Thursday, June 1, 2023
LetsAskBinu.com
  • Home
  • Cybersecurity
  • Cyber Threats
  • Hacking
  • Protection
  • Networking
  • Malware
  • Fintech
  • Internet Of Things
No Result
View All Result
LetsAskBinu.com
No Result
View All Result
Home Cybersecurity

Lazarus Group Gopuram Backdoor Found at Some 3CX Victims

Researcher by Researcher
April 4, 2023
in Cybersecurity
0
New ToddyCat APT Targets Exchange Servers
189
SHARES
1.5k
VIEWS
Share on FacebookShare on Twitter


A small number of the organizations compromised in the supply chain attack against 3CX not only had the main infostealer malware installed in their environments, but also a fully featured backdoor that has been seen in known intrusions by the Lazarus Group in recent years.

The backdoor is known as Gopuram and researchers from Kaspersky discovered that a handful of companies that were hit as part of the 3CX compromise were infected by Gopuram. Many of those companies are in the cryptocurrency ecosystem, which is a prime target for the Lazarus Group. The researchers have been tracking Gopuram since 2020 and have seen it used in attacks on cryptocurrency companies in the past and were able to identify its presence on some of the machines compromised through the 3CX attack by finding a specific DLL on those computers.

“As we reviewed available reports on the 3CX attack, we began wondering if the compromise concluded with the infostealer or further implants followed. To answer that question, we decided to review the telemetry we had on the campaign. On one of the machines, we observed a DLL named guard64.dll, which was loaded into the infected 3CXDesktopApp.exe process,” the Kaspersky researchers wrote in an analysis of the Gopuram backdoor.

“Interestingly enough, we opened an investigation into a case linked to that DLL on March 21, about a week before the supply chain attack was discovered. A DLL with that name was used in recent deployments of a backdoor that we dubbed ‘Gopuram’ and had been tracking internally since 2020.”

The attack on 3CX became public last week when security companies began seeing indications that the company’s voice and video calling app for Windows had been compromised. 3CX eventually disclosed that two versions of the Windows app and four versions of the macOS app had been compromised and were being used to install malicious code on victims’ machines. The early analyses of the attack found that the main payload of the compromised app was an infostealer that was collecting specific data and exfiltrating it.

But some researchers thought that there could have been another payload involved in the intrusions.

“As it turns out, the infostealer is not the only malicious payload deployed during the 3CX supply chain attack. The threat actor behind Gopuram additionally infects target machines with the full-fledged modular Gopuram backdoor. We believe that Gopuram is the main implant and the final payload in the attack chain,” the Kaspersky researchers said.

“The job of the main module is to connect to a C2 server and request commands. The backdoor implements commands that allow the attackers to interact with the victim’s file system and create processes on the infected machine. Gopuram was additionally observed to launch in-memory modules.”

Several research groups have attributed the 3CX attack to North Korean actors, specifically a group that CrowdStrike calls Labyrinth Chollima and is related to the Lazarus Group. The Kaspersky researchers said that the presence of the Gopuram backdoor leaves little doubt as to the attackers’ identity.

“The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence,” the researchers said.

“As the Gopuram backdoor has been deployed to less than ten infected machines, it indicates that attackers used Gopuram with surgical precision. We additionally observed that the attackers have a specific interest in cryptocurrency companies.”



Source link

Related articles

Spring Framework Flaw Exploited in Mirai Malware Attacks

Threat Actors Exploit Critical Zyxel Flaw in Botnet Attacks

June 1, 2023
Cisco Acquiring Armorblox for Predictive and Generative AI Technology

Cisco Acquiring Armorblox for Predictive and Generative AI Technology

June 1, 2023
Tags: 3CXbackdoorGopuramGroupLazarusvictims
Share76Tweet47

Related Posts

Spring Framework Flaw Exploited in Mirai Malware Attacks

Threat Actors Exploit Critical Zyxel Flaw in Botnet Attacks

June 1, 2023
0

Threat actors are exploiting a critical-severity Zyxel flaw in order to add vulnerable devices to a Mirai botnet variant. While...

