Although the scope of the attack is presently unknown, firms in the industrial, manufacturing, healthcare, insurance, technology, and telecom sectors in North America and Europe are reported to have received the trojanized file. Comm100, a Canadian company, offers live audio/video chat and customer-interaction software for businesses and claims to have more than 15,000 clients in 51 countries.
“The installer was signed on September 26, 2022 at 14:54:00 UTC using a valid Comm100 Network Corporation certificate,” the company said, adding that it remained available for download until September 29.
Threat actors are finding it increasingly profitable to compromise a well-known software supplier in order to reach the networks of its downstream customers, as seen in the supply chain breaches at SolarWinds and Kaseya. As of this writing, no security vendor has flagged the installer as malicious. The problem has since been fixed with the release of an updated installer (10.0.9) following responsible disclosure.
Based on the Chinese-language comments in the malware and the targeting of online gambling companies in East and Southeast Asia, an area of interest for China-based intrusion actors, CrowdStrike has attributed the attack to a China-based threat actor with moderate confidence. Nevertheless, the payload delivered in this operation differs from the malware families previously identified as being controlled by the group, indicating an expansion of its offensive capabilities.
Although CrowdStrike withheld the adversary’s identity, the TTPs point toward a threat actor known as Earth Berberoka (also known as GamblingPuppet), which was discovered earlier this year using a fake chat app called MiMi in its attacks against the gambling sector.