
Hijacked Comm100 Chat Provider to Spread Malware in Supply Chain Attack

A threat actor with ties to China has been linked to a new supply chain attack that distributes a JavaScript backdoor through a trojanized installer for the Comm100 Live Chat application.

Cybersecurity firm CrowdStrike said the attack used a signed Comm100 desktop agent installer for Windows that was available for download from the company's own website.

The full scope of the attack is not yet known, but the trojanized file has been found at organizations in North America and Europe across the industrial, healthcare, technology, manufacturing, insurance, and telecommunications sectors.

Comm100 is a Canadian company that provides live audio/video chat and customer interaction software to businesses. It claims to have over 15,000 clients spread throughout 51 countries.

“The installer was signed on September 26, 2022 at 14:54:00 UTC using a genuine Comm100 Network Corporation certificate,” the company said, adding that the file was still being served on September 29. Because the signature itself was legitimate, a valid Authenticode check alone would not have caught the tampering.

The JavaScript-based implant embedded in the weaponized executable fetches and runs second-stage JavaScript code hosted on a remote server, which gives the actor a covert remote shell on the infected host.

As part of the post-exploitation activity, the actor also deploys a malicious loader DLL named MidlrtMd.dll, which runs in-memory shellcode to inject an embedded payload into a newly created Notepad process. Note that the file name mimics a legitimate Windows DLL, so detection should key on where the DLL is loaded from and on the injection behaviour rather than on the name alone.
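The two preceding paragraphs describe behaviour a defender can look for: a Notepad process started by something other than a user's shell, a remote thread created in that process, and a DLL called MidlrtMd.dll loaded from outside the Windows system directories. The script below is an added example (not code from CrowdStrike's report or from Comm100) that applies those three rules to a handful of constructed Sysmon-style events. The parent process name Comm100Agent.exe, the file paths and the process IDs are assumptions made for illustration; the page does not state which process performs the injection.

```python
"""Toy detector for the Comm100 post-exploitation chain described above.

Works over constructed Sysmon-style events (Event 1 = process create,
Event 7 = image load, Event 8 = CreateRemoteThread). Nothing here is
real telemetry; process names and paths are assumptions for the demo.
"""

# Constructed sample telemetry. "Comm100Agent.exe" as the parent/injector
# is an assumption; the article does not name the injecting process.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "ProcessId": 1204},
    # Benign: a user opened Notepad from Explorer.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ProcessId": 3320},
    {"EventID": 1, "Image": r"C:\Program Files\Comm100\Comm100Agent.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ProcessId": 4100},
    # Suspicious: the chat agent spawns Notepad, then injects into it.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Program Files\Comm100\Comm100Agent.exe", "ProcessId": 4412},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Comm100\Comm100Agent.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "TargetProcessId": 4412},
    # Suspicious: a DLL named like a Windows component loaded from a user path.
    {"EventID": 7, "Image": r"C:\Program Files\Comm100\Comm100Agent.exe",
     "ImageLoaded": r"C:\Users\Public\MidlrtMd.dll", "Signed": "false"},
]

# Parents from which a user would normally launch Notepad (assumed allowlist).
BENIGN_NOTEPAD_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
# Only these locations hold the genuine MidlrtMd.dll on a stock system.
WINDOWS_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_event(ev: dict):
    """Return a finding string if the single event trips a rule, else None."""
    eid = ev.get("EventID")
    if eid == 1 and basename(ev["Image"]) == "notepad.exe" \
            and basename(ev["ParentImage"]) not in BENIGN_NOTEPAD_PARENTS:
        return (f"notepad.exe (pid {ev['ProcessId']}) spawned by unusual parent "
                f"{basename(ev['ParentImage'])}")
    if eid == 8 and basename(ev["TargetImage"]) == "notepad.exe":
        return (f"remote thread created in notepad.exe (pid {ev['TargetProcessId']}) "
                f"by {basename(ev['SourceImage'])}")
    if eid == 7 and basename(ev["ImageLoaded"]) == "midlrtmd.dll" \
            and not ev["ImageLoaded"].lower().startswith(WINDOWS_SYSTEM_DIRS):
        return (f"MidlrtMd.dll loaded from non-system path {ev['ImageLoaded']} "
                f"by {basename(ev['Image'])}")
    return None


def scan(events):
    """(EventID, finding) pairs for every event that trips a rule."""
    findings = []
    for ev in events:
        msg = flag_event(ev)
        if msg:
            findings.append((ev["EventID"], msg))
    return findings


def suspicious_pids(events):
    """PIDs of Notepad instances that were both spawned by an unusual parent
    and later received a remote thread. Either event alone can be noise;
    the pair is the injection pattern the article describes."""
    spawned = {ev["ProcessId"] for ev in events
               if ev.get("EventID") == 1 and flag_event(ev)}
    injected = {ev["TargetProcessId"] for ev in events
                if ev.get("EventID") == 8 and flag_event(ev)}
    return sorted(spawned & injected)


if __name__ == "__main__":
    for eid, msg in scan(SAMPLE_EVENTS):
        print(f"[Event {eid}] {msg}")
    print("high-confidence injected pids:", suspicious_pids(SAMPLE_EVENTS))
```

On the sample data the benign Notepad launch from Explorer produces nothing, while the agent-spawned Notepad, the remote thread into it and the out-of-place MidlrtMd.dll each produce a finding, and the process-create plus remote-thread pair on the same PID is reported as the high-confidence hit.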


Supply chain compromises, such as those that hit SolarWinds and Kaseya, are an increasingly effective technique for threat actors seeking a foothold in the networks of a vendor's downstream customers.

As of this writing, no security vendor has flagged the installer as malicious. Following responsible disclosure, the problem was resolved with the release of an updated installer (version 10.0.9).

CrowdStrike assesses that the attack was carried out by a China-nexus actor, based on the presence of Chinese-language comments in the malware and on the targeting of online gambling businesses in East and Southeast Asia, a well-known focus of China-based intrusion groups.

However, the payload delivered in this campaign is distinct from the malware families previously attributed to the group, suggesting an expansion of its offensive arsenal.

CrowdStrike did not name the adversary, but the TTPs overlap with a threat actor tracked as Earth Berberoka (aka GamblingPuppet), which was observed earlier this year using a fake messaging app called MiMi in its attacks on the gambling sector.

