Threat Actor Distributed Malware Via Live Chat Installer Containing Trojan

A threat actor recently delivered malware via an installer containing a Trojan horse for a legitimate Comm100 desktop-based live chat application that is used by organizations around the world.

The signed and trojanized installer was available for download on the official Comm100 website from at least September 27 until the morning of September 29, according to CrowdStrike, in a report first covered by Reuters. Comm100, which makes customer engagement software that powers live chat, chatbots, ticketing, social media and messaging tools, removed the trojanized installer on September 29 and released an updated version (10.0.9).

“The file containing a Trojan horse has been identified in organizations in the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors in North America and Europe,” according to CrowdStrike researchers in a Friday analysis.

While further information on the specific number of victimized organizations was not disclosed, CrowdStrike researchers said that Comm100 has more than 15,000 customers in 51 countries, “so the possibility of customers and industries being affected is widespread”.

The trojanized installer in question was signed on September 26 with a valid certificate from Comm100 Network Corporation. Researchers discovered that the installer contains a JavaScript backdoor that downloads and executes a second-stage script, consisting of obfuscated JavaScript that provides the threat actor with remote shell functionality. Researchers also observed what they assessed to be likely follow-up activity, in which the threat actor installed additional malicious files on the impacted host, including a malicious loader DLL. This DLL executed an in-memory shellcode payload and injected an embedded payload into a new instance of notepad.exe, which then connected to a C2 domain controlled by the attacker. The malicious loader DLL was executed by the legitimate Microsoft Metadata Merge Utility (mdmerge.exe) via DLL search order hijacking, the researchers said.
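Two of the behaviours described above leave telemetry a defender can alert on: a signed Microsoft utility (mdmerge.exe) loading a DLL from a directory it would not normally load from, and notepad.exe opening an outbound network connection. The following is an added example of that detection logic run over constructed endpoint events; it is not code from the report, from CrowdStrike, or from Comm100, and the event format, hostnames, file paths and the C2 placeholder are all assumptions.

```python
"""Detection logic over constructed endpoint telemetry (added example).

Modelled behaviours from the report:
  1. mdmerge.exe loading a DLL from outside the Windows system directories,
     the observable side of a DLL search order hijack.
  2. notepad.exe making an outbound connection, the observable side of an
     injected payload beaconing to C2.
Every event below is a constructed sample, not telemetry from the incident.
"""
from dataclasses import dataclass
from typing import List

# Directories from which a signed Windows utility is expected to resolve its
# DLLs. Assumption: a standard Windows install; tune for your environment.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Images that have no legitimate reason to open outbound connections.
NO_NETWORK_IMAGES = {"notepad.exe"}


@dataclass
class Event:
    kind: str         # "image_load" | "network" | "process_create"
    host: str
    image: str        # full path of the running process image
    target: str = ""  # DLL path for image_load, destination for network


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_dll_hijack(events: List[Event]) -> List[str]:
    """Flag mdmerge.exe loading any DLL from outside the trusted directories."""
    hits = []
    for e in events:
        if e.kind != "image_load" or _basename(e.image) != "mdmerge.exe":
            continue
        if not e.target.lower().startswith(TRUSTED_DLL_DIRS):
            hits.append(f"{e.host}: mdmerge.exe loaded {e.target} "
                        f"from an untrusted directory")
    return hits


def detect_unexpected_network(events: List[Event]) -> List[str]:
    """Flag outbound connections from images that should never make them."""
    hits = []
    for e in events:
        if e.kind == "network" and _basename(e.image) in NO_NETWORK_IMAGES:
            hits.append(f"{e.host}: {_basename(e.image)} connected to {e.target}")
    return hits


# Constructed sample events: two benign, two matching the reported behaviour.
SAMPLE_EVENTS = [
    # Benign: mdmerge.exe from a Windows Kits path loading a system DLL.
    Event("image_load", "ws-01",
          r"C:\Program Files (x86)\Windows Kits\10\bin\x64\mdmerge.exe",
          r"C:\Windows\System32\kernel32.dll"),
    # Suspicious: mdmerge.exe copied to a user-writable directory and loading
    # a DLL planted beside it (file name is a constructed placeholder).
    Event("image_load", "ws-01",
          r"C:\Users\alice\AppData\Local\Temp\mdmerge.exe",
          r"C:\Users\alice\AppData\Local\Temp\example_loader.dll"),
    # Benign: a browser making an outbound connection.
    Event("network", "ws-02",
          r"C:\Program Files\Mozilla Firefox\firefox.exe",
          "203.0.113.10:443"),
    # Suspicious: notepad.exe beaconing out (destination is a placeholder).
    Event("network", "ws-01",
          r"C:\Windows\System32\notepad.exe",
          "c2-placeholder.example:443"),
    # Ignored by both rules.
    Event("process_create", "ws-01", r"C:\Windows\System32\cmd.exe"),
]


def run(events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    """Run both rules and return the combined list of alerts."""
    return detect_dll_hijack(events) + detect_unexpected_network(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Both rules key on the legitimate binary's expected behaviour rather than on any hash or domain from the incident, so they keep firing if the loader DLL or the C2 infrastructure changes; in production they would sit on image-load and network-connection telemetry (Sysmon event IDs 7 and 3, or the EDR equivalent) and be scoped to the hosts where the Comm100 client was installed.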

“The payload delivered in this supply chain attack differs from payloads identified in previous incidents related to the same actor, targeting online gambling entities in Asia,” researchers said. However, they stated that “the recent activity differs from the activity targeting online gambling in both the target scope and the supply chain attack mechanism providing a Trojan horse application through the Comm100 website”.

The researchers also assessed with moderate confidence that the attacker is “likely” a China-nexus threat actor, due in part to the Chinese-language comments in the malware, its tactics, and its connection to intelligence entities. Online gambling in East and Southeast Asia, they noted, is a previously established target area of China-nexus intrusion actors. According to CrowdStrike, assessments are made with moderate confidence when they are based on information “whose source is credible and plausible, but not in sufficient quantity or sufficiently substantiated to warrant a higher level of confidence”.

Comm100, which is based in Canada, did not immediately respond to a request for comment. According to CrowdStrike, Comm100 said it was performing a root cause analysis to obtain additional information about the incident.
