A threat actor recently delivered malware through a trojanized installer for a legitimate desktop-based live chat application from Comm100 that is used by organizations globally.
The signed, trojanized installer was available for download from Comm100’s official website from at least Sept. 27 through the morning of Sept. 29, according to CrowdStrike; the findings were first reported by Reuters. Comm100, which makes customer engagement software that powers live chat, chatbots, ticketing, social media and messaging tools, removed the trojanized installer on Sept. 29 and released an updated installer (version 10.0.9).
“The trojanized file was identified at organizations in the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors in North America and Europe,” according to CrowdStrike researchers in a Friday analysis.
While further information on the specific number of victim organizations was not disclosed, CrowdStrike researchers said Comm100 has over 15,000 customers across 51 countries, “so the possibility of affected customers and industries is widespread.”
The trojanized installer in question was signed on Sept. 26 with a valid Comm100 Network Corporation certificate. Researchers found that the installer contains a JavaScript backdoor that would then download and execute a second-stage script, consisting of obfuscated JavaScript that provides the threat actor with remote shell functionality. Researchers also observed what they believed was likely follow-on activity, in which the threat actor installed additional malicious files on the impacted host, including a malicious loader DLL. This DLL executed a shellcode payload in memory and injected an embedded payload into a new instance of notepad.exe, which then connected to an attacker-controlled C2 domain. The malicious loader DLL was executed by the legitimate Microsoft Metadata Merge Utility (mdmerge.exe) through DLL search-order hijacking, said researchers.
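The post-exploitation chain described above (a signed Microsoft utility loading a planted DLL, that utility starting notepad.exe, and notepad.exe opening an outbound connection) is the kind of behaviour endpoint telemetry can catch regardless of the installer's valid signature. The following is an added example, not code from CrowdStrike, Comm100 or the original article: three detection rules run over constructed Sysmon-style events (loosely modelled on event IDs 7, 1 and 3). The file paths, the DLL name `example_loader.dll` and the host `c2.example.invalid` are all made up for the illustration; only `mdmerge.exe` and `notepad.exe` come from the report.

```python
"""Host-level detection rules for the mdmerge.exe / notepad.exe chain described in
the report. Events are constructed Sysmon-style dicts; nothing here is real telemetry."""
import ntpath  # parses Windows paths correctly on any OS
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]
Finding = Tuple[str, str, str]  # (rule name, offending image, detail)

# Directories from which a Microsoft SDK tool is expected to load its DLLs
# (lower-case, backslash-terminated so prefix matching is unambiguous).
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
SIDELOAD_HOSTS = {"mdmerge.exe"}     # signed utility the report says was abused
INJECTION_TARGETS = {"notepad.exe"}  # process the report says received the payload


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_DLL_DIRS)


def detect_dll_sideload(events: List[Event]) -> List[Finding]:
    """Rule 1: a known sideload host loads a DLL that is neither Microsoft-signed
    nor located in a trusted directory. Search-order hijacking works by placing
    the DLL beside a relocated copy of the host EXE, so note when both share a folder."""
    out: List[Finding] = []
    for e in events:
        if e.get("EventID") != 7 or _name(e["Image"]) not in SIDELOAD_HOSTS:
            continue
        dll = e["ImageLoaded"]
        ms_signed = bool(e.get("Signed")) and "microsoft" in str(e.get("Signature", "")).lower()
        if not ms_signed and not _in_trusted_dir(dll):
            same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(e["Image"]).lower()
            detail = f"loaded {dll}" + (" (same directory as host EXE)" if same_dir else "")
            out.append(("dll_sideload", e["Image"], detail))
    return out


def detect_injection_target_spawn(events: List[Event]) -> List[Finding]:
    """Rule 2: a sideload host spawns a process commonly used as an injection target."""
    return [("suspicious_child", e["ParentImage"], f"spawned {e['Image']}")
            for e in events
            if e.get("EventID") == 1
            and _name(e["ParentImage"]) in SIDELOAD_HOSTS
            and _name(e["Image"]) in INJECTION_TARGETS]


def detect_lolbin_network(events: List[Event]) -> List[Finding]:
    """Rule 3: notepad.exe has no legitimate reason to open outbound connections."""
    return [("lolbin_network", e["Image"],
             f"connected to {e['DestinationHostname']}:{e['DestinationPort']}")
            for e in events
            if e.get("EventID") == 3 and _name(e["Image"]) in INJECTION_TARGETS]


def run_all(events: List[Event]) -> List[Finding]:
    return (detect_dll_sideload(events)
            + detect_injection_target_spawn(events)
            + detect_lolbin_network(events))


# Constructed sample telemetry: two benign events and three matching the reported chain.
SAMPLE_EVENTS: List[Event] = [
    # Legitimate use of the SDK tool from its install directory: not flagged.
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Windows Kits\10\bin\x64\mdmerge.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True,
     "Signature": "Microsoft Windows"},
    # Relocated copy of the tool loading an unsigned DLL planted beside it: flagged.
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\mdmerge.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\example_loader.dll", "Signed": False,
     "Signature": ""},
    # The relocated tool starting notepad.exe: flagged.
    {"EventID": 1, "ParentImage": r"C:\Users\Public\Libraries\mdmerge.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
    # notepad.exe reaching out to a placeholder host: flagged.
    {"EventID": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationHostname": "c2.example.invalid", "DestinationPort": 443},
    # Ordinary browser traffic: not flagged.
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, image, detail in run_all(SAMPLE_EVENTS):
        print(f"[{rule}] {image}: {detail}")
```

Rule 1 is the one that survives the valid code-signing certificate: the installer and mdmerge.exe are both legitimately signed, so signature checks alone pass, while a Microsoft utility loading an unsigned DLL from a user-writable folder does not. In production the three rules would be correlated on process GUID so that the sideload, the child process and the network connection are tied to one chain rather than alerted on separately.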
“The payload delivered in this supply chain attack differs from payloads identified in previous incidents related to the same actor, targeting online gambling entities in Asia,” said researchers. They added that “the recent activity differs from activity targeting online gambling in both the target scope and the supply chain attack mechanism delivering a trojanized app via Comm100’s website.”
Researchers also assessed with moderate confidence that the attacker is “likely” a China-nexus threat actor due in part to the Chinese-language comments in the malware, its tactics and the connection to online gambling entities in East and Southeast Asia, which they said is a previously established target area of China-nexus intrusion actors. According to CrowdStrike, assessments are made with moderate confidence when they are based on information that is “credibly sourced and plausible, but not of sufficient quantity or corroborated sufficiently to warrant a higher level of confidence.”
Comm100, which is based in Canada, did not immediately respond to a request for comment. According to CrowdStrike, Comm100 has indicated it is performing a root cause analysis to obtain additional information on the incident.