Trend Micro’s report reveals a supply-chain campaign that trojanized Comm100 and LiveHelp100 installers to deploy a JavaScript backdoor and multiple modules within Electron-based chat apps. The attackers used HTTP and WebSocket C2 channels to exfiltrate data, control compromised hosts, and push updated payloads across the infection chain. #Comm100 #LiveHelp100 #IronTiger #WaterLabbu #ElectronJS #WebSocket #Aliyun #qiongdechitu
Keypoints
- Attackers distributed trojanized Comm100 installers; the activity is both broader and older than the initial September 2022 discovery suggested.
- LiveHelp100 was also weaponized, with backdoor loading from attacker infrastructure since Aug 8, 2022 and a JavaScript backdoor observed as early as February 2022.
- The infection chain includes a second-stage script that trojanizes LiveHelp100 by modifying the app's ASAR resource archive, replacing the main script with a new one, and having that script load a JavaScript backdoor over HTTP.
- A later October 2022 chain drops rcmdhelper.exe together with kdump64.dll and Copyright.txt; the executable sideloads the DLL, which decrypts the payload and loads additional modules written in Golang (maisui, webtoken, webcallinfo, webscreen).
- The campaign exfiltrates extensive machine data (IP, device, user, processes, Windows product, event logs, browser/Skype/Telegram presence, monitors) to a C2 server and can load extra modules from remote URLs.
- Later variants add anti-debugging, repeated deletion of files in the app directory, checks for an open remote-debugging port, and browser data theft (cookies/history), modifying browser shortcuts so the browser starts with remote debugging enabled.
MITRE Techniques
- [T1195] Supply Chain Compromise – ‘a supply-chain attack carried out by malicious actors using a trojanized installer of Comm100, a chat-based customer engagement application.’
- [T1071.001] Web Protocols – ‘The backdoor sends the following victim information using HTTP POST request to initiate the communication with the command-and-control (C&C) server 8[.]219[.]76[.]37.’
- [T1113] Screen Capture – ‘The webscreen module takes screenshots and uploads them also in the same manner as webcallinfo.’
- [T1059.007] JavaScript – ‘The second-stage script … The backdoor receives commands from the C&C server. It supports two commands: first, the shell command to allow malicious actors to run a shell command in a newly spawned cmd.exe process, and second, the execute command to allow them to execute any JavaScript code on the victims’ machines.’
- [T1082] System Information Discovery – ‘Get machine information, such as the following: IP address, Device name, Username, Running process name, Windows product name, Events with event IDs 6005, 6006 … The machine information is then sent as a binary structure in unencrypted form to the C&C server.’
- [T1555.003] Credentials from Web Browsers – ‘Steal browser history and cookies files’ (and related browser data accessed by modules such as webcallinfo/webtoken). Note that T1555.003 covers stored browser credentials; cookie theft maps more precisely to T1539 Steal Web Session Cookie and history theft to T1217 Browser Information Discovery.
- [T1574.001] Hijack Execution Flow: DLL Side-loading – ‘The second-stage script drops three files … The script executes the executable file to sideload the decryptor DLL file.’
- [T1070.004] File Deletion – ‘A thread to repetitively delete files from %LOCALAPPDATA%\Programs\Comm100LiveChat\resources\app directory.’
- [T1041] Exfiltration Over C2 Channel – ‘The machine information is then sent as a binary structure in unencrypted form to the C&C server.’
- [T1112] Modify Registry – ‘Encrypt the data again, this time with password derived from the computer name, then store encrypted data in registry and delete the third binary file.’
- [T1105] Ingress Tool Transfer – ‘Download, decrypt, and load from the URLs …down/maisui module’, ‘…down/webtoken module’, ‘…down/webcallinfo module’, etc.
Indicators of Compromise
- [Domain] C2 and delivery domains – service.livehelpl00service.com (collect, init)
- [Domain] LiveHelp/related domains – s.livelyhellp.chat, livelyhellp.chat, static-files.livelyhellp.chat
- [Domain] Cloud/OSS domains – analyaze.s3amazonbucket.com, files.amazonawsgarages.com:888, qiongdechitu (Aliyun bucket)
- [IP] C2 server – 8.219.76.37
- [IP] Additional C2/loader endpoints – 8.218.67.52:18024
- [URL] Initial backdoor JavaScript loader – analyaze.s3amazonbucket.com/livechat/dll/tinymce.share.js
- [Domain] Backup/load update endpoints – static-files.livelyhellp.chat:888
- [File] rcmdhelper.exe, kdump64.dll, Copyright.txt, 7.zip, html.xml, log.bsh (trojanized components and payloads)
- [File] C:\Users\Public\Folder.zip (update payload packaging reference)