Home / malware
First posted on 01 May 2023.
There are no other names known for Trojanized X_Trader.
As reported by Mandiant, Trojanized X_Trader software was the cause of the 3CX breach, which was uncovered last month. As a result of this breach, 3CX's software was compromised, with many customers inadvertently downloading malicious versions of the company's voice and video calling software DesktopApp.
The infection chain starts with the Trojanized installer named X_TRADER_r7.17.90p608.exe (SHA256: 900b63ff9b06e0890bf642bdfcbfcc6ab7887c7a3c057c8e3fd6fba5ffc8e5d6), which is digitally signed by "Trading Technologies International, Inc." and contains a malicious executable named Setup.exe. Our analysis of one version of this executable (SHA256: aa318070ad1bf90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43) found that when executed, it examined the file named X_TRADER-ja.mst (also contained in the installer) for the following marker bytes at hardcoded offset 0x167000:
5E DA F3 76
If the marker bytes are present, it creates a folder named:
It then copies the file C:WindowsSysnativeimmersivetpmvscmgrsvr.exe as C:ProgramdataTPMTpmVscMgrSvr.exe to the new folder.
Next, it will drop two malicious DLLs:
C:ProgramdataTPMwinscard.dll (SHA256: cc4eedb7b1f77f02b962f4b05278fa7f8082708b5a12cacf928118520762b5e2)
C:ProgramdataTPMmsvcr100.dll (SHA256: d937e19ccb3fd1dddeea3eaaf72645e8cd64083228a0df69c60820289b1aa3c0)
The content of the dropped files is generated by decrypting chunks of the file X_TRADER-ja.mst mentioned earlier using the XOR algorithm with the following key:
74 F2 39 DA E5 CF
To achieve persistence on the victim's system, the malware invokes a CLSID_TaskScheduler COM object, possibly to create a scheduled task to run periodically the following file:
Setup.exe then drops a file named X_TRADER.exe, also contained within the installer. The content of the dropped file is generated by decrypting chunks from one of its own portable executable resources starting at hardcoded offset 0x1CB40 using the XOR algorithm with the following key:
74 F2 39 DA E5 CF
Setup will then execute X_Trader.exe before deleting itself.
Once installed, the legitimate X_Trader executable side-loads the two malicious DLLs dropped by the installer. The first, winscard.dll, acts as a loader and contains code that will load and execute a payload from the second (msvcr100.dll). The msvcr100.dll file contains an encrypted blob appended to the file. The blob starts with the hex value FEEDFACE, which the loader uses to find the blob.
The process for payload installation is almost identical as that seen with the Trojanized 3CX app, where two side-loaded DLLs are used to extract a payload from an encrypted blob.
In this attack, the payload extracted is a modular backdoor called Veiledsignal (SHA256: e185c99b3d1085aed9fda65a9774abd73ecf1229f14591606c6c59e9660c4345). Veiledsignal contains another DLL (SHA256: 19442d9e476e3ef990ce57b683190301e946ccb28fc88b69ab53a93bf84464ae), which is a process-injection module. This can be injected into the Chrome, Firefox, or Edge web browsers. The module contains a second DLL (SHA256: f8c370c67ffb3a88107c9022b17382b5465c4af3dd453e50e4a0bd3ae9b012ce), which is a command-and-control (C&C) module. It connects to the following C&C URL:
Last update 01 May 2023