Probing Weaponized Chat Applications Abused in Supply-Chain Attacks

This report examines the infection chain and the pieces of malware used by malicious actors in supply-chain attacks that leveraged trojanized installers of chat-based customer engagement platforms.

In late September 2022, threat researchers uncovered a supply-chain attack carried out by malicious actors using a trojanized installer of Comm100, a chat-based customer engagement application. Our investigation of the incident revealed that the breadth and depth of the campaign’s impact were greater than what the researchers had initially thought; we also found that more applications and their respective versions had been affected and established that attacks began much earlier than their first reckoning on Sept. 29, 2022.

Data from our telemetry suggested that some versions of a similar customer engagement software, LiveHelp100 has also been weaponized. LiveHelp100 shares the same office address as Comm100, and both share one director. Findings from our investigation that began on Oct. 14, 2022  indicated that the client application had been loading backdoor scripts from the malicious actor’s infrastructure since Aug. 8, 2022. It is also worth noting that we were able to identify a JavaScript backdoor injected in the web application of LiveHelp100 as early as February 2022. We have sent messages to LiveHelp100 but have received no reply.

We could not determine, however, if the trojanized versions of LiveHelp100 were delivered using a similar supply-chain attack on its official website as Comm100 because the installers were not available when we were conducting our research. Our telemetry detected requests made by some of LiveHelp100’s clients to load JavaScript backdoors, likely the same ones that we had previously observed in the supply-chain attack on the Comm100 application.  This prompted us to examine the infection chain more closely, enabling us to identify additional pieces of malware that the malicious actors employed in their campaign.

Interestingly, we also discovered that some of the victims that had been targeted with the more advanced stages of the malware deployment were personnel of online gambling platforms that have access to the administration panel of their respective websites, suggesting that this might also be one of the campaign’s objectives.

Analysis of JavaScript backdoor

The Windows and macOS versions of the LiveHelp100 client application are developed with the Electron.js runtime framework. Data from our telemetry revealed two versions of this application, 11.0.2 and 11.0.3, that have been attempting to communicate with the following URL since August 8, 2022:

  •       hxxp[:]//service[.]livehelpl00service[.]com/livehelp/collect

The payload returned from the URL is an obfuscated JavaScript code with backdoor functions for execution by the trojanized Electron.js applications. The URL format and backdoor functions are the same as those mentioned in the threat researchers’ report on the Comm 100 attack that we cited earlier. The backdoor sends the following victim information using HTTP POST request to initiate the communication with the command-and-control (C&C) server 8[.]219[.]76[.]37:

  1. Computer name
  2. Username
  3. The process list retrieved from tasklist command
  4. The product ID value stored in the registry
  5. The email information stored in a data file of the LiveHelp100 application

Figure 1. The script used to collect the victim’s information (deobfuscated)

Figure 1. The script used to collect the victim’s information (deobfuscated)

The JavaScript backdoor receives commands from the C&C server. It supports two commands: first, the shell command to allow malicious actors to run a shell command in a newly spawned cmd.exe process, and second, the execute command to allow them to execute any JavaScript code on the victims’ machines.

Figure 2. The function used to execute shell commands and the results returned by the command (deobfuscated)

Figure 2. The function used to execute shell commands and the results returned by the command (deobfuscated)

We noticed that victims had been instructed to load a second-stage JavaScript payload from this URL:

  •       hxxp[:]//service[.]livehelpl00service[.]com/livehelp/init

The second-stage script is responsible for trojanizing the original LiveHelp100 application and dropping the malware for the next phase of the infection.

The second-stage script checks the resources folder of the LiveHelp100 application. This folder is used for storing the main Electron.js application code. When it determines that the LiveHelp100 application has not been trojanized yet, it proceeds to do the following and creates files in the application’s resources folder:

  1. Copies all Node.js modules inside the LiveHelp100 ASAR package that contains the main application scripts
  2. Creates a new package.json file to set the main Electron.js script to ./index.js
  3. Creates the script index.js to load the aforementioned JavaScript backdoor, and then continues with the original execution of the LiveHelp100 application

Figure 3. A screenshot of the index.js script to load backdoors and the ASAR package of the LiveHelp 100 application (deobfuscated)

Figure 3. A screenshot of the index.js script to load backdoors and the ASAR package of the LiveHelp 100 application (deobfuscated)

After trojanizing the application, the script drops multiple files and executes them to load the backdoor from the next stage of the infection routine. We discuss our analysis of the backdoor in the next section.

