The official installer of the Comm100 Live Chat SaaS application, which is widely used by companies to communicate with customers and website visitors, has been infected with a Trojan.
The malicious version of the application was distributed through the vendor’s own website from at least September 26 to September 29, 2022. As a result, organizations in North America and Europe in the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors were infected.
Let me remind you that we also reported that the FBI warned about an increase in supply chain attacks, and that a researcher compromised 35 companies through a new “dependency confusion” attack.
The problem was discovered by researchers from CrowdStrike. According to them, the trojanized installer was signed with a valid Comm100 Network Corporation digital signature, so the attack was not immediately detected. The two infected builds identified were:
- 0.72 with SHA256 hash 6f0fae95f5637710d1464b42ba49f9533443181262f78805d3ff13bea3b8fd45;
- 0.8 with SHA256 hash ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86.
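Because the signature on the trojanized installer was valid, signature checking alone would not have caught it. The following PowerShell triage function is an added example (not code from the article or from CrowdStrike) that combines Authenticode status with the two SHA256 hashes quoted above; the function name is a hypothetical one chosen for this example.

```powershell
# Added example: triage a downloaded Comm100 installer on Windows.
# The hashes are the two reported for the trojanized builds; the function
# name Test-Comm100Installer is hypothetical.
$KnownBadSha256 = @{
    '6F0FAE95F5637710D1464B42BA49F9533443181262F78805D3FF13BEA3B8FD45' = '0.72'
    'AC5C0823D623A7999F0DB345611084E0A494770C3D6DD5FEEBA4199DEEE82B86' = '0.8'
}

function Test-Comm100Installer {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # Get-FileHash returns uppercase hex, matching the keys in $KnownBadSha256.
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToUpperInvariant()
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Hash match wins over signature status: in this incident the bad builds were validly signed.
    $verdict = if ($KnownBadSha256.ContainsKey($hash)) {
        "MALICIOUS: matches trojanized build $($KnownBadSha256[$hash])"
    } elseif ($sig.Status -ne 'Valid') {
        "SUSPICIOUS: signature status is $($sig.Status)"
    } else {
        "NO KNOWN IOC MATCH: valid signature, hash not in list (not proof of safety)"
    }

    [pscustomobject]@{
        Path            = $Path
        SHA256          = $hash
        SignatureStatus = $sig.Status
        Signer          = $signer
        Verdict         = $verdict
    }
}

# Usage (path is a placeholder):
# Test-Comm100Installer -Path 'C:\Downloads\Comm100LiveChat-Setup.exe'
```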
The researchers say the backdoor retrieved an obfuscated JavaScript payload from the hard-coded URL “http[:]//api.amazonawsreplay[.]com/livehelp/collect”, which ultimately gave the attackers remote shell access to the infected machine.
After the initial compromise, the experts observed the deployment of a malicious loader (MidlrtMd.dll) used to run payloads inside legitimate Windows processes such as notepad.exe, executing them directly from memory. The loader retrieved the final payload (“license”) from the attackers’ control server and decrypted it with a hard-coded RC4 key.
CrowdStrike experts attribute this attack to Chinese hackers, specifically a cluster that previously targeted online gambling organizations in East and Southeast Asia.
The researchers reported the problem to the Comm100 developers, who have since released a clean installer, version 10.0.9. Users are strongly advised to update the Comm100 Live Chat application as soon as possible.
At the moment, Comm100 representatives have not said how the attackers gained access to the company’s systems and infected the installer with malware.