Symantec detects X_Trader supply chain attack affecting critical infrastructure organizations in US, Europe

Symantec researchers disclosed Friday that the North Korean-linked X_Trader software supply chain attack, the same operation that led to the 3CX compromise, affected organizations beyond 3CX: two critical infrastructure organizations in the energy sector, one in the U.S. and one in Europe, and two further organizations involved in financial trading.

In the 3CX breach, the company's voice and video calling software, DesktopApp, was compromised, and many customers inadvertently downloaded malicious versions of it.

“It appears likely that the X_Trader supply chain attack is financially motivated, since Trading Technologies, the developer of X_Trader, facilitates futures trading, including energy futures,” Symantec researchers wrote in a Friday blog post. “Nevertheless, the compromise of critical infrastructure targets is a source of concern. North Korean-sponsored actors are known to engage in both espionage and financially motivated attacks and it cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation.”

“The discovery that 3CX was breached by another, earlier supply chain attack made it highly likely that further organizations would be impacted by this campaign, which now transpires to be far more wide-ranging than originally believed,” the researchers said. “The attackers behind these breaches clearly have a successful template for software supply chain attacks and further, similar attacks cannot be ruled out.”

The latest findings come amid ongoing reports that attackers believed to be linked to North Korea trojanized 3CX’s DesktopApp. In an attack reminiscent of SolarWinds, installers for several recent Windows and Mac versions of the software were compromised and modified by the attackers to deliver additional information-stealing malware to the user’s computer. The information gathered by the malware presumably allowed the attackers to gauge whether the victim was a candidate for further compromise.

The infection chain starts with the trojanized installer named X_TRADER_r7.17.90p608[dot]exe, which is digitally signed by ‘Trading Technologies International, Inc.’ and contains a malicious executable named Setup[dot]exe. “Our analysis of one version of this executable found that when executed, it examined the file named X_TRADER-ja[dot]mst (also contained in the installer) for the marker bytes,” Symantec added.

Once installed, according to Symantec, the legitimate X_Trader executable side-loads two malicious DLLs dropped by the installer. The first, winscard[dot]dll, acts as a loader and contains code that loads and executes a payload from the second, msvcr100[dot]dll. The msvcr100[dot]dll file carries an encrypted blob appended to the end of the file; the blob starts with the hex value FEEDFACE, which the loader uses to locate it.

The payload installation process is almost identical to that seen with the trojanized 3CX app, where two side-loaded DLLs are used to extract a payload from an encrypted blob, the researchers revealed.
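To make the blob-location step concrete, here is an added Python example (editorial illustration, not Symantec's or Mandiant's code and not the loader's own logic) that parses a PE file's section table to find where the overlay begins and checks whether that overlay carries the FEEDFACE marker. It assumes the marker is stored in the file as the byte sequence FE ED FA CE, uses a constructed minimal PE-shaped buffer as sample input, and does not attempt decryption, since the page does not describe the cipher.

```python
import struct

# Marker Symantec reports at the start of the encrypted blob appended to
# msvcr100.dll. Assumption: stored in the file as the byte sequence FE ED FA CE.
FEEDFACE = bytes.fromhex("FEEDFACE")

SECTION_HEADER_SIZE = 40


def overlay_offset(data: bytes) -> int:
    """Offset at which the PE overlay (bytes past the last section's raw data) begins.

    Walks DOS header -> NT signature -> file header -> section table and takes the
    largest PointerToRawData + SizeOfRawData. Raises ValueError for non-PE input.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, num_sections, _ts, _symtab, _nsyms,
     size_opt, _chars) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    section_table = e_lfanew + 4 + 20 + size_opt
    end = section_table + num_sections * SECTION_HEADER_SIZE  # fallback if no raw data
    for i in range(num_sections):
        hdr = section_table + i * SECTION_HEADER_SIZE
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of the header
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        if ptr_raw:
            end = max(end, ptr_raw + size_raw)
    return end


def find_appended_blob(data: bytes, marker: bytes = FEEDFACE):
    """Return (offset, blob) if `marker` appears in the overlay, else None.

    The blob runs from the marker to end of file, which is what a side-loaded
    loader would hand to its decryption routine. Searching the whole overlay
    (not just its first bytes) tolerates padding before the marker.
    """
    start = overlay_offset(data)
    if start >= len(data):
        return None  # no overlay at all
    idx = data.find(marker, start)
    if idx == -1:
        return None
    return idx, data[idx:]


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE-shaped buffer (one .text section, not loadable)
    used as offline sample input; the overlay is appended unchanged."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0  # PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x2102)
    opt_hdr = b"\0" * size_opt
    raw_ptr, raw_size = 0x200, 0x200
    section = (b".text\0\0\0"
               + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr)
               + b"\0" * 16)
    headers = dos + b"PE\0\0" + file_hdr + opt_hdr + section
    padding = b"\0" * (raw_ptr - len(headers))
    return headers + padding + b"\x90" * raw_size + overlay


if __name__ == "__main__":
    sample = build_sample_pe(FEEDFACE + b"\x01\x02\x03")
    print(hex(overlay_offset(sample)), find_appended_blob(sample))
```

On a real DLL you would pass the file's bytes to find_appended_blob; a hit only means data was appended after the last section and starts with the marker, which is a triage signal to pull the file for analysis, not a verdict on its own. The marker check Symantec describes for Setup[dot]exe against X_TRADER-ja[dot]mst is a separate check that this example does not model.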

In this attack, the extracted payload is a modular backdoor called Veiledsignal, which contains another DLL, a process-injection module that can be injected into the Chrome, Firefox, or Edge web browsers. That module in turn contains a second DLL, a command-and-control (C&C) module, which connects to a C&C URL.

On Thursday, Mandiant Consulting reported that its investigation of the 3CX supply chain compromise identified the initial intrusion vector: a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER, a software package provided by Trading Technologies. Mandiant determined that a complex loading process led to the deployment of VEILEDSIGNAL, a multi-stage modular backdoor, and its modules.

Mandiant further pointed out that although the X_TRADER platform was reportedly discontinued in 2020, it was still available for download from the legitimate Trading Technologies website in 2022. “This file was signed with the subject ‘Trading Technologies International, Inc’ and contained the executable file Setup[dot]exe that was also signed with the same digital certificate. The code signing certificate used to digitally sign the malicious software was set to expire in October 2022,” the researchers wrote in the post. Because the malicious Setup[dot]exe carried a valid signature from the vendor's own certificate, signature verification alone would not have flagged the installer as tampered.

Last week, Google’s Threat Analysis Group (TAG) reported that it continued to disrupt campaigns from multiple Russian government-backed attackers focused on the war in Ukraine during the first quarter of this year. The Google report also shed light on FROZENBARENTS, aka the Sandworm group, attributed to Unit 74455 of the Russian Armed Forces’ Main Directorate of the General Staff (GRU), which targets the energy sector and continues to conduct hack-and-leak operations.
