FortiGuard Labs is aware of reports that several organizations worldwide downloaded and installed trojanized versions of the X_Trader software, which is believed to be the initial infection vector of the 3CX breach. Some of the reported victims are in critical infrastructure sectors in the United States and Europe. The malicious installers deployed the Veiledsignal backdoor to the targeted machines.

Why is this Significant?

This is significant because several unnamed organizations worldwide, including some in the critical infrastructure sector, downloaded and installed malicious versions of X_Trader, the software believed to be the attack vector used in the recent 3CX incident. The infection gave the alleged attacker, Lazarus, the infamous North Korean threat actor, backdoor access to the affected organizations through the deployed Veiledsignal malware.

X_Trader is a trading platform developed by Trading Technologies.

How did the Attack Occur?

Reports indicate that the trojanized X_Trader installers were hosted on the official Trading Technologies Web site, which appears to have been compromised in early 2022. CVE-2022-0609, a use-after-free vulnerability in Google Chrome, was reportedly leveraged in that compromise. The malicious installers are digitally signed with a Trading Technologies signing certificate, so a valid publisher signature alone does not show that an installer is clean. There is no indication that the installers were actively pushed to victims; they had to be manually downloaded and installed.

Once an installer is executed, it copies the legitimate X_Trader executable and drops two malicious DLLs that are then sideloaded by that executable. One DLL acts as a loader for the other, which contains the Veiledsignal backdoor payload. Veiledsignal injects a module into the Chrome, Firefox, or Edge web browser, and that module connects to the attacker's C2 (Command-and-Control) server to receive commands.

What is the Status of Protection?

FortiGuard Labs has the following AV signatures in place for the known trojanized X_Trader installers:

Riskware/NukeSped
W32/Sphone_XC3.Q!tr

FortiGuard Labs has the following AV signatures in place for other known files used in the attack:

W64/NukeSped.PB!tr
Riskware/NukeSped
W64/BURNTCIGAR.84DB!tr
W64/ShellcodeRunner.KZ!tr
W32/Kryptik.F5ED!tr
W32/Shellcode.RDI!tr
W64/Agent.203F!tr
W32/PossibleThreat

The C2 of the Veiledsignal backdoor is blocked by Web Filtering.

FortiGuard Labs has the following IPS signature in place for CVE-2022-0609:

Google.Chrome.UpdateAnimationTiming.Use.After.Free
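The installer behaviour described above (a legitimately signed executable loading attacker-supplied DLLs dropped into its own directory) is a DLL sideloading pattern that can be triaged from a file inventory. The following is an added example written for this page; it is not FortiGuard code, not a Trading Technologies artifact, and it does not encode any indicator from the X_Trader case. It runs over a constructed inventory of (path, signer) records such as an EDR or Sysinternals export would give you. The system DLL names, the signer strings, the directory layout, and the sample vendor name are all assumptions chosen for illustration. The point it makes is the one the advisory implies: a DLL that carries the vendor's own valid signature is still flagged when it sits in a sideload position, because the installers in this incident were signed with the vendor's certificate too.

```python
"""
Triage of DLL sideloading candidates from a file inventory (added example).

Rules applied per directory that contains at least one .exe:
  1. A DLL whose name normally resolves from System32 but whose signer is not
     Microsoft is a sideload candidate, even if it is signed by the vendor.
  2. An unsigned DLL sitting beside a signed executable is a sideload candidate.
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Assumption: DLL names that Windows normally resolves from System32 and that are
# commonly abused for sideloading. Extend from your own baseline.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptsp.dll", "uxtheme.dll"}

# Assumption: the signer string your inventory tool reports for Microsoft-signed files.
MICROSOFT_SIGNER = "Microsoft Windows"

REASON_SYSTEM_NAME = "system-dll-name-not-microsoft-signed"
REASON_UNSIGNED = "unsigned-dll-beside-signed-exe"


@dataclass(frozen=True)
class FileRecord:
    path: str
    signer: Optional[str]  # None means no Authenticode signature present


def find_sideload_candidates(records: List[FileRecord]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for DLLs in a sideload position, sorted by path."""
    by_dir = defaultdict(list)
    for rec in records:
        p = PureWindowsPath(rec.path)
        by_dir[str(p.parent).lower()].append((p, rec))

    findings: List[Tuple[str, str]] = []
    for entries in by_dir.values():
        exes = [rec for p, rec in entries if p.suffix.lower() == ".exe"]
        if not exes:
            continue  # no executable here to do the loading
        exe_signed = any(rec.signer is not None for rec in exes)
        for p, rec in entries:
            if p.suffix.lower() != ".dll":
                continue
            name = p.name.lower()
            if name in SYSTEM_DLL_NAMES and rec.signer != MICROSOFT_SIGNER:
                # Vendor-signed or unsigned copy of a system DLL beside an EXE:
                # the signature does not clear it, the location is the problem.
                findings.append((rec.path, REASON_SYSTEM_NAME))
            elif exe_signed and rec.signer is None:
                findings.append((rec.path, REASON_UNSIGNED))
    return sorted(findings)


# Constructed sample inventory (assumption; not real paths or signers from the incident).
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Program Files\TradingApp\app.exe", "Example Vendor Inc."),
    FileRecord(r"C:\Program Files\TradingApp\version.dll", "Example Vendor Inc."),  # rule 1
    FileRecord(r"C:\Program Files\TradingApp\helper.dll", None),                    # rule 2
    FileRecord(r"C:\Program Files\TradingApp\vendorlib.dll", "Example Vendor Inc."),  # clean
    FileRecord(r"C:\Windows\System32\version.dll", "Microsoft Windows"),           # clean
]


if __name__ == "__main__":
    for path, reason in find_sideload_candidates(SAMPLE_INVENTORY):
        print(f"{reason}: {path}")
```

A hit from rule 1 is the stronger lead: a vendor-signed file is exactly what a signature-only check would accept, and this incident is a reminder that the vendor's certificate can be in the attacker's hands. Treat the output as a triage queue, not a verdict, and confirm candidates against the vendor's shipped file list and known-good hashes.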
Critical Infrastructure Organizations Compromised through Trojanized X_Trader Software