Figure 4. The script used to drop the backdoor files on the victims’ machines (deobfuscated)

Figure 4. The script used to drop the backdoor files on the victims’ machines (deobfuscated)

Analysis of the Executable Backdoor

The second-stage script drops three files. The files include a legitimate and signed executable, WebAccess.exe, a DLL file that is a decryptor, midlrtmd.dll, and an encrypted binary file, Copyright.txt. The script executes the executable file to sideload the decryptor DLL file. The DLL file will then decrypt Copyright.txt and execute the decrypted payload for the first stage of the executable payload.

The goal for the first stage is to download and execute the payload for the second stage. The second stage is a refactored code with functions similar to the malware discussed in this report. It also collects various machine information, along with loading additional modules from URLs listed here:

  •        <C&C>:<port>/down/case/log.bsh
  •        <C&C>:<port>/down/keeper/WindowsPlayer
  •        <C&C>:<port>/down/keeper/midlrtmd
  •        <C&C>:<port>/down/keeper/log.bsh

As of this writing, the server was no longer accessible, so no payload was served. We traced the C&C server to static-files[.]livelyhellp[.]chat:888. After observing that the malicious actor’s use of the file name log.bsh  was unique, we tried to find out more about it. Our search led us to backdoors written in Golang language, suggesting a possible link to the LiveHelp100 campaign.

We also discovered a more recent active chain, deployed between Oct. 8 and 12, 2022. We observed that victims infected with the trojanized LiveHelp100 application were instructed to download and execute the following files from delivery server s[.]livelyhellp[.]chat:

  • hxxp[:]//<C&C>:<port>/sugrec
  • hxxp[:]//<C&C>:<port>/load.action/FixU
  • hxxp[:]//<C&C>:<port>/load.action/html.xml
  • hxxp[:]//<C&C>:<port>/load.action/kdump64

This new chain starts with three files: first, a legitimate and signed rcmdhelper.exe with DLL-sideloading vulnerability, and then kdump64.dll, which is the decryptor and loader, and lastly, html.xml, which contains the encrypted payload for the first stage of the executable backdoor.

Figure 5. Backdoor infection chain of the trojanized application

Figure 5. Backdoor infection chain of the trojanized application

First stage

Malicious actors use this stage as a downloader of the next stage using sockets. The C&C server name is encrypted by simply adding a constant value to each byte of the server’s name.

Figure 6. Encrypted C&C server name

Figure 6. Encrypted C&C server name

The communication to the C&C server in this case is unencrypted and only contains the command number, 0x09, to download the second stage.

Figure 7. Packet sent to C&C that contains a request to submit second stage payload

Figure 7. Packet sent to C&C that contains a request to submit second-stage payload

The payload received from the C&C server contains the size of the payload (first DWORD = 0x7a200), followed by the second stage payload itself, using 0x4d 0x5a as PE EXE marker.

Figure 8. Packet received from the C&C server contains payload length followed by second stage executable binary, with 0x4d 0x5a as PE EXE marker

Figure 8. Packet received from the C&C server contains payload length followed by second-stage executable binary, with 0x4d 0x5a as PE EXE marker

Second stage

Notably, the second stage of the infection chain is more complex and contains more functions:

1.      Thread with anti-debugging feature; exits if debugger is detected.
2.      Thread to repetitively delete files from %LOCALAPPDATA%ProgramsComm100LiveChatresourcesapp directory
3.      Gets machine information, such as the following:

  • IP address
  • Device name
  • Username
  • Running process name
  • Windows product name
  • Events with event ID 6005 (the event log service was started), events with Event ID 6006 (the event log service was stopped)
  • Any TCP endpoints listening on ports 8090, 8091, 8092, 8093, 8094, 8095, 8096
  • Any TCP endpoint established to 8.218.67.52:18024
  • Antivirus product name
  • If Skype or Telegram is installed
  • Number of connected monitors
  • Product ID value from Windows registry

The machine information is then sent as a binary structure in unencrypted form to the C&C server.

4.      Based on the response from the C&C server, the second stage can run some of the following features:

  • Get the availability of the local ports from 8090 to 8096. The function tries to bind to the local host ports to prevent them from being used by another program, based on web browsers installed on the machine. If this task is successful, it means that the given port is available for use in remote browser debugging. For this purpose, it detects the following browsers: 0=”极速浏览器X” (translated as “360 fast browser X”); 1=”360″, 2=”Microsoft Edge”, 3=”QQ”, 4=”傲游” (translated as “Maxthon browser”); 5=”Chrome”, 6=”Opera” and if found, reports if ports 8090 to 8096 are available or not.
  •  
  • Steal browser history and cookies files:

Opera SoftwareOpera StableHistory -> C:ProgramDataohis
360ChromeXChromeUser DataDefaultCookies -> C:ProgramData3phis
360se6User DataDefaultCookies -> C:ProgramData3shis
MicrosoftEdgeUser DataDefaultHistory -> C:ProgramDataehis
TencentQQBrowserUser DataDefaultHistory -> C:ProgramDataqhis
GoogleChromeUser DataDefaultHistory -> C:ProgramDatachis
MaxthonApplicationUser DataDefaultHistory -> C:ProgramDatamhis

  • Modify browser shortcuts:

Search shortcuts in AppDataRoamingMicrosoftInternet ExplorerQuick Launch, C:ProgramDataMicrosoftWindowsStart MenuPrograms, C:UsersPublicDesktop; Desktop, AppDataRoamingMicrosoftInternet ExplorerQuick LaunchUser PinnedTaskBar, and modify them to include parameter “–remote-debugging-port=<>”

When a Chromium-based browser is run with remote debugging enabled, accessing the specified port presents a list of tabs and URLs that have been opened there. This allows attackers to spy on the victims’ current browsing activities.

Figure 9. Chromium with remote debugging port specified; victim opened Twitter in one of their tabs

Figure 9. Chromium with remote debugging port specified; victim opened Twitter in one of their tabs

a.      Download, decrypt, and load http: //<C&C>:<port>/down/maisui module
b.      Download, decrypt, and load http:// <C&C>:<port>/down/webtoken module
c.       Download, decrypt, and load http:// <C&C>:<port>/down/webcallinfo module
d.      Download, decrypt, and load http:// <C&C>:<port>/down/webscreen module
e.      Download, decrypt, and load update from http:// <C&C>:<port>/down/update/
f.        Download, decrypt, and load from download directory http:// <C&C>:<port>/down/

In our testing scenario, we only observed downloads of the update from http:// <C&C>:<port>/down/update/7.zip.

The C&C server and the port had the following value, hard-coded and encrypted in the second-stage executable binary: files[.]amazonawsgarages[.]com:888.

The update packet received from the C&C server contains the update file name 7.zip, downloaded from /down/update/ directory. This file path was used so that the payload can be saved to C:UsersPublicFolder.zip. The packet contains an update file that indicates where it is to be downloaded from and where it will be saved. After downloading, the contents of the archive are extracted and saved as a file, with the information also contained in the packet. The name of the file to be executed is saved to C:UsersPublicFolderRcmdHelper.exe. The packet starts with its length, DWORD 0x384, followed by internal command ID, update = DWORD 0x3ef, followed by the command data itself.

Figure 10. Packet from C&C server instructing the client to download and run an update

Figure 10. Packet from C&C server instructing the client to download and run an update

Figure 11. GET request to download the update, with the user-agent name misspelled as “Chrorne” by the attackers

Figure 11. GET request to download the update, with the user-agent name misspelled as “Chrorne” by the attackers

Figure 12. Contents of update package

Figure 12. Contents of update package

Update

The updated package is a modified version of the first-stage loader. Again, it uses three files: a legitimate and signed EXE file with a sideloading vulnerability, a DLL file as a decryptor and loader, and a binary file with encrypted content.

The decryptor is now modified to execute the following:

1.      Load encrypted first-stage data from the binary file if it exists and decrypt it using a custom RC4-like algorithm. The password is hard-coded in the DLL file.

Figure 13. Code for loading encrypted first-stage data from the binary file

Figure 13. Code for loading encrypted first-stage data from the binary file (click on image to enlarge)

Figure 13. Code for loading encrypted first-stage data from the binary file

2.      Encrypt the data again, this time with password derived from the computer name, then store encrypted data in registry and delete the third binary file.

Figure 14. Code for encrypting the data using the password from the computer name

Figure 14. Code for encrypting the data using the password from the computer name

3.      For succeeding executions, read the encrypted first-stage data from the registry and run it.

Modules

We found the following modules that were developed using Golang. The downloaded modules are encrypted with a simple XOR algorithm, starting from the end of the file and applying XOR (n-1)th byte with nth one.

Table 1. Additional modules written in Golang
Name Function
maisui SOCKS5 proxy
webtoken Skype and Telegram stealer
webcallinfo Info and file stealer
webscreen Take screenshot

The SOCKS5 proxy module listens on the local host on port 61182.

Webcallinfo steals various machine information such as the current user, public IP address, private IP address, virtual private network (VPN) IP address, region, MAC address, Wi-Fi information, device name, identities, chat applications installed (such as Telegram or Skype), and browser bookmarks, password, and history – and saves them to a file called 机器信息.html, translated as “machine information.html.”. It also takes screenshots and  steals files from directories Desktop, 桌面文件, translated as “Desktop files” as well as Downloads, 下载文件, translated as “downloads.” It compresses all stolen information into a ZIP file and uploads the archive to Aliyun’s or Alibaba’s cloud bucket called “qiongdechitu” or “窮的吃土,” loosely translated as, “He is poor, spent all his money, needs to eat dust for the rest of the month.”

Figure 15. Cloud bucket assigned with a funny Chinese name, “qiongdechitu” loosely translated as  “He is poor, spent all his money, needs to eat dust for the rest of the month”

Figure 15. Cloud bucket assigned with a funny Chinese name, “qiongdechitu” loosely translated as “He is poor, spent all his money, needs to eat dust for the rest of the month”

For modules to access Object Storage Service (OSS) and the assigned bucket, the Security Token Service (STS) needs to generate temporary credentials to grant access to users. These temporary credentials are obtained by sending a GET request to another hard-coded URL. These credentials are then used to communicate with the appropriate bucket.

Figure 16. The result of a GET request with temporary credentials to the Aliyun bucket

Figure 16. The result of a GET request with temporary credentials to the Aliyun bucket

The webtoken module steals Skype cookies, steals tg and tdata directories from Telegram and uploads them in the same way as webcallinfo does.

The webscreen module takes screenshots and uploads them also in the same manner as webcallinfo.

Key finding: Establishing the onset of the attacks in February 2022

As previously mentioned, a notable finding in our investigation is that we were able to determine that the malicious actors behind this campaign had been successfully compromising the LiveHelp100 web application since February 2022. The injected code had been instructed to load JavaScript from the following URL:

  • hxxps[:]//analyaze[.]s3amazonbucket[.]com/livechat/dll/tinymce.share.js

During our research, the URL returned a JavaScript backdoor that is different from the aforementioned one. This backdoor communicates with the C&C server using WebSocket. The victims’ information, including their LiveHelp100 ID and their system and browser information, was sent to the C&C server to initialize communication. After establishing the WebSocket connection, the backdoor also sent the browser’s cookie, a referrer, and a fingerprint value calculated as the MD5 hash of the victim’s system information. This backdoor allows the attacker to execute arbitrary JavaScript codes received from the C&C server.

Figure 17. The JavaScript backdoor initializes WebSocket connection

Figure 17. The JavaScript backdoor initializes WebSocket connection

Conclusion

Our investigation of the supply-chain attack on the LiveHelp100 software revealed the malicious actor’s sophisticated use of the trojanized Electron.js application to launch the JavaScript backdoor that has enabled the advanced stages of payload delivery. We also discovered multiple malware modules that have been stealing sensitive information from its targets. A noteworthy observation is that the abuse of the LiveHelp100 software is the third of its kind that we have examined of late. We have published two reports that discussed the abuse of other applications that were also based on the Electron framework. The first report, published in August 2022, highlights the research findings on the threat actor Iron Tiger, which also abused an Electron-based chat software for its supply-chain attack. The second report, published in October 2022, focuses on how Water Labbu weaponized an application based on Electron.js to steal cryptocurrency from scammers.

Indicators of Compromise (IOCs)

The Indicators of Compromise can be found here. 

Source: https://www.trendmicro.com/en_us/research/22/l/probing-weaponized-chat-applications-abused-in-supply-chain-atta.html