Cryptocurrency Companies Infected with Gopuram Backdoor via 3CX Supply Chain Attack
Cryptocurrency companies that use 3CX as a VoIP telephony service are now infected with the Gopuram backdoor, which delivers additional malware onto targeted devices. In March of this year, the Lazarus Group launched a large-scale supply chain attack on 3CX, infecting the company's clients with trojanized versions of the 3CX desktop applications for Windows and macOS. During the campaign, the attackers replaced two DLL libraries used by the Windows desktop application with malicious versions that stole information from the infected devices.
Recently, Kaspersky Lab discovered that the Gopuram backdoor, which the Lazarus group has used against cryptocurrency companies since at least 2020, was also deployed as a second-stage payload in the attacks on 3CX customers. Gopuram is a modular backdoor that manipulates the Windows registry, changes file timestamps of its binaries to evade detection (timestomping), injects payloads into running processes, loads unsigned Windows drivers using the open-source Kernel Driver Utility, and partially controls the infected device through the net command.
The new Gopuram infections allowed researchers to attribute the attack on 3CX to the Lazarus group. Kaspersky Lab experts believe that Gopuram is the main implant and the final-stage payload of the 3CX attack chain. In March 2023, the number of Gopuram infections around the world increased, with the attackers delivering a malicious library (wlbsctrl.dll) and an encrypted shellcode file (.TxR.0.regtrans-ms) to cryptocurrency companies affected by the 3CX supply chain attack.
Telemetry showed that the infection had spread to devices around the world, with the highest infection rates observed in Brazil, Germany, Italy, and France. Since the Gopuram backdoor was deployed on fewer than 10 infected machines, the attacks appear to be highly targeted, and the attackers show a particular interest in cryptocurrency companies.