Did North Korea’s Lazarus Group launch supply chain attack on crypto firms?
  • Cybersecurity firm Kaspersky recently investigated a 3CX supply chain attack that targeted crypto firms.
  • The investigation revealed that North Korea’s Lazarus Group may have been behind the attack.

Popular cybersecurity firm Kaspersky recently concluded an investigation into a supply chain attack on 3CX, a popular VoIP (Voice over Internet Protocol) software provider. The attack came to light on 29 March and reportedly affected cryptocurrency firms.

Kaspersky published its report on the matter on 3 April, after analyzing the available data and reviewing its own telemetry.

Hackers target crypto firms with surgical precision

According to the report, Kaspersky experts found a suspicious Dynamic Link Library (DLL) that was loaded into the infected 3CXDesktopApp.exe process on one of the machines they were monitoring. This DLL was linked to a backdoor known as “Gopuram,” which Kaspersky had been tracking since 2020.

Kaspersky also opened a case linked to the Gopuram backdoor on 21 March. Interestingly, this was roughly a week before the 3CX supply chain attack was discovered. Kaspersky’s previous investigations shed further light on the origins of the Gopuram backdoor.

Three years ago, the cybersecurity firm investigated an infection at a cryptocurrency company located in Southeast Asia. During that investigation, it found that Gopuram coexisted on victim machines with AppleJeus, another backdoor that has been associated with the Lazarus Group, the notorious hacking group based in North Korea.

Kaspersky’s telemetry revealed that installations of the infected 3CX software were located all over the world. Brazil, Germany, Italy, and France recorded the highest number of infections.

However, the Gopuram backdoor was deployed to fewer than ten machines. This indicates that the attackers behind the campaign were highly selective in their targeting.

Georgy Kucherin, a security expert at Kaspersky’s Global Research and Analysis Team (GReAT), said:

“We believe that Gopuram is the main implant and the final payload in the attack chain. Our investigation of the 3CX campaign is ongoing and we will continue analyzing the deployed implants to find out more details about the toolset used in the supply chain attack.”

The specific interest in cryptocurrency companies suggests that the hackers may have been looking to steal valuable assets such as digital currencies or sensitive financial information.

Saman Waris

Editor

Saman Waris works as a Senior News Editor at AMBCrypto. She has always been fascinated by how the tides of finance and technology shape communities across demographics. Cryptocurrencies are of particular interest to Saman, with much of her writing centered around understanding how ideas like Momentum and Greater Fool theories apply to altcoins, specifically, memecoins.