Proprietary 2021-11-01 · 267 days · Backdoor, Remote Access

X_TRADER software delivered VEILEDSIGNAL backdoor

A compromised installer for the retired X_TRADER financial software, available on Trading Technologies' official website and signed with their certificate, contained the VEILEDSIGNAL backdoor.

Story

X_TRADER was retired software that still sat on an official download path. In 2022, Trading Technologies' site served X_TRADER_r7.17.90p608.exe, signed by Trading Technologies International, Inc., even though the platform had reportedly been discontinued in 2020.

The installer executed Setup.exe. That program dropped two trojanized DLLs and a benign executable, then relied on DLL side-loading so that the benign executable loaded the malicious DLL. Inside that DLL, SIGFLIP located the embedded payload by scanning for the FEEDFACE marker and decrypted it with RC4; DAVESHELL then loaded the decrypted payload in memory, and the final implant was VEILEDSIGNAL.
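The marker-plus-RC4 stage described above, as an added illustration that is not code from the X_TRADER installer, from SIGFLIP, or from Mandiant. The container layout used here (marker, then a 16-byte key, a 4-byte little-endian length, and the RC4 ciphertext) and the ASCII encoding of the marker are assumptions made for the demo, not SIGFLIP's real format; what it shows is the general pattern a triage script has to handle: find the marker, read the key material that follows it, decrypt, and refuse truncated containers.

```python
"""Marker-located, RC4-encrypted payload extraction (added example).

Layout assumed for the demo only: MARKER | 16-byte key | u32le length | RC4(payload).
"""
import struct
from typing import List, Optional

MARKER = b"FEEDFACE"  # assumption: marker as ASCII bytes; the real encoding may differ


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def embed_payload(carrier: bytes, key: bytes, payload: bytes) -> bytes:
    """Append a marker-delimited RC4 container to an arbitrary carrier blob."""
    if len(key) != 16:
        raise ValueError("demo layout uses a 16-byte key")
    container = MARKER + key + struct.pack("<I", len(payload)) + rc4(key, payload)
    return carrier + container


def find_markers(blob: bytes) -> List[int]:
    """Every offset at which the marker occurs; useful for a quick triage sweep."""
    offsets, start = [], 0
    while True:
        pos = blob.find(MARKER, start)
        if pos == -1:
            return offsets
        offsets.append(pos)
        start = pos + 1


def extract_payload(blob: bytes) -> Optional[bytes]:
    """Locate the marker, read key and length, RC4-decrypt.

    Returns None when no marker is present or the container is truncated,
    rather than decrypting garbage past the end of the file.
    """
    pos = blob.find(MARKER)
    if pos == -1:
        return None
    hdr = pos + len(MARKER)
    if len(blob) < hdr + 16 + 4:
        return None
    key = blob[hdr:hdr + 16]
    (length,) = struct.unpack("<I", blob[hdr + 16:hdr + 20])
    body = blob[hdr + 20:hdr + 20 + length]
    if len(body) != length:
        return None
    return rc4(key, body)


# Constructed sample: a fake "DLL" body plus an embedded placeholder payload.
CARRIER = b"MZ" + b"\x00" * 64 + b"benign code bytes" * 4
KEY = bytes(range(16))
PAYLOAD = b"demo payload placeholder (not real shellcode)"
SAMPLE = embed_payload(CARRIER, KEY, PAYLOAD)

if __name__ == "__main__":
    print("marker offsets:", find_markers(SAMPLE))
    print("recovered:", extract_payload(SAMPLE))
```

Run against a real sample, the marker scan is the cheap first pass; the decrypt step only makes sense once the actual key placement and length encoding have been confirmed in a disassembler, because a wrong layout silently yields noise rather than an error.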

VEILEDSIGNAL was a modular backdoor. It could send implant data, execute shellcode, and terminate itself. Its communication module talked to the other modules over a named pipe and encrypted command-and-control traffic with AES-256-GCM; its configured C2 URL was on the Trading Technologies domain itself, www.tradingtechnologies.com/trading/order-management, so domain reputation or an allow-list keyed on the vendor's site would not have flagged the traffic.
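A detection consequence of the C2 location above: because the host is the vendor's legitimate domain, the usable indicator is the request path, matched together with the host. The following is an added example, not part of the original record; the access-log lines are constructed for the demo in a Squid-native layout (an assumption about log format, not logs from the incident), and the only indicator it carries is the host-and-path pair quoted in the record.

```python
"""Path-level C2 matching on a trusted domain (added example)."""
from typing import Dict, List
from urllib.parse import urlsplit

# Indicator from the record: host plus path. Matching on the host alone would
# also flag every legitimate visit to the vendor's site.
C2_INDICATORS = {
    ("www.tradingtechnologies.com", "/trading/order-management"),
}

# Constructed sample, Squid native format:
# time elapsed client code/status bytes method URL rfc931 peerstatus/peerhost type
SAMPLE_LOG = """\
1680000001.123   210 10.0.0.15 TCP_MISS/200 5120 GET https://www.tradingtechnologies.com/trading/order-management - HIER_DIRECT/203.0.113.10 application/octet-stream
1680000002.456   120 10.0.0.15 TCP_MISS/200 8841 GET https://www.tradingtechnologies.com/ - HIER_DIRECT/203.0.113.10 text/html
1680000003.789    98 10.0.0.22 TCP_MISS/200 1024 POST https://www.tradingtechnologies.com/trading/order-management/ - HIER_DIRECT/203.0.113.10 application/octet-stream
1680000004.001    45 10.0.0.22 TCP_MISS/200 2048 GET https://example.com/trading/order-management - HIER_DIRECT/198.51.100.5 text/html
1680000005.002    67 10.0.0.31 TCP_MISS/200 4096 GET HTTPS://WWW.TRADINGTECHNOLOGIES.COM/trading/order-management?x=1 - HIER_DIRECT/203.0.113.10 application/octet-stream
"""


def parse_squid_line(line: str) -> Dict[str, str]:
    """Pull the fields a C2 hunt needs from one Squid-native log line."""
    fields = line.split()
    return {"ts": fields[0], "client": fields[2], "method": fields[5], "url": fields[6]}


def matches_indicator(url: str) -> bool:
    """Normalise host case, trailing slash and query string before comparing."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lower-cases the hostname
    path = parts.path.rstrip("/") or "/"  # '/x/' and '/x' are the same resource here
    return (host, path) in C2_INDICATORS


def find_c2_hits(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records whose URL matches a host-and-path indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_squid_line(line)
        if matches_indicator(rec["url"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["method"], hit["url"])
```

The normalisation is the point of the example: an upper-cased scheme and host, a trailing slash, or an appended query string are all cheap ways for an implant to dodge an exact-string rule, and the same path on a different host (example.com above) must not fire, since the indicator is the pair, not the path.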

The impact was larger than the X_TRADER user base. Mandiant found that a 3CX employee installed the trojanized X_TRADER package on a personal machine, the actor harvested corporate credentials from it, and that access later led to the compromise of 3CX's build environments. One supply-chain attack became the starting point of another.

Affected Artifacts

X_TRADER

· tradingtechnologies.com · Binary Archive
Observed
2021-11-01 to 2022-07-26
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • md5:ef4ab22e565684424b4142b1294f1f4d
  • sha1:ced671856bbaef2f1878a2469fb44e9be8c20055
  • sha256:fbc50755913de619fb830fb95882e9703dbfda67dbd0f75bc17eadc9eda61370
  • +5 more
  • Affected X_TRADER scope covers installer builds available from November 2021 through July 2022, including the X_TRADER_r7.17.90p608.exe build named in the reporting.
  • Mandiant identified this installer as the initial intrusion vector that led to the later 3CX build-environment compromise.

Incident Context

Motive
Financial Gain
Attribution
State
Cause
Website Compromise
Transitive
No
Actor
Nation-state
User Impact
97

External References

Source record: proprietary/x_trader/meta.yaml