
Cryptocurrency companies targeted via Gopuram malware through the 3CX attack

April 3, 2023

Kaspersky investigated a supply chain attack conducted via 3CXDesktopApp, a popular VoIP program. The malware behind this attack, dubbed Gopuram, has been tracked internally since 2020, but the number of infections began to increase in March 2023. The recent report by Kaspersky provides an overview of the Gopuram backdoor together with observations of the latest campaign, which has affected enterprises, and particularly cryptocurrency companies, around the world.

On March 29, a 3CX supply chain attack was reported. Kaspersky researchers analyzed available reports on this campaign and reviewed their own telemetry. On one machine, researchers observed a suspicious Dynamic Link Library (DLL) that was loaded into the infected 3CXDesktopApp.exe process.

Kaspersky experts opened an investigation into a case linked to that DLL on March 21, about a week before the supply chain attack was discovered. That DLL was used in deployments of a backdoor that was dubbed “Gopuram” and had been tracked internally since 2020. Three years ago, Kaspersky investigated an infection of a cryptocurrency company located in Southeast Asia. During that investigation, it was found that Gopuram coexisted on victim machines with AppleJeus, a backdoor attributed to the Korean-speaking threat actor Lazarus.

As for the victims in Kaspersky’s telemetry, installations of the infected 3CX software are located all over the world, with the highest infection figures observed in Brazil, Germany, Italy and France. Despite that, Gopuram has been deployed to fewer than ten machines, which indicates that the attackers used this backdoor with surgical precision. Kaspersky additionally observed that the attackers have a specific interest in cryptocurrency companies.

“The infostealer is not the only malicious payload deployed during the 3CX supply chain attack. The threat actor behind Gopuram additionally infects target machines with the fully-fledged modular Gopuram backdoor. We believe that Gopuram is the main implant and the final payload in the attack chain. Our investigation of the 3CX campaign is ongoing and we will continue analyzing the deployed implants to find out more details about the toolset used in the supply chain attack,” comments Georgy Kucherin, a security expert at GReAT, Kaspersky.


Learn more about Gopuram backdoor and the supply chain attack on Securelist.

To protect against Gopuram-like threats, follow these recommendations:

o   Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.

o   Carry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.

o   Install anti-APT and EDR solutions that enable threat discovery and detection, investigation and timely remediation of incidents. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within the Kaspersky Expert Security framework.

o   Along with proper endpoint protection, dedicated services can help against high-profile attacks. The Kaspersky Managed Detection and Response service can help identify and stop attacks in their early stages, before the attackers achieve their goals.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
