Supply Chain Attack Uses Hacked Comm100 Chat Provider to Distribute Malware

A novel supply chain attack involving the deployment of a trojanized installer for the Comm100 Live Chat program to disseminate a JavaScript backdoor has been linked to a threat actor with possible ties to China. The attack used a signed Comm100 desktop agent tool for Windows that was available for download from the company’s website, according to cybersecurity firm CrowdStrike.

Although the scope of the attack is presently unknown, the trojanized file has reportedly been found at firms in the industrial, manufacturing, healthcare, insurance, technology, and telecom sectors in North America and Europe. Comm100, a Canadian company, offers live audio/video chat and customer engagement software for businesses and claims more than 15,000 clients in 51 countries.

“The installer was signed on September 26, 2022 at 14:54:00 UTC using a valid Comm100 Network Corporation certificate,” the company said, adding that it was still accessible until September 29.

The weaponized executable contains a JavaScript-based implant that runs second-stage JavaScript code retrieved from a remote server and is intended to give the actor covert remote shell capabilities. Post-exploitation activity also uses a malicious loader DLL named MidlrtMd.dll, which launches in-memory shellcode to inject an embedded payload into a new Notepad process.
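As an added illustration (not code from CrowdStrike, Comm100 or this article), the following Python script turns two facts above into defender-side triage checks: the signing window of the trojanized installer, and the MidlrtMd.dll loader plus the Notepad injection target. The telemetry it runs over is constructed, the agent process name `comm100agent.exe` is an assumption to be replaced with the real binary name from your software inventory, and the end of the signing window (the whole of September 29) is likewise an assumption, since the report only says the file remained available until that day.

```python
"""
Added example (not CrowdStrike's, Comm100's or the article's code): a small triage
script applying the reported facts to constructed endpoint telemetry.

Checks implemented:
  1. Installer metadata signed with the Comm100 certificate inside the reported
     window (2022-09-26 14:54:00 UTC until 2022-09-29) is flagged for review,
     because a valid signature alone does not prove the binary is clean.
  2. Process/module events: a load of MidlrtMd.dll, or notepad.exe started by the
     chat agent process, match the post-exploitation behaviour described.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone

WINDOW_START = datetime(2022, 9, 26, 14, 54, 0, tzinfo=timezone.utc)
# Assumption: treat the whole of 29 September as inside the window.
WINDOW_END = datetime(2022, 9, 29, 23, 59, 59, tzinfo=timezone.utc)
SIGNER = "Comm100 Network Corporation"
LOADER_DLL = "midlrtmd.dll"
# Assumed process name of the Comm100 desktop agent; adjust to your environment.
AGENT_PROCESSES = {"comm100agent.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def installer_in_signing_window(signer: str, signed_at: str) -> bool:
    """True when the signer is Comm100 and the ISO-8601 signing time is in the window."""
    ts = datetime.fromisoformat(signed_at.replace("Z", "+00:00"))
    return signer == SIGNER and WINDOW_START <= ts <= WINDOW_END


def triage_events(lines: list[str]) -> list[dict]:
    """Return JSON-lines telemetry events matching the loader DLL or the injection chain."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "image_load" and _basename(ev["image"]) == LOADER_DLL:
            hits.append({**ev, "reason": "MidlrtMd.dll loader DLL loaded"})
        elif (ev["type"] == "process_create"
              and _basename(ev["image"]) == "notepad.exe"
              and _basename(ev["parent"]) in AGENT_PROCESSES):
            hits.append({**ev, "reason": "notepad.exe spawned by chat agent (injection target)"})
    return hits


# Constructed sample telemetry (not real data); paths and PIDs are made up.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"type": "process_create", "pid": 4120, "image": "C:\\Program Files\\Comm100\\comm100agent.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"type": "image_load", "pid": 4120, "image": "C:\\Users\\Public\\MidlrtMd.dll"},
    {"type": "process_create", "pid": 4388, "image": "C:\\Windows\\System32\\notepad.exe",
     "parent": "C:\\Program Files\\Comm100\\comm100agent.exe"},
    {"type": "process_create", "pid": 4402, "image": "C:\\Windows\\System32\\notepad.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"type": "image_load", "pid": 4120, "image": "C:\\Windows\\System32\\kernel32.dll"},
]]


if __name__ == "__main__":
    print("installer in window:", installer_in_signing_window(SIGNER, "2022-09-26T14:54:00Z"))
    for hit in triage_events(SAMPLE_EVENTS):
        print(hit["pid"], hit["reason"])
```

The second check deliberately requires both the Notepad child and the chat-agent parent; Notepad started from Explorer by a user (the fourth constructed event) is not flagged, which keeps the rule usable on real fleets.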

Supply chain breaches such as those at SolarWinds and Kaseya show that compromising a well-known software supplier has become an increasingly profitable way for threat actors to reach the networks of downstream customers. As of this writing, no security vendor had flagged the installer as malicious. The problem has since been fixed with the release of an updated installer (10.0.9) following responsible disclosure.

CrowdStrike has attributed the attack to a China-linked actor with moderate confidence, based on Chinese-language comments in the malware and the targeting of online gambling companies in East and Southeast Asia, a region of interest for China-based intrusion actors. The payload delivered in this operation nevertheless differs from the malware families previously identified as controlled by the group, indicating a growth in its offensive capabilities.

Although CrowdStrike withheld the adversary’s identity, the TTPs point toward a threat actor known as Earth Berberoka (also known as GamblingPuppet), which was discovered earlier this year using a fake chat app called MiMi in attacks against the gambling sector.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.