VeiledSignal is a threat actor known for its sophisticated cyberattacks, which typically involve the use of trojanized software to infiltrate systems and networks. In one significant incident, VeiledSignal compromised an employee's personal computer by embedding malware, detected as Win32/NukeSped.MO (aka VEILEDSIGNAL), into the 3CX app downloaded from the Trading Technologies website. The malware installation triggered a complex loading process that resulted in a multi-stage backdoor called "VEILEDSIGNAL" being installed on the individual's system. This breach allowed VeiledSignal to steal the employee's corporate credentials, leading to a further compromise of both the Windows and macOS build environments of the 3CX app.
The attack chain employed by VeiledSignal involved the use of open-source tools such as SIGFLIP and DAVESHELL to extract and execute the VEILEDSIGNAL backdoor. This fully-featured malware provided the threat actor with administrator-level access to, and persistence on, the compromised system. Once implanted, VEILEDSIGNAL downloaded an encrypted command and control (C2) module from GitHub, further extending its control over the infected system. VeiledSignal's malware contains three components: the main backdoor, an injector module, and a communications module.
In addition to compromising the 3CX app, VeiledSignal also used its access to the Trading Technologies platform to infiltrate 3CX's network. There, they modified desktop apps to compromise the networks of 3CX's customers, deploying the VeiledSignal multi-stage modular backdoor onto victims' systems. The version of the X_Trader software downloaded by the 3CX employee was loaded with the VeiledSignal backdoor, and it appeared legitimate because both the file and its installer were signed with a since-expired digital certificate.
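The trojanized installer passed as legitimate because it carried a signature from a certificate that has since expired. The following PowerShell script is an added defender-side check, not code from the original description or from any of the vendors involved: it audits downloaded installers with the built-in `Get-AuthenticodeSignature` cmdlet and flags any file whose signature status is not `Valid` or whose signer certificate is already past its `NotAfter` date. The `$InstallerDir` parameter and its default path are assumptions for the example.

```powershell
# Added example (not part of the original description): audit installers'
# Authenticode signatures and flag expired or otherwise questionable signers.
# Assumption: $InstallerDir holds the .exe/.msi files you want to review.
param(
    [string]$InstallerDir = "$env:USERPROFILE\Downloads"
)

$now = Get-Date

Get-ChildItem -Path $InstallerDir -Include *.exe, *.msi -Recurse -File | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate   # $null when the file is unsigned

    $expired = $false
    if ($cert) { $expired = $cert.NotAfter -lt $now }

    [pscustomobject]@{
        File        = $_.Name
        Status      = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($cert) { $cert.Subject }    else { $null }
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter    = if ($cert) { $cert.NotAfter }   else { $null }
        CertExpired = $expired
        # A 'Valid' status on an expired certificate means the signature was
        # timestamped while the certificate was still in its validity period.
        # Such files are not automatically malicious, but they deserve a second
        # look (publisher, download source, hash against the vendor's release).
        Flag        = ($sig.Status -ne 'Valid') -or $expired
    }
} | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Run it as `.\Audit-Installers.ps1 -InstallerDir C:\path\to\installers` (the script name is arbitrary). Flagged rows are a triage queue, not a verdict: confirm the signer's subject and thumbprint against what the vendor publishes, and compare the file hash with the vendor's release notes before trusting or blocking the file.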
Description last updated: 2024-05-04T17:28:35.659Z