Comm100 Installer Abused in Supply Chain Attack to Distribute Malware
The Comm100 Live Chat application was subject to a supply chain attack in the very last days of September. A trojanized installer was used in the attack, which led to the distribution of a JavaScript backdoor.
The full extent of the attack is currently unknown. With more than 15,000 clients, the Comm100 company offers chat and customer engagement applications to businesses in 51 countries. The malicious file has reportedly been found in various fields in North American and European businesses, including technology and healthcare.
How Did the Attack Happen?
The malware was spread using a Comm100 installer that was downloadable from the company’s website. The installer was signed with a legitimate certificate on September 26.
“CrowdStrike Intelligence can confirm that the Microsoft Windows 7+ desktop agent hosted at hxxps[:]//dash11.comm100[.]io/livechat/electron/10000/Comm100LiveChat-Setup-win[.]exe that was available until the morning of September 29 was a trojanized installer,” CrowdStrike said of the situation.
The JavaScript backdoor was inserted into the Comm100 installer through the main.js file of the embedded archive. The backdoor contacts an external resource (hxxp://api.amazonawsreplay[.]com/livehelp/collect) to retrieve and run a second-stage script. That script includes a backdoor that provides remote shell functionality and lets the attackers gather system data.
A malicious loader DLL called MidlrtMd[.]dll is also used as part of the post-exploitation activity. It executes in-memory shellcode that injects an embedded payload into a newly spawned Notepad process (notepad[.]exe).
Updated Comm100 Installer Available
So far, only one security provider has marked the installer as malicious. The problem has since been fixed with an updated installer (10.0.9).
Despite changes in the delivered payload, the target scope, and the supply chain attack mechanism, CrowdStrike assesses that the attack is the work of a China-nexus threat actor that has previously targeted several Asian online gambling organizations.
The payload delivered in this activity differs from other malware families previously identified as being controlled by the organization, indicating an increase in the group’s offensive capabilities.
IOCs
Executables:
- 6f0fae95f5637710d1464b42ba49f9533443181262f78805d3ff13bea3b8fd45
- ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86
Payloads:
- mdmerge[.]exe: ac9f2ae9de5126691b9391c990f9d4f1c25afa912fbfda2d4abfe9f9057bdd8c
- DLL (MidlrtMd[.]dll): 6194d57fc3bc35acf9365b764338adefacecfacf5955b87ad6a5b753fb6081f8
- C:\ProgramData\Cisco Core\license: c930a28878a5dd49f7c8856473ff452ddbdab8099acd6900047d9b3c6e88edca
URLs:
- hxxp://api.amazonawsreplay[.]com/collect_log
- hxxp://api.amazonawsreplay[.]com
- hxxp://api.amazonawsreplay[.]com/livehelp/init
- hxxp://api.microsoftfileapis[.]com
- hxxps://selfhelp[.]windowstearns[.]com
- hxxp://api.amazonawsreplay[.]com/livehelp/collect
Command Activity:
- reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductId
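The IOC list above is only useful once it is turned into something that runs against local artefacts. The following is an added example (not code from the article or from CrowdStrike or Comm100) that loads the article's hashes and domains, hashes a downloaded installer for comparison, and sweeps constructed proxy and process-creation log lines for the network indicators and the registry query. The log lines, hostnames other than the listed indicators, and the 10.0.0.x client addresses are constructed for illustration.

```python
import hashlib
import re

# IoC values copied from the article's IOC section, re-fanged for matching.
# SHA-256 hex is case-insensitive, so everything is normalized to lowercase.
IOC_SHA256 = {
    "6f0fae95f5637710d1464b42ba49f9533443181262f78805d3ff13bea3b8fd45": "trojanized Comm100 installer",
    "ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86": "trojanized Comm100 installer",
    "ac9f2ae9de5126691b9391c990f9d4f1c25afa912fbfda2d4abfe9f9057bdd8c": "mdmerge.exe payload",
    "6194d57fc3bc35acf9365b764338adefacecfacf5955b87ad6a5b753fb6081f8": "MidlrtMd.dll loader",
    "c930a28878a5dd49f7c8856473ff452ddbdab8099acd6900047d9b3c6e88edca": "Cisco Core\\license payload",
}

# Domains from the article's URL list (hxxp/[.] defanging removed).
IOC_DOMAINS = {
    "api.amazonawsreplay.com",
    "api.microsoftfileapis.com",
    "selfhelp.windowstearns.com",
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a matchable string."""
    return indicator.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")

def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_hash(digest: str):
    """Return the IoC label for a SHA-256 digest, or None when it is not listed."""
    return IOC_SHA256.get(digest.strip().lower())

def check_file(path: str):
    """Hash a local file (e.g. a downloaded Comm100 installer) and look it up."""
    return check_hash(sha256_of_file(path))

# Extracts the host part of any http(s) URL found in a log line.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def scan_proxy_log(lines):
    """Return (host, line) pairs for every line whose URL host is an IoC domain."""
    hits = []
    for line in lines:
        for host in HOST_RE.findall(line):
            if host.lower() in IOC_DOMAINS:
                hits.append((host.lower(), line))
    return hits

# Matches the command from the article's "Command Activity" IoC. The ProductId
# query is also issued by benign software, so treat this as a weak signal to
# correlate with the hash and domain hits rather than as proof on its own.
REG_QUERY_RE = re.compile(
    r"\breg(?:\.exe)?\s+query\s+\"?HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\"?\s+/v\s+ProductId\b",
    re.IGNORECASE,
)

def scan_process_log(lines):
    """Return the process-creation log lines that carry the ProductId registry query."""
    return [line for line in lines if REG_QUERY_RE.search(line)]

# Constructed sample data (not real telemetry): one benign Comm100 request,
# two requests to listed domains, and two registry queries of which only one
# matches the indicator exactly.
PROXY_LOG = [
    "2022-09-29T08:12:01Z 10.0.0.21 GET https://dash11.comm100.io/livechat/ 200",
    "2022-09-29T08:12:05Z 10.0.0.21 GET http://api.amazonawsreplay.com/livehelp/collect 200",
    "2022-09-29T08:13:40Z 10.0.0.33 GET https://selfhelp.windowstearns.com/ 404",
]
PROCESS_LOG = [
    'cmd.exe /c reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" /v ProductId',
    'reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" /v ProductName',
]

if __name__ == "__main__":
    for host, line in scan_proxy_log(PROXY_LOG):
        print(f"IoC domain {host}: {line}")
    for line in scan_process_log(PROCESS_LOG):
        print(f"ProductId query: {line}")
```

A realistic sweep would feed `check_file` every `Comm100LiveChat-Setup-win.exe` found on endpoints or in download caches and run `scan_proxy_log` over the full proxy history for the window the article gives (September 26 to the morning of September 29). Hash matching only catches the exact samples listed, so a clean hash on an installer from that window is not a clean bill of health; the domain hits are the stronger pivot because the second stage has to call back to them.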