The official installer for the Comm100 Live Chat application, a widely deployed SaaS (software-as-a-service) product that businesses use to communicate with customers and website visitors, was trojanized as part of a new supply-chain attack.
A report from CrowdStrike says that the infected variant was available from the vendor’s website from at least September 26 until the morning of September 29.
Because the trojanized installer used a valid digital signature, antivirus solutions would not trigger warnings during its launch, allowing for a stealthy supply-chain attack.
Backdoor details
CrowdStrike says that the attackers implanted a JavaScript backdoor into the “main.js” file that is present in the following versions of the Comm100 Live Chat installer:
- 10.0.72 with SHA256 Hash 6f0fae95f5637710d1464b42ba49f9533443181262f78805d3ff13bea3b8fd45
- 10.0.8 with SHA256 Hash ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86
The backdoor fetches a second-stage obfuscated JS script from a hard-coded URL (“http[:]//api.amazonawsreplay[.]com/livehelp/collect”), which gives the attackers remote shell access to the victimized endpoints via the command line.
CrowdStrike observed post-compromise activity such as deploying malicious loaders (“MidlrtMd.dll”) that use the DLL search-order hijacking technique to load the payload within the context of legitimate Windows processes like “notepad.exe”, running directly from memory.
The loader fetches the final payload (“license”) from the C2 and uses a hard-coded RC4 key to decrypt it.
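The two indicators the report spells out, the SHA256 digests of the trojanized installer builds and the hard-coded second-stage URL in “main.js”, can be checked locally. The following script is an added example written for this article, not CrowdStrike’s or Comm100’s code; it assumes the installer file and the installed main.js are readable on disk and that the C2 host is matched in both live and defanged form.

```python
"""Check a Comm100 Live Chat installer and its main.js against the IoCs named in the report."""
import hashlib
import sys
from pathlib import Path
from typing import Optional

# SHA256 digests of the two trojanized installer builds listed in the CrowdStrike report.
TROJANIZED_INSTALLERS = {
    "6f0fae95f5637710d1464b42ba49f9533443181262f78805d3ff13bea3b8fd45": "10.0.72",
    "ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86": "10.0.8",
}

# Second-stage C2 host from the report (published defanged as api.amazonawsreplay[.]com).
C2_HOST = "api.amazonawsreplay.com"


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of in-memory bytes (the installer contents read from disk)."""
    return hashlib.sha256(data).hexdigest()


def match_installer_digest(digest: str) -> Optional[str]:
    """Return the trojanized version label if the digest is a known-bad build, else None."""
    return TROJANIZED_INSTALLERS.get(digest.strip().lower())


def find_c2_indicator(js_text: str) -> bool:
    """True if main.js references the hard-coded C2 host, whether live or defanged.

    Defanging brackets such as [.] are stripped before matching so a copy of the
    indicator pasted from a report is caught as well as the real string.
    """
    normalized = js_text.replace("[", "").replace("]", "").lower()
    return C2_HOST in normalized


def scan_installer(installer: Path, main_js: Optional[Path] = None) -> dict:
    """Hash the installer and, if main.js is supplied, look for the C2 host inside it."""
    digest = sha256_hex(installer.read_bytes())
    result = {"sha256": digest, "trojanized_version": match_installer_digest(digest), "c2_reference": False}
    if main_js is not None:
        result["c2_reference"] = find_c2_indicator(main_js.read_text(errors="ignore"))
    return result


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_comm100.py <installer.exe> [main.js]")
    report = scan_installer(*[Path(p) for p in sys.argv[1:3]])
    print(report)
    sys.exit(1 if report["trojanized_version"] or report["c2_reference"] else 0)
```

A clean result only means the file is not one of the two listed builds and main.js does not carry the published host; it does not clear an endpoint on which the backdoor already ran.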
China-based attacker suspected
CrowdStrike attributes the attack with medium confidence to China-based threat actors and, more specifically, to a cluster that was previously seen targeting Asian online gambling entities.
This is based on the following characteristic techniques and findings:
- the use of chat software to deliver malware
- the use of the Microsoft Metadata Merge Utility binary to load a malicious DLL named MidlrtMd.dll
- domain-naming convention for the command and control (C2) servers using Microsoft and Amazon-themed domains along with ‘api.’ subdomains
- C2 domains are hosted on Alibaba infrastructure
- the code for the final payload contains comments in Chinese
The researchers reported the problem to Comm100 and the developer released a clean installer, version 10.0.9. Users are strongly advised to update the Live Chat application immediately.
At this time, Comm100 has not provided an explanation about how the attackers managed to gain access to its systems and poison the legitimate installer.
Yesterday, the Canadian Centre for Cyber Security published an alert about the incident to help raise awareness among organizations that may be using a trojanized version of the Comm100 Live Chat product.
In the post, the agency highlights that upgrading to the latest, non-trojanized version isn’t enough to eliminate the risk of compromise because threat actors may have already established persistence.
For more details regarding the signs of infection and the indicators of compromise, check the bottom section of CrowdStrike’s report.
Source: www.bleepingcomputer.com