A supply chain attack installed a backdoor in computers around the world but has only been deployed in fewer than ten computers, cybersecurity company Kaspersky has reported. The deployments showed a particular interest in cyptocurrency companies, it added.
Cybersecurity company Crowdstrike reported on March 29 that it has identified malicious activity on the 3CX softphone app 3CXDesktopApp. The app is marketed to corporate clients. The malicious activity detected included “beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.”
Kaspersky said it suspected the involvement of the North Korea-linked threat actor Labyrinth Chollima. 3CX said of the infection:
Kaspersky was already investigating a dynamic link library (DLL) found in one of the infected 3CXDesktopApp .exe file, it said. The DLL in question had been used to deliver the Gopuram backdoor, although it was not the only malicious payload deployed in the attack. Gopuram has been found to coexist with the AppleJeus backdoor attributed to the North Korean Lazarus group, Kaspersky added.
Related: North Korean hackers are pretending to be crypto VCs in new phishing scheme — Kaspersky
Infected 3CX software has been detected around the world, with highest infection figures in Brazil, Germany, Italy and France. Gopuram has been deployed in fewer than ten computers, however, in a display of “surgical precision,” Kaspersky said. It had found a Gopuram infection in a Southeast Asian cryptocurrency company in the past.
If you are looking for a comprehensive overview of the current #3CX supply chain attack, I created a diagram that shows the attack flow!I'll update as soon as the analysis
Read more on cointelegraph.com