The recent 3CX supply chain attack, linked to North Korea, has turned out to be a targeted effort to infiltrate cryptocurrency firms with backdoor malware, according to cybersecurity firm Kaspersky.
The operation was initially assessed as a campaign to deploy an infostealer on the organizations that received the trojanized software, but Kaspersky has since identified a backdoor known as “Gopuram” on a subset of the victims. That discovery both strengthens the attribution to North Korea’s Lazarus group and indicates that the attackers’ objective was the theft of digital currency rather than conventional cyber-espionage.
During an investigation into an attack on a Southeast Asian cryptocurrency company in 2020, Kaspersky found Gopuram alongside the AppleJeus backdoor, both of which are attributed to Lazarus. Gopuram infections then began to rise in March 2023, a spike Kaspersky links directly to the 3CX supply chain attack.
Gopuram, the modular backdoor seen in the 3CX attack, is deployed as a second-stage payload through DLL sideloading (a legitimate, signed application is made to load a malicious DLL that has been placed where the loader will find it first). On compromised machines it can modify the Windows registry and services, timestomp files so that their timestamps blend in with neighbouring files, and inject payloads into running processes.
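Timestomping is the one capability in that list that leaves a checkable artifact on disk, so here is an added example of the triage an analyst runs when an implant is suspected of back-dating its files. This is illustrative code written for this page, not Kaspersky’s tooling and not derived from Gopuram samples; the NTFS records below are constructed by hand, and the `helper.dll` path is a hypothetical placeholder, not an indicator from the 3CX attack. It implements two standard heuristics: `$STANDARD_INFORMATION` timestamps can be rewritten from user mode while `$FILE_NAME` timestamps cannot, so an `$SI` value older than its `$FN` counterpart is a strong sign of tampering; and timestomping utilities typically write whole-second values, whereas organically written NTFS timestamps almost always carry a sub-second fraction.

```python
"""Timestomping triage heuristics over NTFS-style timestamp records.

Illustrative example only: not Kaspersky's code and not derived from
Gopuram. All records below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class MftRecord:
    """Subset of an NTFS $MFT entry: the two timestamp sets an analyst compares."""
    path: str
    si_created: datetime    # $STANDARD_INFORMATION, writable via SetFileTime
    si_modified: datetime
    fn_created: datetime    # $FILE_NAME, set by the kernel on create/rename only
    fn_modified: datetime


def has_whole_second_precision(ts: datetime) -> bool:
    """True when the timestamp carries no sub-second component.

    Timestomping tools commonly write second-granularity values; organic NTFS
    timestamps almost always have a nonzero fraction. Python's datetime stops
    at microseconds, so this approximates the NTFS 100 ns field.
    """
    return ts.microsecond == 0


def timestomp_indicators(rec: MftRecord) -> list[str]:
    """Return the heuristic reasons a record looks timestomped (empty if clean)."""
    reasons: list[str] = []
    # $FN timestamps are copied from $SI at creation/rename and cannot be set
    # from user mode, so an $SI value older than its $FN counterpart means
    # $SI was rewritten to an earlier time after the fact.
    if rec.si_created < rec.fn_created:
        reasons.append("SI created precedes FN created")
    if rec.si_modified < rec.fn_modified:
        reasons.append("SI modified precedes FN modified")
    if has_whole_second_precision(rec.si_created) or has_whole_second_precision(rec.si_modified):
        reasons.append("SI timestamp has whole-second precision")
    return reasons


def scan(records) -> dict[str, list[str]]:
    """Map each suspicious path to its indicators; clean records are omitted."""
    return {r.path: reasons for r in records if (reasons := timestomp_indicators(r))}


# Constructed sample records (not real forensic data).
SAMPLE_RECORDS = [
    # Benign system file: $SI and $FN agree and both carry sub-second fractions.
    MftRecord(
        path=r"C:\Windows\System32\kernel32.dll",
        si_created=datetime(2022, 5, 7, 5, 0, 12, 345678, UTC),
        si_modified=datetime(2022, 5, 7, 5, 0, 12, 345678, UTC),
        fn_created=datetime(2022, 5, 7, 5, 0, 12, 345678, UTC),
        fn_modified=datetime(2022, 5, 7, 5, 0, 12, 345678, UTC),
    ),
    # Hypothetical sideloaded DLL: $SI back-dated to 2019 with whole-second
    # precision, while $FN still records the real 2023 creation.
    MftRecord(
        path=r"C:\Program Files\ExampleApp\helper.dll",
        si_created=datetime(2019, 3, 1, 0, 0, 0, 0, UTC),
        si_modified=datetime(2019, 3, 1, 0, 0, 0, 0, UTC),
        fn_created=datetime(2023, 3, 22, 14, 7, 51, 118204, UTC),
        fn_modified=datetime(2023, 3, 22, 14, 7, 51, 118204, UTC),
    ),
    # Known false-positive source: files extracted from a ZIP archive inherit
    # second-granularity timestamps, so only the precision heuristic fires.
    MftRecord(
        path=r"C:\Users\alice\Downloads\extracted\readme.txt",
        si_created=datetime(2023, 1, 10, 9, 30, 0, 0, UTC),
        si_modified=datetime(2023, 1, 10, 9, 30, 0, 0, UTC),
        fn_created=datetime(2023, 1, 10, 9, 30, 0, 0, UTC),
        fn_modified=datetime(2023, 1, 10, 9, 30, 0, 0, UTC),
    ),
]


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_RECORDS).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

The third record is there deliberately: the precision heuristic alone produces noise from archive extraction, installers and some copy tools, so in practice it is a reason to look closer, while an `$SI`-before-`$FN` discrepancy is what actually justifies escalating a file.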
Although it has been found on fewer than ten machines so far, Kaspersky assesses that Gopuram is the primary implant and final payload in the attack chain, which points to a highly targeted campaign aimed specifically at cryptocurrency firms. The investigation into the 3CX campaign is ongoing; Kaspersky continues to analyze the deployed implants to learn more about the tools used in the supply chain attack.
North Korean state hackers have a history of targeting cryptocurrency firms and are alleged to have stolen billions of dollars to fund the country’s nuclear weapons program. This latest attack underscores the ongoing threat posed by North Korea-linked actors and the importance of robust security controls within the cryptocurrency industry, including scrutiny of the software updates that third-party vendors push into their environments.
For further information on North Korean cyber attacks targeting cryptocurrency, you can read the United Nations’ report linking North Korea to a $281 million crypto exchange heist.