Comm100 Installer Abused in Supply Chain Attack to Distribute Malware

The Comm100 Live Chat application was subject to a supply chain attack in the very last days of September. A trojanized installer was used in the attack, which led to the distribution of a JavaScript backdoor.

The full extent of the attack is currently unknown. With more than 15,000 clients, the Comm100 company offers chat and customer engagement applications to businesses in 51 countries. The malicious file has reportedly been found in various fields in North American and European businesses, including technology and healthcare.

How Did the Attack Happen?

The malware was spread using a Comm100 installer that was downloadable from the company’s website. The installer was signed with a legitimate certificate on September 26.

“CrowdStrike Intelligence can confirm that the Microsoft Windows 7+ desktop agent hosted at hxxps[:]//dash11.comm100[.]io/livechat/electron/10000/Comm100LiveChat-Setup-win[.]exe that was available until the morning of September 29 was a trojanized installer.”, Crowdstrike said about the situation.

The main.js file of the embedded archive was used to insert a JavaScript backdoor into the Comm100 installer. The backdoor accesses an external resource(hxxp://api.amazonawsreplay[.]com/livehelp/collect) to retrieve and run a second-stage script. The script includes a backdoor to provide remote shell functionality and lets attackers gather system data.

A malicious loader DLL called MidlrtMd[.]dll is also used as part of the post-exploitation activity. It starts an in-memory shellcode to inject an embedded payload into a new Notepad process (notepad[.]exe).

Updated Comm100 Installer Available

So far, only one security provider has marked the installer as malicious. The problem has since been fixed with an updated installer (10.0.9).

Despite changes in the delivered payload, the target scope, and the supply chain attack mechanism, CrowdStrike thinks the attack is the work of a China nexus threat actor that has previously targeted several Asian online gambling organizations.

The payload delivered in this activity differs from other malware families previously identified as being controlled by the organization, indicating an increase in the group’s offensive capabilities.

IOCs

Executables:

6f0fae95f5637710d1464b42ba49f9533443181262f78805d3ff13bea3b8fd45
Ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86

Payloads:

mdmerge[.]exe: Ac9f2ae9de5126691b9391c990f9d4f1c25afa912fbfda2d4abfe9f9057bdd8c
DLL (MidlrtMd[.]dll): 6194d57fc3bc35acf9365b764338adefacecfacf5955b87ad6a5b753fb6081f8
C:ProgramDataCisco Corelicense: C930a28878a5dd49f7c8856473ff452ddbdab8099acd6900047d9b3c6e88edca

URLs: