The CrowdStrike Falcon platform identified a supply chain attack in which a trojanized, validly signed Comm100 Live Chat installer delivered a backdoor. The activity, with a suspected China nexus, involved a second-stage script, a loader DLL, and multiple C2 domains; Comm100 released an updated installer (10.0.9) in response.
#Comm100 #CrowdStrike #Falcon #SupplyChainAttack #TrojanizedInstaller #ChinaNexus #LiveChat
Key points
- The CrowdStrike Falcon platform detected a new supply chain attack during the installation of a chat-based customer engagement platform (Comm100 Live Chat).
- The attack used a signed Comm100 installer from the vendor’s site that delivered malware to affected systems.
- A trojanized installer for Comm100 Live Chat was observed across organizations in North America and Europe, spanning multiple sectors.
- CrowdStrike assesses with moderate confidence a China nexus for the actor behind the activity.
- Comm100 released an updated installer (10.0.9) in response to responsible disclosure of the compromise.
- Falcon’s ML/IOA-based detections blocked second-stage activities and provided real-time mitigation, with ongoing threat hunting by OverWatch teams.
MITRE Techniques
- [T1195] Supply Chain Compromise – The attackers delivered malware via a signed Comm100 installer that could be downloaded from the company’s website as recently as the morning of September 29, 2022. ‘Malware was delivered via a signed Comm100 installer that could be downloaded from the company’s website as recently as the morning of September 29, 2022.’
- [T1105] Ingress Tool Transfer – The backdoor downloads and executes a second-stage script from URL http[:]//api.amazonawsreplay[.]com/livehelp/collect. ‘The backdoor downloads and executes a second-stage script from URL http[:]//api.amazonawsreplay[.]com/livehelp/collect.’
- [T1218] Signed Binary Proxy Execution – The attacker loaded a malicious DLL named MidlrtMd.dll executed by a legitimate copy of a Microsoft Metadata Merge Utility (mdmerge.exe) binary via DLL search-order hijacking. ‘executed by a legitimate copy of a Microsoft Metadata Merge Utility (mdmerge.exe) binary via DLL search-order hijacking.’
- [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – A loader DLL MidlrtMd.dll was loaded through DLL search-order hijacking using a legitimate mdmerge.exe binary. ‘via DLL search-order hijacking.’
- [T1059.003] Windows Command Shell – The backdoor provides remote shell functionality by spawning a new instance of cmd.exe. ‘spawning a new instance of cmd.exe.’
- [T1082] System Information Discovery – The backdoor gathers host information before providing the actor with remote shell functionality. ‘gathers host information before providing the actor with remote shell functionality by spawning a new instance of cmd.exe.’
- [T1027] Obfuscated/Encrypted Files and Information – The second-stage script consists of obfuscated JS containing a backdoor and RC4-encrypted payload. ‘The second-stage script consists of obfuscated JS containing a backdoor that gathers host information before providing the actor with remote shell functionality by spawning a new instance of cmd.exe.’
- [T1055] Process Injection – The decrypted payload injects an embedded payload into a new instance of notepad.exe. ‘injected into an embedded payload into a new instance of notepad.exe.’
- [T1071.001] Web Protocols – C2 communications to api.amazonawsreplay[.]com and related domains. ‘C2 domain-naming convention using Microsoft and Amazon-themed domains along with api. subdomains’ and ‘The backdoor connects to the malicious C2 domain api.microsoftfileapis[.]com.’
Indicators of Compromise
- [Hash] Trojanized Comm100 application executables – 6f0fae95f5637710d1464b42ba49f9533443181262f78805d3ff13bea3b8fd45, ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86
- [File] Affected files on disk – C:\ProgramData\Cisco Core\CoreConnect.exe, C:\ProgramData\Cisco Core\MidlrtMd.dll
- [Certificate] Signing certificate thumbprint – d65cdc6b3a6738951f59d4ec8cc7d42f330c6d59
- [Domain] Command-and-control domains – api.amazonawsreplay.com, api.microsoftfileapis.com
- [URL] C2 and staging endpoints – http://api.amazonawsreplay.com/collect_log, http://api.amazonawsreplay.com, http://api.amazonawsreplay.com/livehelp/init, http://api.amazonawsreplay.com/livehelp/collect
- [IP] C2 host – 8.219.167.156
- [File/Process] Related executable name – Comm100 Live Chat.exe
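As an added example (not part of the CrowdStrike report), a small hunting script that checks simplified, Sysmon-style telemetry records against the indicators listed above and the two behaviours the technique list describes: mdmerge.exe loading MidlrtMd.dll from outside the Windows directory, and the chat client or CoreConnect.exe spawning cmd.exe. The event records, their field names, and any file location not listed above are constructed assumptions.

```python
from typing import Iterable

# Indicators copied from the IoC list above (hashes, C2 domains, signing cert).
BAD_HASHES = {"6f0fae95f5637710d1464b42ba49f9533443181262f78805d3ff13bea3b8fd45",
              "ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86"}
BAD_DOMAINS = {"api.amazonawsreplay.com", "api.microsoftfileapis.com"}
BAD_CERT_THUMBPRINT = "d65cdc6b3a6738951f59d4ec8cc7d42f330c6d59"

def triage(events: Iterable[dict]) -> list[str]:
    """Return one finding per event that matches an indicator above or one of
    the behaviours described in the technique list (hijack, remote shell)."""
    findings = []
    for e in events:
        t = e.get("type")
        image = e.get("image", "").lower()
        if t == "process_create":
            if e.get("sha256", "").lower() in BAD_HASHES:
                findings.append(f"hash match: {e['image']}")
            if e.get("cert_thumbprint", "").lower() == BAD_CERT_THUMBPRINT:
                findings.append(f"signing cert match: {e['image']}")
            # The backdoor spawns cmd.exe; the chat client as parent is the tell.
            parent = e.get("parent", "").lower()
            if image.endswith("cmd.exe") and \
                    parent.endswith(("comm100 live chat.exe", "coreconnect.exe")):
                findings.append(f"remote shell: {e['parent']} -> cmd.exe")
        elif t == "image_load":
            # Legitimate mdmerge.exe loading MidlrtMd.dll from outside the Windows
            # directory is the DLL search-order hijack described above.
            loaded = e.get("loaded", "").lower()
            if image.endswith("mdmerge.exe") and loaded.endswith("midlrtmd.dll") \
                    and not loaded.startswith("c:\\windows\\"):
                findings.append(f"DLL search-order hijack: {e['loaded']}")
        elif t == "dns_query" and e.get("query", "").lower() in BAD_DOMAINS:
            findings.append(f"C2 domain: {e['query']}")
    return findings

# Constructed sample telemetry (simplified Sysmon-like fields), not real captures.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Temp\Comm100 Live Chat.exe",  # path assumed
     "sha256": "6f0fae95f5637710d1464b42ba49f9533443181262f78805d3ff13bea3b8fd45",
     "cert_thumbprint": "d65cdc6b3a6738951f59d4ec8cc7d42f330c6d59"},
    {"type": "image_load", "image": r"C:\ProgramData\Cisco Core\mdmerge.exe",  # assumed
     "loaded": r"C:\ProgramData\Cisco Core\MidlrtMd.dll"},
    {"type": "dns_query", "query": "api.amazonawsreplay.com"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\ProgramData\Cisco Core\CoreConnect.exe"},
    {"type": "dns_query", "query": "api.example.com"},  # benign, must not match
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_EVENTS)))
```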
Read more: https://www.crowdstrike.com/blog/new-supply-chain-attack-leverages-comm100-chat-installer/