Two critical infrastructure providers in the energy sector were breached via a software supply chain attack that also hit business communications provider 3CX and its downstream customers, as well as trading companies.
That’s according to cybersecurity firm Symantec this week, which said that its Threat Hunter Team had identified Critical National Infrastructure (CNI) victims in Europe and the US. It said that they had been victims of malware-laced X_Trader software; a customisable trading platform developed by Trading Technologies.
Symantec did not specify whether the energy infrastructure victims were in power generation or distribution.
X_Trader compromise used to hit 3CX
Symantec’s report comes after incident responders from Mandiant investigating the breach of VoIP services firm 3CX – which caused waves of alarm downstream after hackers poisoned legitimate and signed software from 3CX to attack its customers – found that it had been hit by another supply chain attack.
That was, said Mandiant, the first time “a software supply chain attack lead to another software supply chain attack” with the initial intrusion vector of 3CX attributed to “a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER.”
On March 30, 3CX CEO Nick Galeo confirmed that the company’s Electron Windows app shipped in Update 7, version numbers 18.12.407 & 18.12.416, included a severe security issue and that Electron Mac App version numbers 18.11.1213 shipped with Update 6, and 18.12.402, 18.12.407 & 18.12.416 in Update 7 were affected.
SentinelOne telemetry set the earliest infection attempt as March 8, 2023. Based on data recovered from GitHub, infrastructure used by the Windows variant was activated on December 7, 2022 and domains and web infrastructure used in the attacks were registered as early as November 2022, according to Volexity.
The X_Trader software itself is used by traders to view real time and historical market data. While the software had been phased out by the parent company, Trading Technologies in 2020, it was available for download up until 2022 Mandiant said – with its team saying that “the compromised X_TRADER and 3CXDesktopApp applications both contain, extract, and run a payload in the same way, although the final payload is different.”
Symantec’s Threat Hunter Unit has termed this a ‘hydra style’ campaign, referencing the mythological snake-like monster that grows two heads for each one that is cut off. Mandiant has attributed the “cascading software supply chain compromises” campaign (albeit only with “moderate confidence”) to North Korea.
The supply chain breach has been analysed to start with with a Trojanized installer named X_TRADER_r7.17.90p608.exe (SHA256: 900b63ff9b06e0890bf642bdfcbfcc6ab7887c7a3c057c8e3fd6fba5ffc8e5d6), which is digitally signed by "Trading Technologies International, Inc." and contains a malicious executable named Setup.exe.
Once installed, the legitimate X_Trader executable side-loads the two malicious DLLs dropped by the installer. The first, winscard.dll, acts as a loader and contains code that will load and execute a payload from the second (msvcr100.dll). The msvcr100.dll file contains an encrypted blob appended to the file. The blob starts with the hex value FEEDFACE, which the loader uses to find the blob. The process for payload installation for the X_Trader breach was almost identical as that seen with the Trojanized 3CX app, where two side-loaded DLLs are used to extract a payload from an encrypted blob, according to Symantec. Mandiant has detection rules here.