Trojanized Comm100 Live Chat app installer distributed a JavaScript backdoor

A threat actor used a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor.

Cybersecurity firm CrowdStrike disclosed details of a supply chain attack that involved the use of a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor.

Comm100 is a provider of customer service and communication products that serves over 200,000 businesses. At the time of this writing it is unclear how many customers of the company were impacted by the attack.

The attack took place from at least September 27, 2022 through the morning of September 29, 2022. The malicious installer was used to infect organizations in multiple sectors, including the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors in North America and Europe.

CrowdStrike researchers assess with moderate confidence that the threat actor behind this supply chain attack likely has a China nexus.

The malicious code was delivered via a signed Comm100 installer that was downloadable from the company’s website

“Malware is delivered via a signed Comm100 installer that was downloadable from the company’s website. The installer was signed on September 26, 2022 at 14:54:00 UTC using a valid Comm100 Network Corporation certificate.” reads a report published by CrowdStrike. “CrowdStrike Intelligence can confirm that the Microsoft Windows 7+ desktop agent hosted at https[:]//dash11.comm100[.]io/livechat/electron/10000/Comm100LiveChat-Setup-win.exe that was available until the morning of September 29 was a trojanized installer.”

Comm100 addressed the issue by releasing a clean, updated installer, version 10.0.9.  

The weaponized executable was spotted containing is a JavaScript used to execute a second-stage JavaScript code hosted on a remote server. This second-state Javascript establish a remote shell on the infected system. Attackers also deployed a malicious loader DLL named MidlrtMd.dll that launches an in-memory shellcode to inject an embedded payload into a new instance of notepad.exe.

“The injected payload connects to the malicious C2 domain api.microsoftfileapis[.]com, which resolved to the IP address 8.219.167[.]156 at the time of the incident.” continues the report.

The attackers used the Microsoft Metadata Merge Utility binary to load a the MidlrtMd DLL.

“Furthermore, CrowdStrike Intelligence assesses with moderate confidence that this actor likely has a China nexus. This assessment is based on the presence of Chinese-language comments in the malware, aforementioned tactics, techniques and procedures (TTPs), and the connection to the targeting of online gambling entities in East and Southeast Asia — a previously established area of focus for China-nexus targeted intrusion actors. CrowdStrike Intelligence customers have access to additional reporting related to this actor.”

The report includes Indicators of Compromise (IoCs) for this attack.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Comm100)

[adrotate banner=”5″]

[adrotate banner=”13″]