A recently uncovered supply chain attack linked to North Korea was most likely designed to target cryptocurrency firms with backdoor malware, according to Kaspersky.
It had been assumed that the sophisticated multi-stage campaign was intended to drop an infostealer on targeted organizations. However, the Russian AV vendor has linked backdoor malware dubbed “Gopuram,” which it has been tracking since 2020, to the attacks.
This both confirms the likely threat actor as North Korea’s Lazarus and changes the suspected end goal of the attackers from cyber-espionage to theft of digital currency.
“While investigating an attack on a Southeast Asian cryptocurrency company in 2020, we found Gopuram co-existing on the same machines with the AppleJeus backdoor, which is attributed to Lazarus,” Kaspersky wrote in a blog post.
“Over the years, we observed few victims compromised with Gopuram, but the number of infections began to increase in March 2023. As it turned out, the increase was directly related to the 3CX supply chain attack.”
The modular backdoor is delivered in the 3CX attack, as is the infostealer, as a second-stage payload via DLL sideloading. It is used to perform a range of actions on infected machines, including manipulating the Windows registry and services, timestomping files and injecting payloads into processes.
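A detection-side illustration of the timestomping behaviour mentioned above, added here as an example; it is not Kaspersky's code and not part of the 3CX or Gopuram analysis. It assumes the three-timestamp model an investigator gets from an $MFT parser (the $STANDARD_INFORMATION created and modified stamps, which SetFileTime() and timestomping tools can rewrite, versus the kernel-maintained $FILE_NAME created stamp, which they cannot). The FileRecord type, helper names and sample paths are invented for the example, and the records are constructed rather than real artefacts; a real check would run over parsed MFT output.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


# Constructed model of the NTFS timestamps an investigator compares.
# $STANDARD_INFORMATION ($SI) timestamps are what SetFileTime() and
# timestomping tools rewrite; $FILE_NAME ($FN) timestamps are maintained
# by the kernel and are not reachable through that API, so disagreement
# between the two is the classic timestomping indicator.
@dataclass(frozen=True)
class FileRecord:
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime


def timestomp_indicators(rec: FileRecord) -> list[str]:
    """Return the heuristic reasons a record looks timestomped (empty if none)."""
    reasons = []
    # A file cannot have been modified before it was created.
    if rec.si_modified < rec.si_created:
        reasons.append("$SI modified precedes $SI created")
    # $SI created backdated below the kernel-maintained $FN created.
    if rec.si_created < rec.fn_created:
        reasons.append("$SI created precedes $FN created")
    # Genuine NTFS stamps carry 100 ns resolution; a hand-typed value such
    # as "2019-01-01 00:00:00" lands on exactly zero fractional seconds.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("zero sub-second precision on $SI timestamps")
    return reasons


def scan(records: list[FileRecord]) -> dict[str, list[str]]:
    """Map each suspicious path to its indicators; clean files are omitted."""
    flagged = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            flagged[rec.path] = reasons
    return flagged


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample records (not real 3CX artefacts). The paths are
# illustrative: a DLL dropped beside a legitimate executable is the usual
# shape of a sideloading staging area.
SAMPLE_RECORDS = [
    FileRecord(
        path=r"C:\Program Files\App\app.exe",
        si_created=_ts("2023-03-20 14:03:11.123456"),
        si_modified=_ts("2023-03-20 14:03:11.123456"),
        fn_created=_ts("2023-03-20 14:03:11.123456"),
    ),
    FileRecord(
        path=r"C:\Program Files\App\helper.dll",
        si_created=_ts("2019-01-01 00:00:00"),
        si_modified=_ts("2019-01-01 00:00:00"),
        fn_created=_ts("2023-03-22 09:17:45.654321"),
    ),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_RECORDS).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

Treat the output as a lead rather than a verdict: installers and archive extractors preserve source timestamps and can trip the precision heuristic on legitimate files, so a hit should be followed by checking the file's signature, its parent process in the timeline and whether it sits next to a signed executable that would load it.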
According to Kaspersky, the backdoor has been deployed to fewer than 10 machines so far, indicating a highly targeted campaign focused specifically on cryptocurrency firms.
“We believe that Gopuram is the main implant and the final payload in the attack chain. Our analysis of the 3CX campaign is still far from complete,” Kaspersky concluded. “We will continue analyzing the deployed implants to find out more details about the toolset used in the supply chain attack.”
North Korean state hackers have been targeting crypto companies for many years and are suspected of stealing billions of dollars to help fund the country’s nuclear weapons program.
Some parts of this article are sourced from:
www.infosecurity-magazine.com