CrowdStrike, a cybersecurity firm, said the attack used a signed Comm100 desktop agent installer for Windows that was downloadable from the company's own website.
The scope of the attack is not yet known, although the trojanized file has been found at organisations in North America and Europe in the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors.
Comm100 is a Canadian company that provides live audio/video chat and customer interaction software to businesses. It claims to have over 15,000 clients spread throughout 51 countries.
“The installer was signed on September 26, 2022 at 14:54:00 UTC using a genuine Comm100 Network Corporation certificate,” the company said, adding that the file was still available for download on September 29.
The post-exploitation activity also drops a malicious loader DLL named MidlrtMd.dll, which executes shellcode in memory to inject an embedded payload into a newly spawned Notepad process. Because the installer carried a genuine Comm100 signature, Authenticode validation alone would not have flagged it; the loader DLL and the injection into Notepad are the behaviours a defender can realistically look for.
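As an added example, not part of the original report or of any CrowdStrike or Comm100 tooling, the following Python script shows how a defender might hunt for the post-exploitation behaviour described above in endpoint telemetry. The events are constructed to resemble Sysmon process-creation, image-load and remote-thread records; the agent binary path, the DLL drop location and all process IDs are assumptions made for the example, and only the DLL name MidlrtMd.dll is taken from the report. The three rules are deliberately behavioural (a known loader name, Notepad started by a non-interactive parent, a remote thread created in Notepad) so they still fire when the installer's signature checks out.

```python
import ntpath
from collections import defaultdict
from typing import Dict, List

# Constructed sample telemetry shaped loosely like Sysmon ProcessCreate,
# ImageLoad and CreateRemoteThread events. The agent binary path, the DLL
# drop location and every PID are assumptions for this example; only the
# DLL name MidlrtMd.dll comes from the report.
SAMPLE_EVENTS: List[Dict] = [
    {"EventType": "ProcessCreate", "ProcessId": 1200, "ParentProcessId": 800,
     "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 4100, "ParentProcessId": 1200,
     "Image": r"C:\Program Files\Comm100\agent.exe",  # assumed path
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventType": "ImageLoad", "ProcessId": 4100,
     "Image": r"C:\Program Files\Comm100\agent.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\MidlrtMd.dll"},  # assumed path
    {"EventType": "ProcessCreate", "ProcessId": 4204, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Program Files\Comm100\agent.exe"},
    {"EventType": "CreateRemoteThread", "SourceProcessId": 4100, "TargetProcessId": 4204,
     "SourceImage": r"C:\Program Files\Comm100\agent.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    # A user opening Notepad from the desktop: must not be flagged.
    {"EventType": "ProcessCreate", "ProcessId": 5000, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Parents that normally launch Notepad on a workstation; tune per estate.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
# Loader DLL name reported in the Comm100 write-up.
KNOWN_LOADER_DLLS = {"midlrtmd.dll"}


def _base(path: str) -> str:
    """Case-insensitive file name of a Windows path, even when run on Linux."""
    return ntpath.basename(path).lower()


def detect(events: List[Dict]) -> List[Dict]:
    """Apply three behavioural rules. Each finding names the process that
    performed the suspicious action (actor_pid), not the victim process."""
    findings: List[Dict] = []
    for ev in events:
        kind = ev["EventType"]
        if kind == "ImageLoad" and _base(ev["ImageLoaded"]) in KNOWN_LOADER_DLLS:
            findings.append({"rule": "loader_dll_name",
                             "actor_pid": ev["ProcessId"],
                             "detail": ev["ImageLoaded"]})
        elif (kind == "ProcessCreate"
              and _base(ev["Image"]) == "notepad.exe"
              and _base(ev["ParentImage"]) not in INTERACTIVE_PARENTS):
            findings.append({"rule": "notepad_unusual_parent",
                             "actor_pid": ev["ParentProcessId"],
                             "detail": ev["ParentImage"]})
        elif (kind == "CreateRemoteThread"
              and _base(ev["TargetImage"]) == "notepad.exe"
              and ev["SourceProcessId"] != ev["TargetProcessId"]):
            findings.append({"rule": "remote_thread_into_notepad",
                             "actor_pid": ev["SourceProcessId"],
                             "detail": ev["SourceImage"]})
    return findings


def correlate(events: List[Dict]) -> Dict[int, List[str]]:
    """Group rule hits by acting process, so the injecting process rather
    than the sacrificial Notepad is what an analyst sees first."""
    hits: Dict[int, List[str]] = defaultdict(list)
    for f in detect(events):
        hits[f["actor_pid"]].append(f["rule"])
    return dict(hits)


if __name__ == "__main__":
    for pid, rules in correlate(SAMPLE_EVENTS).items():
        print(f"PID {pid}: {', '.join(rules)}")
```

On the constructed events the three rules all resolve to the same acting process (the assumed agent, PID 4100), while the user-launched Notepad (PID 5000) is left alone. In production the allowlist of interactive parents and the loader name set would be fed from the estate's own baseline and the indicators published for the campaign.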
Supply chain compromises, such as those that hit SolarWinds and Kaseya, are an increasingly attractive technique for threat actors seeking a foothold in the networks of downstream customers.
CrowdStrike believes the attack was carried out by an actor with a China nexus, based on Chinese-language comments in the malware and on the targeting of online gambling businesses in East and Southeast Asia, a well-known target set for China-based intrusion actors.
However, the payload delivered in this campaign differs from the malware families previously attributed to the group, suggesting an expansion of its offensive toolset.
CrowdStrike did not name the adversary, but the TTPs overlap with those of a threat actor tracked as Earth Berberoka (aka GamblingPuppet), which was observed earlier this year using a bogus messaging app called MiMi in its attacks on the gambling sector.