier been recognized as being used in an AppleJeus campaign that Malwarebytes found in December 2022.
Who had time to suffer?
A BlackBerry statement that “the early stage of this procedure actually occurred around the end of the summer and the start of the fall of 2022” coincides with the progress.
The healthcare, pharma, IT, and financial industries are the most frequently attacked, according to the Canadian firm, which reports that the majority of assault attempts have been documented in Australia, the US, and the UK.
A known or undiscovered vulnerability may have been used for the malicious actors to get original access to the 3CX network, although this is still unknown. CVE-2023-29059 is the identification number being used to trace the vulnerability.