Cryptocurrency Firms Hit by 3CX Attack Using Gopuram Malware

  • Written by Ari Denial, Cybersecurity & Tech Writer

North Korean threat actors tracked as the Lazarus Group carried out a supply chain attack on 3CX, a VoIP communications vendor. The attackers reached the company’s customers by distributing trojanized builds of its desktop application for Windows and macOS, resulting in a large-scale compromise.

Researchers found that the attack spread via trojanized MSI installers for 3CXDesktopApp whose installation package contained a malicious DLL. The payload connects to a command-and-control (C2) server and downloads an infostealer, which collects system information and browser history and sends it back to the C2 server.

Gopuram had already been seen in a number of infections that rose sharply in March 2023, and the cause turned out to be directly related to the 3CX supply chain attack. Cryptocurrency companies were specifically targeted. On infected machines the malware dropped two files: a malicious library named wlbsctrl.dll, a DLL name that a clean Windows installation does not ship and that is a well-known DLL side-loading target, and an encrypted shellcode payload stored under C:\Windows\System32\config\TxR\ with a .TxR.0.regtrans-ms name, so that it blends in with the transactional registry files Windows keeps in that directory.
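The two host artifacts above are concrete enough to hunt for on a mounted volume or forensic image. The following triage script is an added example and is not code from Kaspersky, 3CX or the article’s author: it assumes a Windows directory laid out like C:\Windows and flags a wlbsctrl.dll anywhere under System32, plus any .regtrans-ms file in config\TxR whose name does not start with the {GUID}.TxR.<n> prefix that legitimate transactional registry files use. The sample tree it scans is constructed inline.

```python
import re
from pathlib import Path
from tempfile import mkdtemp

# Added triage check (not from the Kaspersky report or 3CX). Assumes the target
# is a Windows directory such as E:\Windows on a mounted volume or image.
SIDELOAD_DLL = "wlbsctrl.dll"  # not shipped by a clean Windows install

# Legitimate transactional-registry files are named {GUID}.TxR.<n>.regtrans-ms
LEGIT_TXR = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"
    r"\.TxR\.\d+\.regtrans-ms$",
    re.IGNORECASE,
)


def scan_for_gopuram_artifacts(windows_dir: Path) -> list[tuple[str, str]]:
    """Return (indicator, path) pairs for the two Gopuram file artifacts."""
    findings: list[tuple[str, str]] = []
    system32 = windows_dir / "System32"

    # 1. A wlbsctrl.dll anywhere under System32 is a side-loading candidate.
    for candidate in system32.rglob("*"):
        if candidate.is_file() and candidate.name.lower() == SIDELOAD_DLL:
            findings.append(("sideload-dll", str(candidate)))

    # 2. A .regtrans-ms file in config\TxR without the {GUID}.TxR.<n> prefix
    #    does not look like something Windows wrote there itself.
    txr = system32 / "config" / "TxR"
    if txr.is_dir():
        for entry in txr.iterdir():
            if (entry.is_file()
                    and entry.name.lower().endswith(".regtrans-ms")
                    and not LEGIT_TXR.match(entry.name)):
                findings.append(("odd-regtrans-ms", str(entry)))
    return findings


def build_sample_tree() -> Path:
    """Constructed fixture: a fake Windows dir with one benign and two bad files."""
    root = Path(mkdtemp()) / "Windows"
    txr = root / "System32" / "config" / "TxR"
    txr.mkdir(parents=True)
    # Benign: a normally named transactional registry log (GUID is made up).
    (txr / "{6cced2ec-6b5b-11e8-9ec8-ccf0cdc8abe3}.TxR.0.regtrans-ms").write_bytes(b"\x00" * 64)
    # Suspicious: same extension, but no GUID prefix (stand-in for the payload).
    (txr / "TxR.0.regtrans-ms").write_bytes(b"\xde\xad\xbe\xef" * 16)
    # Suspicious: a DLL name Windows never ships, sitting in System32.
    (root / "System32" / "wlbsctrl.dll").write_bytes(b"MZ" + b"\x00" * 62)
    return root


if __name__ == "__main__":
    for kind, path in scan_for_gopuram_artifacts(build_sample_tree()):
        print(f"{kind}: {path}")
```

Name-based checks like this are a first pass only: a hit should be followed by hashing the file and comparing it against the indicators published by 3CX and the responding vendors, since a later build of the loader could use a different file name.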

Kaspersky researchers revealed that the attackers deployed Gopuram with surgical precision, placing it on fewer than ten infected machines. Together with the choice of victims, this points to a financial motive and a specific interest in cryptocurrency businesses.

Infected 3CX installations were found worldwide, with the highest counts in Germany, France, Italy and Brazil, but the follow-on Gopuram deployments show the attackers’ particular interest in cryptocurrency companies.

After several customers reported that 3CXDesktopApp was being flagged as malicious by security software, 3CX confirmed that its Electron-based desktop client had been compromised with malware. The trojanized installers carried a valid 3CX code-signing signature, so signature verification alone did not reveal the tampering; affected customers had to match file hashes against the indicators published by 3CX and the responding vendors.

Following the supply chain attack, 3CX advised its customers to uninstall the Electron desktop app from their Windows and macOS systems and switch to the progressive web application (PWA) Web Client.

High-profile companies and organizations such as Mercedes-Benz, Honda, Air France, the UK’s National Health Service, Coca-Cola, American Express, McDonald’s, IKEA, BMW and Toyota are among 3CX’s customers.

New Money Message Ransomware Demands Payment or Threatens Total Data Loss

  • Written by Ari Denial, Cybersecurity & Tech Writer

Ransomware groups keep multiplying across the threat landscape, much like mushrooms after rainfall. One of the newest additions to an already crowded field is the Money Message group, which has been observed demanding million-dollar ransoms from its victims in exchange for a decryptor.

The Money Message encryptor is written in C++ and carries an embedded JSON configuration file that dictates how a device is encrypted. The configuration defines the parameters that matter most during an attack: the folders that should be skipped, the extension to append to encrypted files, and the services and processes that must be terminated before encryption starts, so that open file handles do not block it. It also includes an option to enable or disable logging during the encryption run.

More worrying is that the configuration file also contains domain login names and passwords. Credentials harvested during the intrusion are baked into the encryptor so it can reach other systems, which means a recovered sample tells defenders exactly which accounts the attackers held and which must be reset before any restoration begins.

In the samples analyzed so far the Money Message encryptor does not append any extension to encrypted files, although this may vary between victims since the extension is a configuration value. According to security researcher Rivitna, the ransomware encrypts files with ChaCha20 and protects the file keys with ECDH, so the key material needed for decryption is not recoverable from the victim’s own disk.

Once encryption completes, Money Message drops a ransom note named money_message.log. The note contains a link to a TOR negotiation site where the victim is expected to bargain with the attackers.
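Because Money Message may leave file names untouched, an incident responder cannot simply search for a ransomware extension to scope the damage; the ransom note and the content of the files are the only signals. The script below is an added example, not code from the article’s author or from any of the researchers cited, and the victim directory it inspects is constructed inline. It locates money_message.log files and flags candidate encrypted files by combining a broken magic header (a .pdf that no longer starts with %PDF) with a high Shannon entropy over the first 4 KiB, a threshold assumed here rather than taken from any analysis of the sample.

```python
import math
import random
from pathlib import Path
from tempfile import mkdtemp

# Added triage helper (not from the article or the cited researchers).
RANSOM_NOTE = "money_message.log"

# First bytes of a few common formats. An encrypted file keeps its name but
# loses its header; a legitimate compressed file keeps both.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
SAMPLE_BYTES = 4096
ENTROPY_THRESHOLD = 7.5  # assumed cut-off; 8.0 is the maximum for bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ~8.0 for ciphertext or random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path) -> bool:
    """Flag files with high-entropy content and no valid header for their type."""
    head = path.read_bytes()[:SAMPLE_BYTES]
    magic = MAGIC.get(path.suffix.lower())
    if magic is not None and head.startswith(magic):
        return False  # header intact: a real container, even if its body is compressed
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def triage(root: Path) -> dict[str, list[str]]:
    """Return ransom note locations and files that appear to have been encrypted."""
    notes = [str(p) for p in root.rglob(RANSOM_NOTE)]
    suspected = [
        str(p) for p in root.rglob("*")
        if p.is_file() and p.name != RANSOM_NOTE and looks_encrypted(p)
    ]
    return {"ransom_notes": sorted(notes), "suspected_encrypted": sorted(suspected)}


def build_sample_victim_dir() -> Path:
    """Constructed fixture: a share with two untouched files and two encrypted ones."""
    root = Path(mkdtemp()) / "share"
    (root / "finance").mkdir(parents=True)
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    text = b"Quarterly figures: revenue up 4%, costs flat, headcount unchanged.\n" * 60
    (root / "readme.txt").write_bytes(text)                          # untouched plaintext
    (root / "invoice.pdf").write_bytes(b"%PDF-1.7\n" + rng.randbytes(4000))  # header intact
    (root / "finance" / "report.pdf").write_bytes(rng.randbytes(4096))      # header gone
    (root / "finance" / "notes.txt").write_bytes(rng.randbytes(4096))       # plaintext gone
    (root / "finance" / RANSOM_NOTE).write_bytes(b"Your files are encrypted. Visit our TOR site.\n")
    return root


if __name__ == "__main__":
    result = triage(build_sample_victim_dir())
    print("ransom notes:", result["ransom_notes"])
    print("suspected encrypted:", result["suspected_encrypted"])
```

Entropy alone misfires on archives, media and already-encrypted containers, which is why the header check comes first; on a real share the hit list should be cross-checked against file modification times clustered around the ransom note’s creation time.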

In addition to the ransom demand, the operators warn that any data stolen before encryption will be published on their data leak site if the victim does not pay, the double-extortion pattern now standard among ransomware groups.

Despite the unsophisticated encryptor, the group’s attacks have succeeded in stealing data and encrypting devices. Researchers continue to analyze the ransomware, and any weakness in its encryption that would allow a free decryptor will only be known once that analysis is complete; until then, victims should treat the stolen credentials and exfiltrated data, not just the encrypted files, as the core of the incident.