According to CrowdStrike, the attack used a signed Comm100 desktop agent installer for Windows that could be downloaded from the company’s own website.
Comm100 is a Canadian company that claims to have over 15,000 clients in 51 countries and provides customer service, live audio/video chat, and customer engagement software for businesses.
Because the trojanized installer carried a valid digital signature, antivirus solutions raised no alerts when it ran, enabling a covert supply-chain attack. A valid signature only proves that the file was signed with the vendor’s key; it says nothing about whether the build itself is clean, so signature checks alone cannot catch a compromise upstream of the signing step.
The infected variant was available from the vendor’s website from at least September 26 until as recently as the morning of September 29, according to the report.
The report states: “Malware is delivered via a signed Comm100 installer that was downloadable from the company’s website. The installer was signed on September 26, 2022 at 14:54:00 UTC using a valid Comm100 Network Corporation certificate.”
Organizations across a range of industries, including industrial, healthcare, technology, manufacturing, insurance and telecommunications companies in North America and Europe, were infected by the malicious installer.
“CrowdStrike Intelligence can confirm that the Microsoft Windows 7+ desktop agent hosted at https[:]//dash11.comm100[.]io/livechat/electron/10000/Comm100LiveChat-Setup-win.exe that was available until the morning of September 29 was a trojanized installer. Comm100 has since released an updated installer (10.0.9).”
The researchers observed post-compromise activity including the deployment of a malicious loader (“MidlrtMd.dll”) that relies on DLL search-order hijacking and injects the final payload into legitimate Windows processes such as “notepad.exe,” where it executes directly from memory.
“The injected payload connects to the malicious C2 domain api.microsoftfileapis[.]com, which resolved to the IP address 8.219.167[.]156 at the time of the incident,” the report continues.
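To turn the indicators above into something a SOC can run, here is an added example (not code from CrowdStrike, Comm100 or the original article) that scans exported endpoint and proxy logs for the report’s IOCs: the installer URL, a load of MidlrtMd.dll into a process, DNS resolution of the C2 domain, and connections to the C2 address. The pipe-delimited log format, the sample log lines, and the “trusted directory” heuristic used to judge where MidlrtMd.dll was loaded from are all assumptions made for this example; map the fields onto your own SIEM schema before use.

```python
"""Hunt exported endpoint and proxy logs for the Comm100 supply-chain IOCs.

Added example, not code from CrowdStrike or Comm100.  The indicators are the
ones the report names; the pipe-delimited log format, the sample lines and the
trusted-directory heuristic are constructed assumptions for this example.
"""
from datetime import datetime, timezone

# Indicators named in the report (defanged in the article, re-armed here for matching).
C2_DOMAIN = "api.microsoftfileapis.com"
C2_IP = "8.219.167.156"
LOADER_DLL = "midlrtmd.dll"
INSTALLER_URL = "dash11.comm100.io/livechat/electron/10000/comm100livechat-setup-win.exe"

# Window during which the trojanized installer was live on the vendor site.
WINDOW_START = datetime(2022, 9, 26, 0, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 9, 29, 23, 59, 59, tzinfo=timezone.utc)

# Assumption (heuristic): a loader dropped by the installer lives outside OS/program dirs.
TRUSTED_DIR_PREFIXES = ("c:\\windows\\", "c:\\program files")

# Constructed sample lines: ts|host|event|key=value|key=value ...
SAMPLE_LOGS = [
    "2022-09-27T09:12:00+00:00|WS-0142|proxy|user=alice|url=https://dash11.comm100.io/livechat/electron/10000/Comm100LiveChat-Setup-win.exe",
    "2022-09-27T09:15:31+00:00|WS-0142|imageload|image=C:\\Windows\\System32\\notepad.exe|module=C:\\Users\\alice\\AppData\\Local\\Temp\\MidlrtMd.dll",
    "2022-09-27T09:15:32+00:00|WS-0142|dns|query=api.microsoftfileapis.com",
    "2022-09-27T09:15:33+00:00|WS-0142|netconn|image=C:\\Windows\\System32\\notepad.exe|dst=8.219.167.156|dport=443",
    "2022-09-27T09:16:00+00:00|WS-0142|dns|query=www.microsoft.com",
    "2022-09-27T09:16:05+00:00|WS-0077|imageload|image=C:\\Windows\\System32\\notepad.exe|module=C:\\Windows\\System32\\kernel32.dll",
    "2022-10-03T14:02:10+00:00|WS-0077|proxy|user=bob|url=https://dash11.comm100.io/livechat/electron/10000/Comm100LiveChat-Setup-win.exe",
    "garbage line",
]


def parse(line):
    """Split 'ts|host|event|k=v|...' into a dict; return None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) < 3:
        return None
    rec = {"ts": parts[0], "host": parts[1], "event": parts[2]}
    for kv in parts[3:]:
        key, _, value = kv.partition("=")  # split on the first '=' only; URLs may contain more
        rec[key] = value
    return rec


def in_window(ts):
    """True if an ISO-8601 timestamp falls inside the known-bad distribution window."""
    try:
        t = datetime.fromisoformat(ts).astimezone(timezone.utc)
    except ValueError:
        return False
    return WINDOW_START <= t <= WINDOW_END


def check(rec):
    """Return (severity, reason) if the record matches an IOC, otherwise None."""
    event = rec["event"]
    if event == "dns" and rec.get("query", "").lower().rstrip(".") == C2_DOMAIN:
        return ("high", f"DNS query for C2 domain {C2_DOMAIN}")
    if event == "netconn" and rec.get("dst") == C2_IP:
        return ("high", f"connection to C2 address {C2_IP} from {rec.get('image', '?')}")
    if event == "imageload":
        module = rec.get("module", "").lower()
        basename = module.rsplit("\\", 1)[-1]
        # Flag the loader by name only when it sits outside the trusted directories.
        if basename == LOADER_DLL and not module.startswith(TRUSTED_DIR_PREFIXES):
            return ("high", f"{LOADER_DLL} loaded from untrusted path into {rec.get('image', '?')}")
    if event == "proxy" and INSTALLER_URL in rec.get("url", "").lower():
        if in_window(rec["ts"]):
            return ("high", "Comm100 installer downloaded while the trojanized build was live")
        return ("medium", "Comm100 installer downloaded outside the known-bad window; confirm version 10.0.9 or later")
    return None


def hunt(lines):
    """Run every line through check() and collect the findings in log order."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        hit = check(rec)
        if hit:
            findings.append({"host": rec["host"], "ts": rec["ts"], "severity": hit[0], "reason": hit[1]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f['ts']} {f['host']} [{f['severity']}] {f['reason']}")
```

On the constructed sample, the script flags the four events on WS-0142 (download during the window, MidlrtMd.dll loaded from a Temp directory into notepad.exe, the C2 DNS lookup and the outbound connection) as high, and the later download on WS-0077 as medium, since the same URL served the clean 10.0.9 build after the fix. The path heuristic is deliberately loose; tighten it to your own software-deployment paths once you know where the legitimate Comm100 files are installed.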
CrowdStrike assesses with moderate confidence that the attack was carried out by China-linked threat actors, specifically a cluster previously observed targeting online gambling companies in Asia (most probably Earth Berberoka, aka GamblingPuppet).
The attribution rests on several distinctive traits: the use of chat software to distribute malware, the use of the Microsoft Metadata Merge Utility binary to load a malicious DLL named MidlrtMd.dll, Chinese-language comments in the code of the final payload, and other findings.
Comm100 provided a clean installer, version 10.0.9, after CrowdStrike notified it of the issue. Users are strongly advised to update the Live Chat application immediately.
Furthermore, CrowdStrike Intelligence assesses with moderate confidence that this actor likely has a China nexus. This assessment is based on the presence of Chinese-language comments in the malware, aforementioned tactics, techniques and procedures (TTPs), and the connection to the targeting of online gambling entities in East and Southeast Asia — a previously established area of focus for China-nexus targeted intrusion actors. CrowdStrike Intelligence customers have access to additional reporting related to this actor.
The Canadian Centre for Cyber Security also issued an alert about the attack to raise awareness among organizations that may be running a trojanized version of the Comm100 Live Chat software.