The official installer for the Comm100 Live Chat Option that businesses use for customer communication has been trojanized as part of a new supply-chain attack. Researchers at CrowdStrike reported that the infected variant became available on September 26 and was active until September 29. The trojanized installer carried a valid digital signature, which would have stopped most anti-virus solutions from identifying it as malicious. The attacker implanted a JavaScript backdoor in the software which runs when downloaded. This backdoor then fetches a second-stage obfuscated script from a hard-coded URL, which gives the attackers remote shell access to the infected endpoints via the command line. Researchers have attributed this attack to a Chinese-speaking threat group, and more specifically to a cluster that has reportedly been targeting the Asian gambling community.
Analyst Notes
CrowdStrike informed Comm100 of the attack on their software and the company immediately released a clean version on their website. It is recommended that anyone with the software installed ensure they are running the latest version so that they remain protected. Companies should look into a service, such as Binary Defense’s Managed Detection and Response, that can look for abnormalities on endpoints and within networks in order to identify threats capable of bypassing traditional anti-virus.
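The behaviour chain described above (a signed installer whose embedded JavaScript backdoor fetches a second stage and then hands the attacker a command shell) is exactly the kind of endpoint abnormality the notes recommend hunting for. The following Python script is an added example of that detection logic; it is not code from Binary Defense, CrowdStrike or Comm100. It parses a constructed, simplified process-and-network event log (the field layout, timestamps, file names such as `livechat-installer.exe` and the destination `second-stage.invalid` are all made up for this example) and flags any installer process that spawns a command interpreter, attaching the installer's outbound connections as triage context.

```python
"""Flag installer processes that spawn a command shell, with their network
connections attached for triage. Log format and every event below are
constructed for this example; they are not artefacts from the incident."""
import re
from collections import defaultdict

# Constructed sample: one installer that connects out and then spawns cmd.exe,
# and one benign installer that only launches its own helper.
SAMPLE_EVENTS = """\
2022-09-27T10:01:02 pid=4100 ppid=900 image=C:\\Users\\a\\Downloads\\livechat-installer.exe event=process_create
2022-09-27T10:01:05 pid=4100 ppid=900 image=C:\\Users\\a\\Downloads\\livechat-installer.exe event=network_connect dest=second-stage.invalid
2022-09-27T10:01:09 pid=4212 ppid=4100 image=C:\\Windows\\System32\\cmd.exe event=process_create
2022-09-27T10:02:00 pid=5000 ppid=900 image=C:\\Users\\a\\Downloads\\editor-setup.exe event=process_create
2022-09-27T10:02:03 pid=5001 ppid=5000 image=C:\\Users\\a\\Downloads\\helper.exe event=process_create
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) image=(?P<image>.+?) "
    r"event=(?P<event>\w+)(?: dest=(?P<dest>\S+))?$"
)

# Interpreters an installer should not be launching (assumption: tune per environment).
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def is_installer(image):
    """Heuristic naming rule for installer binaries (assumption, not a vendor list)."""
    name = basename(image)
    return name.endswith("installer.exe") or name.endswith("setup.exe")


def find_suspicious_installers(text):
    """Return one alert per installer process that spawned a shell interpreter."""
    events = parse_events(text)
    image_by_pid = {}
    children = defaultdict(list)   # ppid -> child process_create events
    net_dests = defaultdict(list)  # pid  -> outbound destinations
    for e in events:
        if e["event"] == "process_create":
            image_by_pid[e["pid"]] = e["image"]
            children[e["ppid"]].append(e)
        elif e["event"] == "network_connect" and e["dest"]:
            net_dests[e["pid"]].append(e["dest"])

    alerts = []
    for pid, image in image_by_pid.items():
        if not is_installer(image):
            continue
        spawned = [basename(c["image"]) for c in children[pid]
                   if basename(c["image"]) in SHELL_IMAGES]
        if spawned:  # shell spawn is the high-confidence signal
            alerts.append({
                "pid": pid,
                "image": image,
                "spawned": spawned,
                "network": net_dests[pid],  # context: where the second stage may have come from
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_installers(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} {alert['image']} spawned={alert['spawned']} "
              f"network={alert['network']}")
```

The shell spawn is the trigger rather than the network connection because legitimate installers routinely download components; an outbound connection alone would be noisy, whereas an installer handing control to `cmd.exe` or a script host rarely is. Real telemetry (Sysmon, EDR process trees) carries the same parent/child and network fields, so the rule transfers once the parser is swapped for the real event format.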
https://www.bleepingcomputer.com/news/security/live-support-service-hacked-to-spread-malware-in-supply-chain-attack/