    Gopuram becomes the main weapon in the attack on cryptocurrency companies

    Cryptocurrency companies affected by the 3CX supply chain attack are infected with the Gopuram backdoor, which delivers additional malware to targeted devices.

    In March, the Lazarus Group carried out a cyberattack on 3CX, a company providing VoIP telephony services. During the campaign, the firm's clients were infected with trojanized versions of the 3CX desktop application for Windows and macOS, in a large-scale supply chain attack.

    In this attack, the attackers replaced two DLLs used by the Windows desktop application with malicious versions that downloaded information-stealing trojans.

    Recently, Kaspersky Lab discovered that the Gopuram backdoor, which the Lazarus group has used against cryptocurrency companies since at least 2020, was also deployed as a second-stage payload in attacks against 3CX clients.

    Gopuram is a modular backdoor that performs the following functions:

    • Manipulating the registry and Windows services;
    • Changing the timestamps of a binary file (timestomping) to avoid detection;
    • Payload injection into running processes;
    • Loading unsigned Windows drivers using the open source Kernel Driver Utility;
    • Partial control of the infected device via the “net” command.

    New Gopuram infections made it possible to attribute the attack on 3CX to the Lazarus group. Kaspersky Lab researchers believe that Gopuram is the main implant and the final-stage payload in the 3CX attack chain. In March 2023, the number of Gopuram infections increased around the world: attackers delivered a malicious library (wlbsctrl.dll) and encrypted shellcode (.TxR.0.regtrans-ms) to the systems of cryptocurrency companies affected by the 3CX supply chain attack.

    Telemetry showed that devices worldwide were infected, with the highest rates of infection observed in Brazil, Germany, Italy and France. Since the Gopuram backdoor was deployed on fewer than 10 infected machines, the attacks appear to be targeted, and the attackers appear to have a particular interest in cryptocurrency companies.
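    As an added defender-side example (not code from the article, from Kaspersky or from the Gopuram operators), the following Python script hunts a file tree for the two artifacts named above, wlbsctrl.dll and .TxR.0.regtrans-ms, and applies two general timestomping heuristics to each hit. The heuristics, thresholds and function names are my assumptions, not something the article describes.

```python
import os
from dataclasses import dataclass, field
from typing import List

# File names taken from the article; the heuristics below are general forensic rules.
SUSPECT_NAMES = {"wlbsctrl.dll"}            # malicious library delivered with Gopuram
SUSPECT_SUFFIXES = (".txr.0.regtrans-ms",)  # shellcode file; legit Windows TxR logs share this suffix, so triage hits

@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)

def check_name(name: str) -> List[str]:
    """Match a file name (case-insensitively) against the artifacts named in the article."""
    low = name.lower()
    reasons = []
    if low in SUSPECT_NAMES:
        reasons.append("name matches article-listed library")
    if low.endswith(SUSPECT_SUFFIXES):
        reasons.append("name matches article-listed shellcode file")
    return reasons

def timestomp_reasons(mtime: float, ctime: float) -> List[str]:
    """Timestomping heuristics. ctime is taken as creation time, which is what
    os.stat reports on Windows; on POSIX it is inode-change time (rule 1 is Windows-only)."""
    reasons = []
    # Rule 1: a file cannot honestly be modified before it was created (1 s slack for jitter).
    if mtime + 1 < ctime:
        reasons.append("mtime earlier than creation time")
    # Rule 2: NTFS keeps 100 ns precision; timestomping tools often write whole seconds (fraction == 0).
    if mtime == int(mtime) and ctime == int(ctime):
        reasons.append("timestamps truncated to whole seconds")
    return reasons

def scan(root: str) -> List[Finding]:
    """Walk a directory tree; report name hits, enriched with the timestamp heuristics."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            reasons = check_name(name)
            if not reasons:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip rather than abort the hunt
            findings.append(Finding(path, reasons + timestomp_reasons(st.st_mtime, st.st_ctime)))
    return findings
```

    Point scan() at a mounted disk image or a suspect host's system drive; a name hit is the lead to escalate, and the timestamp reasons only add context for the analyst.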

    Author DeepWeb