A novel supply chain attack involving the deployment of a trojanized installer for the Comm100 Live Chat program to disseminate a JavaScript backdoor has been linked to a threat actor with possible ties to China.
The attack used a signed Comm100 (Comm100 Live Chat) desktop agent tool for Windows that was available for download from the company’s website, according to cybersecurity firm CrowdStrike.
Although the full scope of the attack is currently unknown, the trojanized file has reportedly been found at firms in the industrial, healthcare, technology, manufacturing, insurance and telecom sectors in North America and Europe.
Comm100 is a Canadian company that offers live audio/video chat and customer engagement software for businesses. It claims to have more than 15,000 clients in 51 nations.
Comm100 live chat provider hijack date
According to the company, “The installer was signed on September 26, 2022, at 14:54:00 UTC using a genuine Comm100 Network Corporation certificate,” and it remained available for download through September 29.
The weaponized executable embeds a JavaScript-based implant that fetches and runs second-stage JavaScript code hosted on a remote server, intended to give the actor covert remote shell functionality.
The post-exploitation activity also uses a malicious loader DLL named MidlrtMd.dll, which launches in-memory shellcode to inject an embedded payload into a newly spawned Notepad process.
Threat actors are finding it increasingly profitable to target a well-known software supplier in order to gain access to the networks of downstream clients through supply chain compromises, such as those that occurred at SolarWinds and Kaseya.
As of this writing, no security vendor has flagged the installer as malicious. Following responsible disclosure, the problem has since been fixed with the release of an updated installer (10.0.9).
Comm100 live chat and Chinese scripts
Based on the presence of Chinese-language comments in the malware and the targeting of online gambling companies in East and Southeast Asia – an area of interest for China-based intrusion actors – CrowdStrike has attributed the attack to such an actor with moderate confidence.
Nevertheless, the payload delivered in this activity differs from other malware families previously identified as being controlled by the group, indicating an expansion of the group’s offensive capabilities.
Although CrowdStrike withheld the adversary’s identity, the TTPs point toward a threat actor known as Earth Berberoka (also known as GamblingPuppet), which was discovered earlier this year using a fake chat app known as MiMi in its attacks against the gambling sector.