Mandiant Security Update – Initial Intrusion Vector
Update from Mandiant’s Investigation
While Mandiant’s investigation is still ongoing, we now have a clear overall understanding of the attack. Following our previous update, we would like to share some additional technical details to support our customers and the community. We have also published additional indicators of compromise that organizations can leverage for their network defenses.
Initial Intrusion Vector
Mandiant identified that our internal network compromise originated in 2022, when an employee installed the Trading Technologies X_TRADER software on the employee’s personal computer. Although the X_TRADER installation software was downloaded from the Trading Technologies website, it contained VEILEDSIGNAL malware, which enabled the threat actor (identified as UNC4736) to initially compromise and then maintain persistence on the employee’s personal computer.
The X_TRADER installer (X_TRADER_r7.17.90p608.exe) was digitally signed by a valid code signing certificate with the subject of “Trading Technologies International, Inc”. It was hosted on hxxps://download.tradingtechnologies[.]com. While the X_TRADER software was reportedly retired in …
IoC
00a43d64f9b5187a1e1f922b99b09b77
19dbffec4e359a198daf4ffca1ab9165
24d5dd3006c63d0f46fb33cbc1f576325d4e7e03e3201ff4a3c1ffa604f1b74a
3bda9ca504146ad5558939de9fece0700f57c1c0
6e11c02485ddd5a3798bf0f77206f2be37487ba04d3119e2d5ce12501178b378
ced671856bbaef2f1878a2469fb44e9be8c20055
d7ba13662fbfb254acaad7ae10ad51e0bd631933
ef4ab22e565684424b4142b1294f1f4d
fbc50755913de619fb830fb95882e9703dbfda67dbd0f75bc17eadc9eda61370
http://www.tradingtechnologies.com/trading/order-management
https://download.tradingtechnologies.com
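As an added example (not Mandiant’s tooling and not code from the report), the following Python script sorts the indicators listed above by type, hashes local files with all three algorithms the list uses, and checks web proxy log lines against the URL indicators. The indicator values are the ones published above; the sample file digests and log lines are constructed for the demonstration, and the labels `constructed_file_1` and `constructed_file_2` are placeholders.

```python
"""Match the indicators from the IoC list above against local file hashes
and web proxy logs. Added example written for this page, not Mandiant's or
Trading Technologies' code. Indicator values are copied from the list above;
the sample observations at the bottom are constructed."""
import hashlib
import re
from pathlib import Path

# Indicators copied from the IoC list on this page (hashes as published,
# URLs in plain rather than defanged form so they can be matched in logs).
IOCS = """
00a43d64f9b5187a1e1f922b99b09b77
19dbffec4e359a198daf4ffca1ab9165
24d5dd3006c63d0f46fb33cbc1f576325d4e7e03e3201ff4a3c1ffa604f1b74a
3bda9ca504146ad5558939de9fece0700f57c1c0
6e11c02485ddd5a3798bf0f77206f2be37487ba04d3119e2d5ce12501178b378
ced671856bbaef2f1878a2469fb44e9be8c20055
d7ba13662fbfb254acaad7ae10ad51e0bd631933
ef4ab22e565684424b4142b1294f1f4d
fbc50755913de619fb830fb95882e9703dbfda67dbd0f75bc17eadc9eda61370
http://www.tradingtechnologies.com/trading/order-management
https://download.tradingtechnologies.com
""".split()

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def classify(iocs):
    """Sort a flat indicator list by type using the shape of each value.
    Anything that is neither a known-length hex digest nor an http(s) URL is
    kept under 'unknown' so a malformed list is noticed rather than ignored."""
    out = {"md5": set(), "sha1": set(), "sha256": set(), "url": [], "unknown": []}
    for ioc in iocs:
        value = ioc.strip().lower()
        if HEX_RE.match(value) and len(value) in HASH_TYPES:
            out[HASH_TYPES[len(value)]].add(value)
        elif value.startswith(("http://", "https://")):
            out["url"].append(value)
        else:
            out["unknown"].append(ioc)
    return out


def hash_bytes(data):
    """MD5, SHA-1 and SHA-256 of an in-memory buffer; all three are needed
    because the published list mixes algorithms."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def hash_file(path):
    """Stream a file through all three digests in a single pass."""
    digests = {alg: hashlib.new(alg) for alg in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {alg: digest.hexdigest() for alg, digest in digests.items()}


def match_hashes(observed, iocs):
    """observed maps a label (e.g. a path) to {"md5": ..., "sha1": ..., "sha256": ...}.
    Returns (label, algorithm, digest) for every digest present in the list."""
    sets = classify(iocs)
    hits = []
    for label, digests in observed.items():
        for alg, digest in digests.items():
            if digest.lower() in sets.get(alg, set()):
                hits.append((label, alg, digest.lower()))
    return hits


def scan_directory(root, iocs):
    """Hash every regular file under root and report indicator matches."""
    observed = {str(p): hash_file(p) for p in Path(root).rglob("*") if p.is_file()}
    return match_hashes(observed, iocs)


def match_proxy_log(lines, iocs):
    """Flag log lines containing a listed URL. Matching is a case-insensitive
    substring test: the bare download-host indicator covers any path under it,
    while the scheme must agree (an http:// indicator does not cover https://)."""
    urls = classify(iocs)["url"]
    hits = []
    for lineno, line in enumerate(lines, 1):
        lowered = line.lower()
        for url in urls:
            if url in lowered:
                hits.append((lineno, url))
                break
    return hits


# Constructed sample observations for the demonstration (not real findings).
SAMPLE_OBSERVED = {
    "constructed_file_1": {
        "md5": "ef4ab22e565684424b4142b1294f1f4d",  # a listed MD5, to force one hit
        "sha1": "0" * 40,
        "sha256": "0" * 64,
    },
    "constructed_file_2": {"md5": "f" * 32, "sha1": "f" * 40, "sha256": "f" * 64},
}
SAMPLE_PROXY_LOG = [
    "2022-05-04T10:02:11Z host-a GET https://download.tradingtechnologies.com/constructed/path.exe 200",
    "2022-05-04T10:02:15Z host-a GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    for hit in match_hashes(SAMPLE_OBSERVED, IOCS):
        print("hash match:", hit)
    for hit in match_proxy_log(SAMPLE_PROXY_LOG, IOCS):
        print("url match:", hit)
```

Against a real host, call `scan_directory("/path/to/downloads", IOCS)` and feed exported proxy lines to `match_proxy_log`. Two points follow from the report itself: the installer carried a valid Trading Technologies signature, so a signature check alone would have passed and only content hashing or the download-host indicator would have flagged it; and file hashes identify only the exact published samples, so a clean hash sweep does not by itself rule out a variant.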