Severity
High
Analysis Summary
A threat actor with ties to China has been attributed to a novel supply chain attack in which a trojanized installer for the Comm100 Live Chat application was used to distribute a JavaScript backdoor.
According to CrowdStrike, the attack used a signed Comm100 desktop agent program for Windows that could be downloaded from the company’s website.
Comm100 is a Canadian company that claims to have over 15,000 clients in 51 countries and provides customer service, live audio/video chat, and customer engagement software for businesses.
Because the trojanized installer carried a valid digital signature, antivirus solutions raised no alerts during its execution, enabling a covert supply-chain attack.
The infected variant was available from the vendor’s website from at least September 26 until as recently as the morning of September 29, according to the report.
“Malware is delivered via a signed Comm100 installer that was downloadable from the company’s website. The installer was signed on September 26, 2022 at 14:54:00 UTC using a valid Comm100 Network Corporation certificate,” the report states.
Organizations across a variety of industries, including those in North America and Europe’s industrial, healthcare, technology, manufacturing, insurance, and telecommunications sectors, were infected with the malicious installation.
“CrowdStrike Intelligence can confirm that the Microsoft Windows 7+ desktop agent hosted at https[:]//dash11.comm100[.]io/livechat/electron/10000/Comm100LiveChat-Setup-win.exe that was available until the morning of September 29 was a trojanized installer. Comm100 has since released an updated installer (10.0.9).”
The weaponized executable was found to contain embedded JavaScript that fetches and runs JavaScript code hosted on a remote server. This second stage establishes a remote shell on the compromised system.
The researchers also observed post-compromise activity, including the deployment of malicious loaders (MidlrtMd.dll) that use DLL search-order hijacking to run the payload inside legitimate Windows processes such as notepad.exe, executing it directly from memory.

“The injected payload connects to the malicious C2 domain api.microsoftfileapis[.]com, which resolved to the IP address 8.219.167[.]156 at the time of the incident,” the report continues.
CrowdStrike assesses with moderate confidence that the attack was carried out by threat actors linked to China, specifically a cluster previously observed targeting Asian online gambling companies (most probably Earth Berberoka, aka GamblingPuppet).
The attribution to China rests on several distinctive traits: the use of chat software to spread malware, the use of the Microsoft Metadata Merge Utility binary to load a malicious DLL named MidlrtMd.dll, Chinese-language comments in the code of the final payload, and other findings.
After the researchers notified Comm100 of the issue, the vendor released a clean installer as version 10.0.9. Users are strongly advised to upgrade the Live Chat application immediately.
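The loader behaviour described above (MidlrtMd.dll side-loaded into notepad.exe) and the C2 callback give a defender two concrete things to hunt for. The following is an added example, not code from the report or from Comm100: it runs simple detection rules over constructed Sysmon-style events (Event ID 7 image load, Event ID 22 DNS query); the sample events, field names and the "trusted directory" list are assumptions for illustration.

```python
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs), shaped like Sysmon Event 7 / Event 22 records.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\MidlrtMd.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 22, "Image": r"C:\Windows\System32\notepad.exe",
     "QueryName": "api.microsoftfileapis.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Comm100\Comm100LiveChat.exe",
     "QueryName": "dash11.comm100.io"},
]

HIJACK_DLLS = {"midlrtmd.dll"}               # loader name from the report
C2_DOMAINS = {"api.microsoftfileapis.com"}    # C2 domain from the report
# Assumed set of directories from which a Windows system binary is expected to load DLLs.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def trusted_path(path: str) -> bool:
    """True if the path sits under one of the trusted Windows directories."""
    return path.lower().startswith(TRUSTED_DIRS)


def detect(events):
    """Return (rule, process, artifact) tuples for events matching the hunting rules."""
    alerts = []
    for e in events:
        if e.get("EventID") == 7:
            dll = PureWindowsPath(e["ImageLoaded"])
            if dll.name.lower() in HIJACK_DLLS and not trusted_path(str(dll)):
                # Known loader name loaded from an untrusted location: DLL search-order hijack.
                alerts.append(("hijack_dll", e["Image"], str(dll)))
            elif e.get("Signed") == "false" and trusted_path(e["Image"]) and not trusted_path(str(dll)):
                # Generic form of the same technique: a system binary loading an unsigned
                # DLL from a user-writable directory.
                alerts.append(("unsigned_dll_in_system_process", e["Image"], str(dll)))
        elif e.get("EventID") == 22:
            if e["QueryName"].lower().rstrip(".") in C2_DOMAINS:
                alerts.append(("c2_dns", e["Image"], e["QueryName"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```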
Furthermore, CrowdStrike Intelligence assesses with moderate confidence that this actor likely has a China nexus. This assessment is based on the presence of Chinese-language comments in the malware, aforementioned tactics, techniques and procedures (TTPs), and the connection to the targeting of online gambling entities in East and Southeast Asia — a previously established area of focus for China-nexus targeted intrusion actors. CrowdStrike Intelligence customers have access to additional reporting related to this actor.
The Canadian Centre for Cyber Security also issued a notification about the attack to raise awareness among enterprises that may be running a trojanized version of the Comm100 Live Chat software.
Impact
- Malware Distribution
Indicators of Compromise
Remediation
- Users are strongly advised to upgrade the Live Chat application as soon as possible.
- Also review the latest alert published by the Canadian Centre for Cyber Security about this incident to help raise awareness within your organization.
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) in your environment using your respective security controls.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Maintain daily backups of all computer networks and servers.
- Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
- Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
- WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
- Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
- 2FA – Enable two-factor authentication.
- Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Multi-layered protection is necessary to secure vulnerable assets.
- Security Best Practices – Do not open emails and attachments from unknown or suspicious sources.