A New Supply Chain Attack Targeting Cryptocurrency Firms Linked to North Korea
A recent supply chain attack that has been linked to North Korea appears to have been specifically crafted to target cryptocurrency firms with backdoor malware, according to cybersecurity firm Kaspersky.
Discovery of Backdoor Malware
The campaign was initially thought to be a sophisticated multi-stage operation aimed at dropping an infostealer on targeted organizations. Kaspersky has since identified the presence of backdoor malware known as “Gopuram” in the attacks; the Russian AV vendor has been tracking this malware since 2020.
Based on the use of Gopuram in the attacks, Kaspersky has concluded that the likely perpetrator behind the campaign is North Korea’s Lazarus group. The assessed goal of the attackers has also shifted from cyber-espionage to the theft of digital currency.
Connection to Cryptocurrency Theft
During an investigation into an attack on a Southeast Asian cryptocurrency company in 2020, Kaspersky found Gopuram present alongside the AppleJeus backdoor, which has previously been attributed to Lazarus. The escalation in Gopuram infections in March 2023 was directly linked to the 3CX supply chain attack.
Gopuram is a modular backdoor that was delivered in the 3CX attack as a second-stage payload through DLL sideloading. On compromised machines it is capable of various actions, such as registry and service manipulation, file timestomping, and injecting payloads into processes.
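Timestomping, one of the capabilities listed above, leaves forensic traces that defenders can check for. The following is an added example, not code from the original article or from Kaspersky, that applies two standard NTFS heuristics to file-metadata records: a user-mode timestomping call rewrites the $STANDARD_INFORMATION timestamps but not the kernel-maintained $FILE_NAME timestamps, so a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time is suspicious, as is a timestamp with a zeroed sub-second component, since many timestomping utilities set whole seconds only. The records, paths and timestamps below are constructed for illustration and correspond to no real sample.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class FileRecord:
    """One file's timestamps as exported from an NTFS $MFT parser (constructed layout)."""
    path: str
    si_created: datetime    # $STANDARD_INFORMATION creation time (writable from user mode)
    si_modified: datetime   # $STANDARD_INFORMATION last-modified time
    fn_created: datetime    # $FILE_NAME creation time (maintained by the kernel)
    fn_modified: datetime   # $FILE_NAME last-modified time


def timestomp_indicators(rec: FileRecord) -> List[str]:
    """Return the names of every timestomping heuristic the record triggers."""
    findings: List[str] = []
    # 1. $SI creation time earlier than $FN creation time: $SI was rewritten backwards.
    if rec.si_created < rec.fn_created:
        findings.append("si_created_before_fn_created")
    # 2. Zeroed sub-second precision on both $SI timestamps: typical of whole-second
    #    values written by timestomping tools rather than by the file system.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        findings.append("si_zero_subsecond_precision")
    # 3. Modified earlier than created is impossible for an untouched file.
    if rec.si_modified < rec.si_created:
        findings.append("si_modified_before_created")
    return findings


def scan(records: List[FileRecord]) -> Dict[str, List[str]]:
    """Map each suspicious path to its indicators; clean files are omitted."""
    return {r.path: f for r in records if (f := timestomp_indicators(r))}


# Constructed sample input: one file written normally by an installer and one
# planted DLL whose $SI timestamps were pushed back to look like part of an old install.
SAMPLE_RECORDS = [
    FileRecord(
        path=r"C:\Program Files\ExampleApp\app.exe",  # constructed, not a real path
        si_created=datetime(2023, 3, 20, 10, 15, 32, 123456),
        si_modified=datetime(2023, 3, 20, 10, 15, 33, 884210),
        fn_created=datetime(2023, 3, 20, 10, 15, 32, 123456),
        fn_modified=datetime(2023, 3, 20, 10, 15, 33, 884210),
    ),
    FileRecord(
        path=r"C:\Program Files\ExampleApp\sideloaded.dll",  # constructed, not a real path
        si_created=datetime(2020, 1, 1, 0, 0, 0, 0),
        si_modified=datetime(2020, 1, 1, 0, 0, 0, 0),
        fn_created=datetime(2023, 3, 29, 14, 2, 11, 552310),
        fn_modified=datetime(2023, 3, 29, 14, 2, 11, 552310),
    ),
]


if __name__ == "__main__":
    for path, indicators in scan(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(indicators)}")
```

Running the script reports only the planted DLL, with both the backwards $STANDARD_INFORMATION creation time and the zeroed sub-second precision flagged. On a real investigation the records would come from an $MFT export; the heuristics are indicators that warrant a closer look, not proof of tampering on their own, since legitimate archive extraction and some copy tools also preserve old timestamps.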
Highly Targeted Campaign
Although Gopuram has so far been deployed on only a small number of machines, Kaspersky believes the campaign is highly targeted and focused specifically on cryptocurrency firms, indicating a deliberate effort to steal digital currency.
Continued Investigation
Kaspersky’s investigation into the 3CX campaign and the deployed implants is ongoing. The cybersecurity firm aims to uncover more details about the toolset used in the supply chain attack and the motives behind targeting cryptocurrency firms.
North Korea’s History of Targeting Crypto Firms
North Korean state hackers have a long-standing history of targeting cryptocurrency firms as part of their efforts to steal funds for the country’s nuclear weapons program. The recent supply chain attack further highlights the ongoing threat posed by North Korea in the realm of cybercrime.