Veiledsignal

Threat Actor updated 4 months ago (2024-05-04T19:31:31.336Z)
VeiledSignal is a threat actor known for sophisticated cyberattacks that typically rely on trojanized software to infiltrate systems and networks. In one significant incident, VeiledSignal compromised an employee's personal computer by embedding malware, detected as Win32/NukeSped.MO (aka VEILEDSIGNAL), into the 3CX app downloaded from the Trading Technologies website. Installing the malware triggered a complex loading process that installed a multi-stage backdoor called "VEILEDSIGNAL" on the individual's system. This breach allowed VeiledSignal to steal the employee's corporate credentials, which led to a further compromise of both the Windows and macOS build environments of the 3CX app.

The attack chain employed by VeiledSignal used the open-source tools SIGFLIP and DAVESHELL to extract and execute the VEILEDSIGNAL backdoor. This fully featured malware gave the threat actor administrator-level access to, and persistence on, the compromised system. Once implanted, VEILEDSIGNAL downloaded an encrypted command-and-control (C2) module from GitHub, further extending its control over the infected system. VeiledSignal's malware contains three components: the main backdoor, an injector module, and a communications module.

In addition to compromising the 3CX app, VeiledSignal also used its access to the Trading Technologies platform to infiltrate 3CX's network. There, they modified desktop apps to compromise the networks of 3CX's customers, deploying the VeiledSignal multi-stage modular backdoor onto victims' systems. The specific version of the X_Trader software downloaded by the 3CX employee was loaded with the VeiledSignal backdoor and appeared legitimate because the file and its installer were signed with a since-expired digital certificate.
Description last updated: 2024-05-04T17:28:35.659Z
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Backdoor, 3CX, Malware, Mandiant, Windows, Payload, macOS
Analyst Notes & Discussion
Source Document References
Information about the VeiledSignal threat actor was read from the document corpus below. This display is limited to 20 results.

Source, Created: Title
CERT-EU, a year ago: N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX
CERT-EU, a year ago: Recovering from a supply-chain attack: What are the lessons to learn from the 3CX hack?
CERT-EU, a year ago: Obsolete financial trading software led to 3CX vulnerability
BankInfoSecurity, a year ago: North Korean Hackers Chained Supply Chain Hacks to Reach 3CX
CERT-EU, a year ago: 3CX supply chain hack also impacted critical infrastructure orgs in the US and Europe
CERT-EU, a year ago: Infected app on employee's PC led to 3CX compromise: Report | IT World Canada News
CERT-EU, a year ago: 3CX hack highlights risk of cascading software supply-chain compromises
CERT-EU, a year ago: Cascading Supply Chain Attack: 3CX Hacked After Employee Downloaded Trojanized App
CERT-EU, a year ago: An earlier supply chain attack led to the 3CX supply chain attack, Mandiant says • The Register | #cybercrime | #infosec – National Cyber Security Consulting
CERT-EU, a year ago: Anomali Cyber Watch: Two Supply-Chain Attacks Chained Together, Decoy Dog Stealthy DNS Communication, EvilExtractor Exfiltrates to FTP Server
CERT-EU, a year ago: The 3CX attack gets wilder, marks first 'cascading software supply chain compromise'
CERT-EU, a year ago: Symantec: North Korean 3CX Hackers Also Hit Critical Infrastructure Orgs
DARKReading, a year ago: 3CX Supply Chain Attack Tied to Financial Trading App Breach
InfoSecurity-magazine, a year ago: 3CX Hackers Also Compromised Critical Infrastructure Firms