A threat actor used a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor.
Cybersecurity firm CrowdStrike disclosed details of a supply chain attack that involved the use of a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor.
Comm100 is a provider of customer service and communication products that serves over 200,000 businesses. At the time of this writing it is unclear how many of the company's customers were impacted by the attack.
The attack took place from at least September 27, 2022 through the morning of September 29, 2022. The malicious installer was used to infect organizations in several sectors, including the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors in North America and Europe.
CrowdStrike researchers assess with moderate confidence that the threat actor behind this supply chain attack likely has a China nexus.
The malicious code was delivered via a signed Comm100 installer that was downloadable from the company's website
"Malware is delivered via a signed Comm100 installer that was downloadable from the company's website. The installer was signed on September 26, 2022 at 14:54:00 UTC using a valid Comm100 Network Corporation certificate." reads a report published by CrowdStrike. "CrowdStrike Intelligence can confirm that the Microsoft Windows 7+ desktop agent hosted at https[:]//dash11.comm100[.]io/livechat/electron/10000/Comm100LiveChat-Setup-win.exe that was available until the morning of September 29 was a trojanized installer."
Comm100 addressed the issue by releasing a clean, updated installer, version 10.0.9.
The weaponized executable contains JavaScript used to execute second-stage JavaScript code hosted on a remote server. This second-stage JavaScript installs a remote shell on the infected system. The attackers also deployed a malicious loader DLL named MidlrtMd.dll that launches in-memory shellcode to inject an embedded payload into a new instance of notepad.exe.
"The injected payload connects to the malicious C2 domain api.microsoftfileapis[.]com, which resolved to the IP address 8.219.167[.]156 at the time of the incident." continues the report.
The attackers used the Microsoft Metadata Merge Utility binary to load the MidlrtMd DLL, a DLL sideloading technique that lets the malicious code run under a legitimately signed Microsoft process.
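The intrusion chain described above leaves three observable traces that a defender can hunt for without the installer hash: a process loading MidlrtMd.dll from a location where the DLL does not belong, notepad.exe making outbound network connections (it is the injection target), and DNS or TCP activity toward api.microsoftfileapis[.]com or 8.219.167[.]156. The following Python script is an added example, not code from CrowdStrike, Comm100 or the original article. It runs those three checks over constructed Sysmon-style event records (EventID 22 DNS query, 3 network connection, 7 image load); the field names, the sample events, the placeholder process names and the list of trusted DLL locations are assumptions to be adapted to your own telemetry.

```python
"""Hunt for the Comm100 supply-chain IoCs in Sysmon-style telemetry (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address

# IoCs taken from the CrowdStrike report quoted in the article (defanging removed).
C2_DOMAIN = "api.microsoftfileapis.com"
C2_IP = ip_address("8.219.167.156")
LOADER_DLL = "midlrtmd.dll"
INJECT_TARGET = "notepad.exe"  # the process the in-memory shellcode injects into

# Assumption: a MidlrtMd.dll loaded from one of these prefixes is a legitimate
# install (the Windows SDK ships a DLL of that name); anywhere else is suspect.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files (x86)\\windows kits\\",
)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: list[dict]) -> list[Finding]:
    """Return one Finding per IoC match; benign events produce nothing."""
    findings: list[Finding] = []
    for ev in events:
        eid, host = ev["EventID"], ev["Computer"]
        if eid == 22:  # DNS query
            if ev["QueryName"].lower().rstrip(".") == C2_DOMAIN:
                findings.append(Finding("c2-dns", host,
                                        f"{_basename(ev['Image'])} queried {C2_DOMAIN}"))
        elif eid == 3:  # network connection
            image = _basename(ev["Image"])
            dst = ip_address(ev["DestinationIp"])
            if dst == C2_IP:
                findings.append(Finding("c2-ip", host,
                                        f"{image} connected to {dst}:{ev['DestinationPort']}"))
            # notepad.exe has no reason to reach a public address; injection indicator.
            if image == INJECT_TARGET and dst.is_global:
                findings.append(Finding("notepad-network", host,
                                        f"{image} made an outbound connection to {dst}"))
        elif eid == 7:  # image (DLL) load
            loaded = ev["ImageLoaded"]
            if _basename(loaded) == LOADER_DLL and not loaded.lower().startswith(TRUSTED_PREFIXES):
                findings.append(Finding("loader-dll", host,
                                        f"{_basename(ev['Image'])} loaded {loaded}"))
    return findings


# Constructed sample telemetry: one host, mixed benign and malicious activity.
# "mdutil.exe" is a placeholder for the signed utility used for sideloading, not a real name.
SAMPLE_EVENTS = [
    {"EventID": 22, "Computer": "WS01", "QueryName": "dash11.comm100.io",
     "Image": "C:\\Users\\a\\Downloads\\Comm100LiveChat-Setup-win.exe"},
    {"EventID": 7, "Computer": "WS01", "Image": "C:\\ProgramData\\mdutil\\mdutil.exe",
     "ImageLoaded": "C:\\ProgramData\\mdutil\\MidlrtMd.dll"},
    {"EventID": 7, "Computer": "WS01", "Image": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe",
     "ImageLoaded": "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\midlrtmd.dll"},
    {"EventID": 22, "Computer": "WS01", "QueryName": "api.microsoftfileapis.com",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": 3, "Computer": "WS01", "Image": "C:\\Windows\\System32\\notepad.exe",
     "DestinationIp": "8.219.167.156", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS01", "Image": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
     "DestinationIp": "142.250.72.14", "DestinationPort": 443},
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the constructed sample the script reports four findings: the sideloaded DLL in ProgramData, the C2 DNS query, the connection to the C2 IP, and notepad.exe talking to a public address; the SDK copy of midlrtmd.dll, the legitimate comm100.io lookup and the browser traffic are left alone. The notepad rule is the most durable of the three, since it survives the actor rotating domains and IPs.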
"Additionally, CrowdStrike Intelligence assesses with moderate confidence that this actor likely has a China nexus. This assessment is based on the presence of Chinese-language comments in the malware, aforementioned tactics, techniques and procedures (TTPs), and the connection to the targeting of online gambling entities in East and Southeast Asia — a previously established area of focus for China-nexus targeted intrusion actors. CrowdStrike Intelligence customers have access to additional reporting related to this actor."
The report includes Indicators of Compromise (IoCs) for this attack.
(SecurityAffairs – hacking, Comm100)