The full extent of the attack is currently unknown. With more than 15,000 clients, the Comm100 company offers chat and customer engagement applications to businesses in 51 countries. The malicious file has reportedly been found at North American and European businesses across several sectors, including technology and healthcare.
How Did the Attack Happen?
The malware was spread using a Comm100 installer that was downloadable from the company’s website. The installer was signed with a legitimate certificate on September 26.
“CrowdStrike Intelligence can confirm that the Microsoft Windows 7+ desktop agent hosted at hxxps[:]//dash11.comm100[.]io/livechat/electron/10000/Comm100LiveChat-Setup-win[.]exe that was available until the morning of September 29 was a trojanized installer,” CrowdStrike said about the situation.
A malicious loader DLL called MidlrtMd[.]dll is also used as part of the post-exploitation activity. It runs in-memory shellcode that injects an embedded payload into a newly created Notepad process (notepad[.]exe).
Updated Comm100 Installer Available
Despite changes in the delivered payload, the target scope, and the supply chain attack mechanism, CrowdStrike assesses that the attack is the work of a China-nexus threat actor that has previously targeted several Asian online gambling organizations.
The payload delivered in this activity differs from other malware families previously identified as being controlled by the organization, indicating an increase in the group’s offensive capabilities.
- mdmerge[.]exe: Ac9f2ae9de5126691b9391c990f9d4f1c25afa912fbfda2d4abfe9f9057bdd8c
- DLL (MidlrtMd[.]dll): 6194d57fc3bc35acf9365b764338adefacecfacf5955b87ad6a5b753fb6081f8
- C:\ProgramData\Cisco Core\license: C930a28878a5dd49f7c8856473ff452ddbdab8099acd6900047d9b3c6e88edca
- reg query "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductId
For detailed descriptions, check here.
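As an added illustration (not code from the article or from CrowdStrike), the following script turns the indicators listed above into a small detection pass over process-creation telemetry: it flags the known-bad SHA-256 hashes, the ProductId registry query, and a Notepad process launched by anything other than the Windows shell. The pipe-delimited record format and the sample events are constructed for the example.

```python
import ntpath
import re
from dataclasses import dataclass

# Indicators quoted from the article above (defanging removed); values are SHA-256 hashes.
KNOWN_BAD_SHA256 = {
    "ac9f2ae9de5126691b9391c990f9d4f1c25afa912fbfda2d4abfe9f9057bdd8c": "mdmerge.exe",
    "6194d57fc3bc35acf9365b764338adefacecfacf5955b87ad6a5b753fb6081f8": "MidlrtMd.dll",
    "c930a28878a5dd49f7c8856473ff452ddbdab8099acd6900047d9b3c6e88edca": r"C:\ProgramData\Cisco Core\license",
}
# The ProductId reconnaissance command from the article, matched case-insensitively.
PRODUCTID_QUERY = re.compile(
    r'reg(?:\.exe)?\s+query\s+"?hklm\\software\\microsoft\\windows nt\\currentversion"?\s+/v\s+productid',
    re.IGNORECASE,
)

@dataclass
class ProcEvent:
    image: str         # path of the created process
    parent_image: str  # path of its parent process
    cmdline: str       # command line of the created process
    sha256: str        # SHA-256 of the image file on disk

def parse_event(line: str) -> ProcEvent:
    """Parse one constructed record of the form image|parent|cmdline|sha256."""
    image, parent, cmdline, digest = line.rstrip("\n").split("|", 3)
    return ProcEvent(image, parent, cmdline, digest.strip().lower())

def classify(ev: ProcEvent) -> list[str]:
    """Return the reasons an event matches the Comm100 post-exploitation chain (empty if clean)."""
    hits = []
    if ev.sha256 in KNOWN_BAD_SHA256:
        hits.append(f"known-bad hash: {KNOWN_BAD_SHA256[ev.sha256]}")
    if PRODUCTID_QUERY.search(ev.cmdline):
        hits.append("ProductId registry query")
    # Notepad is an interactive user application; a non-shell parent is a process-injection tell.
    if ntpath.basename(ev.image).lower() == "notepad.exe" and ntpath.basename(ev.parent_image).lower() != "explorer.exe":
        hits.append(f"notepad.exe spawned by {ev.parent_image}")
    return hits

def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (image, reasons) for every flagged event, in input order; clean events are dropped."""
    return [(ev.image, hits) for ev in map(parse_event, lines) if (hits := classify(ev))]

# Constructed sample telemetry: installer drops mdmerge.exe, which starts notepad.exe, which runs
# the ProductId query; the last record is a user opening a text file and must not be flagged.
SAMPLE_EVENTS = [
    r"C:\Users\alice\AppData\Local\Temp\mdmerge.exe|C:\Users\alice\Downloads\Comm100LiveChat-Setup-win.exe|mdmerge.exe|AC9F2AE9DE5126691B9391C990F9D4F1C25AFA912FBFDA2D4ABFE9F9057BDD8C",
    r"C:\Windows\System32\notepad.exe|C:\Users\alice\AppData\Local\Temp\mdmerge.exe|notepad.exe|" + "0" * 64,
    r'C:\Windows\System32\reg.exe|C:\Windows\System32\notepad.exe|reg query "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductId|' + "1" * 64,
    r"C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe C:\notes.txt|" + "0" * 64,
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Hash matching is the reliable check here because the trojanized installer carried a valid signature, so an Authenticode check alone would have passed it.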