Comm100 installer delivered backdoor
A validly signed Comm100 Live Chat Windows installer downloaded from the vendor website carried a JavaScript backdoor. The payload gave the attacker remote shell access and staged follow-on loaders against customers in several sectors.
Story
Comm100 was a live-chat and customer engagement vendor. Its Windows Agent Console was a trusted desktop application for support staff. In late September 2022, that trust boundary failed: customers could download a signed installer from Comm100 infrastructure that contained a backdoor.
CrowdStrike observed the attack from at least September 27 through the morning of September 29. The trojanized installer was signed on September 26 with a valid Comm100 Network Corporation certificate, so the package looked like normal vendor software. The Canadian Centre for Cyber Security later said the installer was last reported infected and accessible for download on September 29.
The malicious 10.0.8 Electron application contained a JavaScript backdoor in main.js inside the embedded ASAR archive. It downloaded a second-stage script from api.amazonawsreplay.com, gathered host data, and exposed remote shell functionality through cmd.exe. Follow-on activity dropped MidlrtMd.dll, used DLL search-order hijacking with mdmerge.exe, decrypted a license payload with a hard-coded RC4 key, and injected shellcode into notepad.exe.
CrowdStrike assessed with moderate confidence that the actor likely had a China nexus, based on malware comments, C2 naming, Alibaba-hosted infrastructure, and overlap with targeting of online gambling entities in East and Southeast Asia. The Cyber Centre reported active compromise and advised more than simple product removal. Comm100 published a clean 10.0.9 installer and remediation guidance for 10.0.8.
Affected Artifacts
- Observed: 2022-09-27 to 2022-09-29
- Fixed: 10.0.9
- Hashes:
  - sha256:6f0fae95f5637710d1464b42ba49f9533443181262f78805d3ff13bea3b8fd45
  - sha256:ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86
- Evidence:
  - distribution: dash11.comm100.io/livechat/electron/10000/Comm100LiveChat-Setup-win.exe, distribution: comm100.com/livechat/platform/desktopapp/Comm100LiveChatSetup.exe, mirror: crowdstrike.com/en-us/blog/new-supply-chain-attack-leverages-comm100-chat-installer, mirror: virustotal.com/gui/file/6f0fae95f5637710d1464b42ba49f9533443181262f78805d3ff13bea3b8fd45, +17 more
  - CrowdStrike reported that a malicious 10.0.72 build carried the same backdoor but was not observed in the wild; the Cyber Centre listed both 10.0.72 and 10.0.8 as affected.
  - The installer was signed on 2022-09-26 14:54:00 UTC with a valid Comm100 Network Corporation certificate.
Incident Context
- Motive: Espionage, Initial Access
- Attribution: Group
- Cause: Website Compromise
- Transitive: No
- Actor: China-nexus threat actor
- User Impact: 1000
External References
- CrowdStrike Falcon Platform Identifies Supply Chain Attack via a Trojanized Comm100 Chat Installer (crowdstrike.com)
- Supply chain compromise impacting Comm100 Live Chat software - Update 1 (cyber.gc.ca)
- Live support service hacked to spread malware in supply chain attack (bleepingcomputer.com)
- Trojanized Comm100 Live Chat app installer distributed a JavaScript backdoor (securityaffairs.com)
- Comm100 Chat Provider Hacked To Spread Malware In Supply Chain Attack - Active IOCs (rewterz.com)
- Commercial chat provider hijacked to spread malware in supply chain attack (therecord.media)
- Comm100 Installer Abused in Supply Chain Attack to Distribute Malware (socradar.io)
Source record: proprietary/com100/meta.yaml