A threat actor with ties to China has been linked to a new supply chain assault that involves the distribution of a JavaScript backdoor via a trojanized installer for the Comm100 Live Chat application.
CrowdStrike, a cybersecurity firm, claimed the assault used a signed Comm100 desktop agent programme for Windows that could be downloaded from the company’s website.
The scope of the assault is presently unknown, although the trojanized file has been found at firms in North America and Europe in the industrial, healthcare, technology, manufacturing, insurance, and telecommunications sectors.
Comm100 is a Canadian company that provides live audio/video chat and customer interaction software to businesses. It claims to have over 15,000 clients spread throughout 51 countries.
“The installer was signed on September 26, 2022 at 14:54:00 UTC using a genuine Comm100 Network Corporation certificate,” the business said, adding that it was still available on September 29.
A JavaScript-based implant embedded in the weaponized executable executes second-stage JavaScript code retrieved from a remote server, which is meant to give the actor covert remote shell capabilities.
A malicious loader DLL named MidlrtMd.dll, which runs in-memory shellcode to inject an embedded payload into a new Notepad process, is also deployed as part of the post-exploitation activity.
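As an added example, not from the article or from CrowdStrike, the following Python script shows how a defender might hunt for the post-exploitation pattern described above in Sysmon-style telemetry: the MidlrtMd.dll loader being loaded by the chat agent, Notepad being started by a non-interactive parent, and a remote thread being created in a Notepad process. The sample events, file paths, process IDs and the agent executable name Comm100Agent.exe are constructed placeholders; only the Sysmon event ID numbers and the loader DLL name come from real sources.

```python
"""Hunt Sysmon-style events for the Comm100 post-exploitation pattern.

Added example: the events below are constructed for illustration and the
agent path/name is a hypothetical placeholder, not the real installer layout.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Real Sysmon event IDs for the three event types examined here.
PROCESS_CREATE = 1
IMAGE_LOAD = 7
CREATE_REMOTE_THREAD = 8

# Constructed sample telemetry (hypothetical paths and PIDs).
SAMPLE_EVENTS = [
    # Benign baseline: a user opens Notepad from Explorer.
    {"eid": PROCESS_CREATE, "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Benign baseline: the agent loads a signed system DLL.
    {"eid": IMAGE_LOAD, "pid": 410,
     "image": r"C:\Program Files\Comm100\Comm100Agent.exe",
     "image_loaded": r"C:\Windows\System32\wininet.dll", "signed": True},
    # Suspicious chain matching the activity described in the article.
    {"eid": IMAGE_LOAD, "pid": 410,
     "image": r"C:\Program Files\Comm100\Comm100Agent.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\MidlrtMd.dll",
     "signed": False},
    {"eid": PROCESS_CREATE, "pid": 420, "ppid": 410,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Program Files\Comm100\Comm100Agent.exe"},
    {"eid": CREATE_REMOTE_THREAD, "pid": 410,
     "image": r"C:\Program Files\Comm100\Comm100Agent.exe",
     "target_pid": 420, "target_image": r"C:\Windows\System32\notepad.exe"},
]

# Loader DLL name reported in the article.
KNOWN_LOADER = "midlrtmd.dll"
# Path fragments that indicate a user-writable location (assumption).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
# Parents from which an interactive Notepad launch is expected (assumption).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _name(path: str) -> str:
    """Lower-cased basename of a Windows path."""
    return PureWindowsPath(path).name.lower()


def hunt(events: list[dict]) -> list[Finding]:
    """Return one Finding per event that matches a hunting rule."""
    findings: list[Finding] = []
    for ev in events:
        eid = ev["eid"]
        if eid == IMAGE_LOAD:
            dll = ev["image_loaded"]
            if _name(dll) == KNOWN_LOADER:
                findings.append(Finding("known_loader_dll", ev["pid"],
                                        f"{_name(ev['image'])} loaded {dll}"))
            elif not ev.get("signed", False) and any(
                    h in dll.lower() for h in USER_WRITABLE_HINTS):
                findings.append(Finding("unsigned_dll_from_user_path", ev["pid"],
                                        f"{_name(ev['image'])} loaded {dll}"))
        elif eid == PROCESS_CREATE and _name(ev["image"]) == "notepad.exe":
            parent = _name(ev["parent_image"])
            if parent not in INTERACTIVE_PARENTS:
                findings.append(Finding("notepad_spawned_by_app", ev["pid"],
                                        f"parent={parent}"))
        elif eid == CREATE_REMOTE_THREAD and _name(ev["target_image"]) == "notepad.exe":
            findings.append(Finding("remote_thread_into_notepad", ev["pid"],
                                    f"source={_name(ev['image'])} "
                                    f"target_pid={ev['target_pid']}"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

The three rules fire independently, so a single one is a weak signal on its own (a debugger also creates remote threads); the point is that the agent loading an unsigned DLL from a temp path, then spawning Notepad, then injecting into it is a chain worth escalating even when the installer itself carries a valid signature.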

Supply chain breaches, such as those that hit SolarWinds and Kaseya, are becoming an increasingly profitable technique for threat actors seeking to gain a foothold in the networks of downstream clients.
As of this writing, no security companies have flagged the installer as malicious. Following appropriate disclosure, the problem was resolved with the release of an updated installer (10.0.9).
CrowdStrike believes the assault was carried out by an actor with a China connection, based on the existence of Chinese-language remarks in the malware and the targeting of online gambling businesses in East and Southeast Asia, which is a well-known target for China-based intrusion actors.
However, the payload delivered in this campaign is distinct from other malware families previously recognised as being controlled by the organisation, suggesting an expansion of its offensive arsenal.
CrowdStrike did not reveal the adversary’s name, but the TTPs link to a threat actor dubbed Earth Berberoka (aka GamblingPuppet), which was discovered earlier this year utilising a bogus messaging app called MiMi in its assaults against the gambling sector.