Emerging evidence suggests the hackers who tampered with the 3CX app to deliver malware did so to infiltrate cryptocurrency companies, according to antivirus provider Kaspersky.
Kaspersky today published a report examining a backdoor the hackers were selectively distributing to computers that had the hijacked 3CX desktop app installed. It found a common link between the backdoor and the malware victims.
“We found out that the threat actor specifically targeted cryptocurrency companies,” the company says, citing its own telemetry, which includes users of Kaspersky’s antivirus protection.
3CX provides VoIP services to thousands of businesses, including major brands like McDonald's, Coca-Cola, and BMW. So the hack has sparked fears that a wide range of companies are affected, especially since antivirus companies detected a surge of malicious infections occurring through legitimate 3CX desktop apps last week.
Indeed, the tainted 3CX app was found distributing an infostealer program capable of gathering data from a computer’s browser. However, Kaspersky’s report says the hacker also launched an additional payload on select machines in the form of a backdoor known as "Gopuram."
But according to the company’s own data, Gopuram was deployed “to less than ten infected machines.” Once it installs, the backdoor lets a hacker secretly hijack a computer. Features include the ability to view file systems and create malicious processes on an infected machine.
The presence of Gopuram also adds more evidence that the hack of 3CX is connected to a notorious North Korean state-sponsored hacking group, dubbed Lazarus, which has an appetite for stealing cryptocurrency. Back in 2020, Kaspersky also discovered a Gopuram
Read more on pcmag.com