
Gopuram Malware through 3CX Attack: Crypto Companies Under Attack


According to Kaspersky, a Russian cybersecurity company that has been tracking a versatile backdoor named Gopuram internally since 2020, the number of Gopuram infections rose in March 2023, coinciding with the 3CX supply chain breach.

Gopuram has been tracked internally since 2020. Three years ago, Kaspersky investigated an infection of a cryptocurrency company located in Southeast Asia. During the investigation, it was found that Gopuram coexisted on victim machines with AppleJeus, a backdoor attributed to the Korean-speaking threat actor Lazarus.

What’s happening behind the doors

Gopuram’s main purpose is to establish a connection to a command-and-control (C2) server and wait for further instructions. Once connected, it lets the attackers:

  • interact with the victim’s file system,
  • create processes, and
  • load and execute up to eight additional modules in memory.

The backdoor’s ties to North Korea rest on that co-existence: Gopuram was found alongside AppleJeus, a backdoor attributed to the Korean-speaking threat actor Lazarus, during the investigation of an attack on an unidentified Southeast Asian cryptocurrency firm in 2020.

The targeting of cryptocurrency firms is a further indication of Lazarus Group involvement, given the threat actor’s repeated focus on the financial sector to generate unlawful profits for a nation under sanctions.

Infection techniques used in the past

Gopuram has been used with surgical precision, infecting fewer than ten machines, with the highest infection rates detected in Brazil, Germany, Italy, and France. The campaign may have aimed to infect selected targets with a full-fledged modular backdoor, with the ICONIC Stealer infostealer serving as a reconnaissance tool to decide which victims were worth the second stage.

“The infostealer is not the only malicious payload deployed during the 3CX supply chain attack. The threat actor behind Gopuram additionally infects target machines with the fully-fledged modular Gopuram backdoor. We believe that Gopuram is the main implant and the final payload in the attack chain. Our investigation of the 3CX campaign is ongoing and we will continue analyzing the deployed implants to find out more details about the tools used in the supply chain attack,” – comments Georgy Kucherin, a security expert at GReAT, Kaspersky.

BlackBerry disclosed that the initial phase of the operation took place between the end of summer and the beginning of fall 2022, with healthcare, pharma, IT, and finance sectors as the top targets. The attackers poisoned 3CX’s development environment and delivered trojanized versions of the legitimate app to downstream customers in a supply chain attack.

A 10-year-old Windows flaw in Authenticode signature validation (CVE-2013-3900, the WinVerifyTrust certificate-padding issue) was weaponized by the attackers to append encrypted shellcode to a signed library without invalidating its signature, a technique previously used by a ZLoader malware campaign. Because the signature hash excludes the certificate table, bytes hidden inside that table are ignored by the default signature check, so the tampered file still appears to be validly signed.

Multiple versions of the desktop app for Windows and macOS were impacted, and 3CX attributed the attack to a “highly experienced and knowledgeable hacker”.
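The padding trick is straightforward to check for offline. The following Python script is an added example and is not code from the page, from Kaspersky, or from 3CX: it parses a PE header, locates the Authenticode certificate table (IMAGE_DIRECTORY_ENTRY_SECURITY), measures the real PKCS#7 object inside it using its DER length, and flags any surplus bytes beyond the 8-byte alignment padding that the format allows. The two sample PE images are constructed inside the script (they are not real 3CX binaries), and the dummy PKCS#7 blob is a placeholder with a valid DER length header, not a real signature.

```python
import struct


def _pe_security_directory(data: bytes):
    """Return (file_offset, size) of the certificate table, or None if absent."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_off = e_lfanew + 4 + 20                     # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                              # PE32
        rva_count_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:                            # PE32+
        rva_count_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError("unknown optional header magic")
    if struct.unpack_from("<I", data, rva_count_off)[0] <= 4:
        return None
    # Directory index 4 is SECURITY; its "VirtualAddress" is a raw file offset.
    off, size = struct.unpack_from("<II", data, dirs_off + 4 * 8)
    return (off, size) if size else None


def _der_object_length(blob: bytes) -> int:
    """Total length (tag + length bytes + content) of the DER SEQUENCE at blob[0]."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                                # short-form length
        return 2 + first
    n = first & 0x7F                                # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_certificate_padding(data: bytes, max_padding: int = 7) -> dict:
    """Compare the WIN_CERTIFICATE dwLength with the real PKCS#7 size.

    Authenticode hashes exclude the certificate table, so attackers can hide a
    payload after the PKCS#7 blob while the signature still verifies. Anything
    beyond the 8-byte alignment padding is reported as suspicious.
    """
    entry = _pe_security_directory(data)
    if entry is None:
        return {"signed": False, "excess": 0, "suspicious": False}
    off, size = entry
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", data, off)
    if dw_length > size or off + dw_length > len(data):
        raise ValueError("WIN_CERTIFICATE length exceeds its directory or the file")
    pkcs7 = data[off + 8:off + dw_length]           # bCertificate field
    der_len = _der_object_length(pkcs7)
    excess = len(pkcs7) - der_len
    return {"signed": True, "cert_type": cert_type, "declared": dw_length,
            "pkcs7_len": der_len, "excess": excess, "suspicious": excess > max_padding}


def build_sample_pe(extra: bytes = b"") -> bytes:
    """Constructed test data: a minimal PE32+ whose certificate table holds a
    dummy 260-byte DER SEQUENCE followed by `extra` (the hidden payload)."""
    pkcs7 = b"\x30\x82\x01\x00" + b"\xAA" * 0x100   # SEQUENCE, long-form length 256
    body = pkcs7 + extra
    pad = (-len(body)) % 8                          # WIN_CERTIFICATE is 8-byte aligned
    # 0x0200 = WIN_CERT_REVISION_2_0, 0x0002 = WIN_CERT_TYPE_PKCS_SIGNED_DATA
    cert_table = struct.pack("<IHH", 8 + len(body) + pad, 0x0200, 0x0002) + body + b"\0" * pad
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)  # x64, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)           # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)            # NumberOfRvaAndSizes
    cert_off = len(dos) + 4 + len(coff) + len(opt)  # table sits right after the headers
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(cert_table))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_table


if __name__ == "__main__":
    for label, extra in (("clean", b""), ("padded", b"\x90" * 64)):
        print(label, check_certificate_padding(build_sample_pe(extra)))
```

Treat a hit as a triage signal rather than proof of compromise: a few legitimate installers store configuration data in the certificate table for the same reason it survives signing. Windows does not enforce this check by default; the opt-in from the CVE-2013-3900 advisory is the EnableCertPaddingCheck registry value under HKLM\Software\Microsoft\Cryptography\Wintrust\Config (and the Wow6432Node equivalent on 64-bit systems), which makes WinVerifyTrust reject exactly the surplus this script reports.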

Concluding thoughts

Malware targeting the crypto industry is very common. Cryptocurrency firms hold assets that can be moved and laundered quickly once stolen, which makes them attractive to financially motivated state actors such as Lazarus, and a trusted supply chain component like a trojanized VoIP client gives attackers a signed, legitimate-looking path into those firms’ networks that ordinary perimeter controls do not question.

So, use encryption, keep software and patches up to date, verify the integrity of what you install, and most importantly stay vigilant to combat digital threats.

By Marrium Akhtar, April 6, 2023


Marrium is a dedicated digital Marketer and an SEO enthusiast who is skilled in cracking SEO codes. Other than work, she loves to stream, eat, and repeat.
