Kaspersky researchers reported that among the victims of the recent 3CX supply chain attack were cryptocurrency companies that appeared to have been specifically targeted with an additional payload of Gopuram malware, according to BleepingComputer.
The attack, attributed to the North Korean Lazarus Group, included precise deployments of the Gopuram backdoor on fewer than ten infected machines, suggesting that the threat actors specifically targeted cryptocurrency firms and were financially motivated.
"The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence. We believe that Gopuram is the main implant and the final payload in the attack chain," according to the researchers.
Meanwhile, 3CX has acknowledged the supply-chain attack and advised customers to uninstall the 3CXDesktopApp Electron-based desktop client from their Windows or macOS systems and replace it with the progressive web application Web Client App.