Symantec’s Threat Hunter Team links a broader X_Trader software supply chain attack to multiple victims, including two critical infrastructure organizations in the energy sector in the U.S. and Europe, plus two other financial trading firms. The operation uses a trojanized X_Trader installer, DLL side-loading with Veiledsignal backdoor, and C2 communications to a Trading Technologies endpoint.
#X_TRADER #3CX #TradingTechnologies #Veiledsignal #NorthKoreanSponsoredActors
Keypoints
- Expanded impact beyond the 3CX breach: victims include two energy sector organizations (one in the U.S. and one in Europe) and two other financial trading firms.
- The attack starts with a Trojanized installer for X_TRADER (X_TRADER_r7.17.90p608.exe) signed by Trading Technologies International, Inc., containing a malicious Setup.exe.
- Two malicious DLLs are dropped and later used for loading the payload (DLL side-loading): winscard.dll and msvcr100.dll.
- Persistence is achieved via a scheduled task created through a CLSID_TaskScheduler object to run C:\Programdata\TPM\TpmVscMgrSvr.exe.
- The backdoor Veiledsignal is deployed, including a process-injection module that can target browsers and a C2 module that communicates with a Trading Technologies URL.
- Payloads involve XOR-based decryption and an encrypted blob, with deobfuscation/decoding steps to construct the final binaries.
- Indicators of Compromise (hashes, file names, URLs, and artifacts) are provided by Symantec, signaling a broad and reusable attack template for software supply chain intrusions.
MITRE Techniques
- [T1195] Supply Chain Compromise – The infection chain begins with the Trojanized X_TRADER installer. “The infection chain starts with the Trojanized installer named X_TRADER_r7.17.90p608.exe (SHA256: 900b63ff9b06e0890bf642bdfcbfcc6ab7887c7a3c057c8e3fd6fba5ffc8e5d6), which is digitally signed by ‘Trading Technologies International, Inc.’ and contains a malicious executable named Setup.exe.”
- [T1116] Code Signing – The Trojanized installer is digitally signed, enabling trust by the target system. “digitally signed by ‘Trading Technologies International, Inc.’”
- [T1053.005] Scheduled Task – Persistence via CLSID_TaskScheduler to create a scheduled task that runs TpmVscMgrSvr.exe. “to create a scheduled task to run periodically the following file: C:\Programdata\TPM\TpmVscMgrSvr.exe.”
- [T1574.002] DLL Side-Loading – The legitimate X_Trader executable side-loads the two malicious DLLs dropped by the installer to load the payload. “the legitimate X_Trader executable side-loads the two malicious DLLs dropped by the installer.”
- [T1055] Process Injection – Veiledsignal contains a process-injection module that can inject into browsers. “Veiledsignal contains another DLL (SHA256: 19442d9e476e3ef990ce57b683190301e946ccb28fc88b69ab53a93bf84464ae), which is a process-injection module.”
- [T1071.001] Web Protocols – The payload’s C2 module connects to a Web URL for command and control. “It connects to the following C&C URL: https://www.tradingtechnologies.com/trading/order-management.”
- [T1027] Obfuscated/Compressed Files and Information – The payload includes an encrypted blob and decryption steps to reveal components. “The blob starts with the hex value FEEDFACE, which the loader uses to find the blob.”
- [T1140] Deobfuscate/Decode Files or Information – Decryption of dropped files using XOR with a specific key. “The content of the dropped files is generated by decrypting chunks of the file X_TRADER-ja.mst … using the XOR algorithm with the following key: 74 F2 39 DA E5 CF.”
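An added analyst-side triage helper, not Symantec's code and not part of the original write-up: it locates FEEDFACE-prefixed blobs in a file image, XOR-decodes what follows with the published key 74 F2 39 DA E5 CF, and reports whether the result looks like a PE, with its SHA-256 for comparison against the listed IoCs. It assumes the key cycles byte-by-byte over each chunk and that a marker directly precedes each encrypted chunk; the input file below is constructed, not a real sample.

```python
import hashlib
import re

# Values taken from the write-up summarised above.
XOR_KEY = bytes.fromhex("74F239DAE5CF")
BLOB_MARKER = bytes.fromhex("FEEDFACE")


def xor_decrypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; symmetric, so it also encrypts (assumption: key cycles per byte)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_blobs(data: bytes, marker: bytes = BLOB_MARKER) -> list:
    """Offsets of every marker occurrence; a marker may also appear by chance in ciphertext."""
    return [m.start() for m in re.finditer(re.escape(marker), data)]


def carve_payloads(data: bytes) -> list:
    """Decode each marker-delimited chunk and flag those that decode to an MZ header."""
    offsets = find_blobs(data)
    results = []
    for i, off in enumerate(offsets):
        end = offsets[i + 1] if i + 1 < len(offsets) else len(data)
        decoded = xor_decrypt(data[off + len(BLOB_MARKER):end])
        results.append({
            "offset": off,
            "is_pe": decoded[:2] == b"MZ",
            "sha256": hashlib.sha256(decoded).hexdigest(),  # compare with published IoC hashes
            "payload": decoded,
        })
    return results


# Constructed stand-in for a carrier file: filler, the marker, then an XOR-encoded fake PE stub.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"constructed-sample-only"
CONSTRUCTED_MST = b"\x00" * 32 + b"junk data " + BLOB_MARKER + xor_decrypt(FAKE_PE)

if __name__ == "__main__":
    for hit in carve_payloads(CONSTRUCTED_MST):
        print(f"offset={hit['offset']} pe={hit['is_pe']} sha256={hit['sha256']}")
```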
Indicators of Compromise
- [Hash] Trojanized installer – 900b63ff9b06e0890bf642bdfcbfcc6ab7887c7a3c057c8e3fd6fba5ffc8e5d6, aa318070ad1bf90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43, and other hashes
- [Hash] Malicious component of Trojanized installer (setup.exe) – 6e11c02485ddd5a3798bf0f77206f2be37487ba04d3119e2d5ce12501178b378, cb374af8990c5f47b627596c74e2308fbf39ba33d08d862a2bea46631409539f
- [Hash] Veiledsignal loader – cc4eedb7b1f77f02b962f4b05278fa7f8082708b5a12cacf928118520762b5e2, 277119738f4bdafa1cde9790ec82ce1e46e04cebf6c43c0e100246f681ba184e
- [Hash] Malicious DLL (msvcr100.dll) – cb374af8990c5f47b… (and d937e19ccb3fd1dddeea3eaaf72645e8cd64083228a0df69c60820289b1aa3c0)
- [Hash] Veiledsignal main component – e185c99b3d1085aed9fda65a9774abd73ecf1229f14591606c6c59e9660c4345
- [Hash] Veiledsignal process-injection module – 19442d9e476e3ef990ce57b683190301e946ccb28fc88b69ab53a93bf84464ae
- [Hash] Veiledsignal communications module – f8c370c67ffb3a88107c9022b17382b5465c4af3dd453e50e4a0bd3ae9b012ce
- [URL] C2 server – https://www.tradingtechnologies[.]com/trading/order-management
- [Named Pipe] Veiledsignal named pipe – \\.\pipe\gecko.nativeMessaging.in.foo8bc16e6288f2a
- [User-Agent] Veiledsignal user agent – Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40
Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain