Critical Infrastructure Organizations Compromised through Trojanized X_Trader Software

Description

FortiGuard Labs is aware of reports that several organizations worldwide downloaded and installed trojanized versions of X_Trader software, which is believed to be the infection vector of the 3CX breach. Some of the reported victims are in critical infrastructure sectors in the United States and Europe. The malicious installers deployed the Veiledsignal backdoor to targeted machines.

Why is this Significant?

This is significant because several unnamed organizations worldwide, including those in critical infrastructure sector, downloaded and installed malicious versions of the X_Trader software believed to be the attack vector used in the recent 3CX incident. The infection allowed the alleged attacker Lazarus, the infamous North Korean threat actor, to have backdoor access to affected organizations through the deployed Veiledsignal malware.

X_Trader software is a trading platform developed by Trading Technologies.

How did the Attack Occur?

Reports indicate that the trojanized versions of X_Trader software installers were hosted on the official Trading Technologies Web site, which appears to have been compromised in early 2022. CVE-2022-0609 (Use After Free Vulnerability in Google Chrome). was reportedly leveraged in the compromise. The malicious installers are digitally signed using a Trading Technologies' signing certificate. There is no indication that the installers were actively distributed, rather they had to be manually downloaded and installed.

Once the installers are executed, they copy the legitimate X_Trader executable and drop two malicious DLLs that are then sideloaded by the executable. One DLL acts as a loader of the other DLL containing Veiledsignal backdoor payload.

Veiledsignal backdoor injects a module into the Chrome, Firefox, or Edge web browsers, which connects to the attacker's C2 (Command-and-Control) server for commands.

What is the Status of Protection?

FortiGuard Labs has the following AV signatures in place for the known available trojanized X_Trader installers:

• Riskware/NukeSped
• W32/Sphone_XC3.Q!tr

FortiGuard Labs has the following AV signatures in place for other known available files used in the attack:

• W64/NukeSped.PB!tr
• Riskware/NukeSped
• W64/BURNTCIGAR.84DB!tr
• W64/ShellcodeRunner.KZ!tr
• W32/Kryptik.F5ED!tr
• W32/Shellcode.RDI!tr
• W64/Agent.203F!tr
• W32/PossibleThreat

C2 of of the Veiledsignal backdoor is blocked by Webfiltering.

FortiGuard Labs has the following IPS signature in place for CVE-2022-0609:

• Google.Chrome.UpdateAnimationTiming.Use.After.Free

Outbreak Alert

Security researchers observed that the threat actors abused a popular business communication software by 3CX. The reports mention that a version of the 3CX VoIP (Voice over Internet Protocol) desktop client was trojanized and is being used to attack multiple organizations.

View the full Outbreak Alert Report

Appendix

 (Symantec)

3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible (Mandiant)

Countering threats from North Korea (Google)