Cisco Acquiring Armorblox for Predictive and Generative AI Technology

Cisco Acquiring Armorblox for Predictive and Generative AI Technology

June 1, 2023
0

Cisco on Wednesday announced that it’s acquiring California-based cybersecurity firm Armorblox for its artificial intelligence (AI) technology. Armorblox specializes in...

8 best practices for securing your Mac from hackers in 2023

8 best practices for securing your Mac from hackers in 2023

June 1, 2023
0

Best practices for securing your Mac against potential hacks and security vulnerabilities include enabling the firewall, using strong passwords and...

ZuoRAT Malware Found Hitting Home Routers

New SeroXen RAT Emerges | Decipher

June 1, 2023
0

Security researchers are tracking a new fileless RAT named SeroXen that has the capability to evade many EDR systems and...

Sentra Raises $30 Million for DSPM Technology

Chrome 114 Released With 18 Security Fixes

May 31, 2023
0

Google this week announced the release of Chrome 114 to the stable channel with a total of 18 security fixes...

Load More
  • Trending
  • Comments
  • Latest
This Week in Fintech: TFT Bi-Weekly News Roundup 08/02

This Week in Fintech: TFT Bi-Weekly News Roundup 15/03

March 15, 2022
QNAP Escalation Vulnerability Let Attackers Gain Administrator Privileges

QNAP Escalation Vulnerability Let Attackers Gain Administrator Privileges

March 15, 2022
Supply chain efficiency starts with securing port operations

Supply chain efficiency starts with securing port operations

March 15, 2022
A first look at threat intelligence and threat hunting tools

A first look at threat intelligence and threat hunting tools

March 15, 2022
Beware! Facebook accounts being hijacked via Messenger prize phishing chats

Beware! Facebook accounts being hijacked via Messenger prize phishing chats

0
Shoulder surfing: Watch out for eagle‑eyed snoopers peeking at your phone

Shoulder surfing: Watch out for eagle‑eyed snoopers peeking at your phone

0
Remote work causing security issues for system and IT administrators

Remote work causing security issues for system and IT administrators

0
Elementor WordPress plugin has a gaping security hole – update now – Naked Security

Elementor WordPress plugin has a gaping security hole – update now – Naked Security

0
Spring Framework Flaw Exploited in Mirai Malware Attacks

Threat Actors Exploit Critical Zyxel Flaw in Botnet Attacks

June 1, 2023
All eyes on APIs: Top 3 API security risks and how to mitigate them

All eyes on APIs: Top 3 API security risks and how to mitigate them

June 1, 2023
Cisco Acquiring Armorblox for Predictive and Generative AI Technology

Cisco Acquiring Armorblox for Predictive and Generative AI Technology

June 1, 2023
This Week in Fintech: TFT Bi-Weekly News Roundup 08/02

This Week in Fintech: TFT Bi-Weekly News Roundup /

June 1, 2023

Recent Posts

Spring Framework Flaw Exploited in Mirai Malware Attacks

Threat Actors Exploit Critical Zyxel Flaw in Botnet Attacks

June 1, 2023
All eyes on APIs: Top 3 API security risks and how to mitigate them

All eyes on APIs: Top 3 API security risks and how to mitigate them

June 1, 2023
Cisco Acquiring Armorblox for Predictive and Generative AI Technology

Cisco Acquiring Armorblox for Predictive and Generative AI Technology

June 1, 2023

Categories

  • Cyber Threats
  • Cybersecurity
  • Fintech
  • Hacking
  • Internet Of Things
  • LetsAskBinuBlogs
  • Malware
  • Networking
  • Protection

Tags

Access attack Attacks banking BiWeekly bug Cisco cloud code critical Cybersecurity Data Digital exploited financial Fintech Flaw flaws Google Group Hackers Krebs Latest launches malware Microsoft million Network News open patches Payments platform Ransomware RoundUp security Software Stories TFT Threat Top vulnerabilities vulnerability warns Week

© 2022 Lets Ask Binu All Rights Reserved

No Result
View All Result
  • Home
  • Cybersecurity
  • Cyber Threats
  • Hacking
  • Protection
  • Networking
  • Malware
  • Fintech
  • Internet Of Things

© 2022 Lets Ask Binu All Rights Reserved