A JavaScript backdoor gets injected into Comm100’s app installer

October 5, 2022

Recent reports disclosed that China-based threat actors have been distributing a JavaScript backdoor through a trojanised Comm100 Live Chat application installer. Comm100 is a company that provides communication and customer service solutions to its clients, serving over 200,000 organisations worldwide.

According to reports on this issue, the threat actors first compromised the firm’s internal systems and then trojanised a signed Comm100 desktop agent application for Windows that anyone can download from the firm’s official website. The backdoored installer was distributed to companies in Europe and North America across the healthcare, technology, industrial, insurance, manufacturing, and telecom sectors.

The trojanised app installer was signed on September 26 with a valid Comm100 Network Corporation certificate and remained available for download until September 29.


The threat actors embedded a JavaScript backdoor in the Comm100 app installer to give themselves a covert remote shell on infected machines.


As part of their post-exploitation activity, the threat actors also deployed a malicious DLL loader, MidlrtMd[.]dll, which runs in-memory shellcode that injects a further payload into a newly spawned Notepad process.

Experts note that supply chain attacks have become a highly prevalent strategy for threat actors, who compromise popular software tools in order to reach the tools’ entire user base.

The researchers attributed this ongoing Comm100 campaign to Chinese threat actors based on Chinese-language comments found in the malware. The campaign has also targeted online gambling companies in Asia.

However, the security researchers have yet to determine how the attackers infiltrated Comm100’s internal systems to poison the app installer and spread malware to its downstream users. For now, the researchers conclude that the threat group behind this campaign could be expanding its arsenal of malicious payloads.

Neither the way the firm was breached nor the name of the threat group has been identified yet. More updates on this issue will be shared once the relevant parties provide further input.
