Supply Chain Attack Targets Customer Engagement Firm Comm100


CrowdStrike is warning of a recently identified supply chain attack involving Canada-based customer engagement software provider Comm100.

CrowdStrike is warning of a recently identified supply chain attack involving Canada-based customer engagement software provider Comm100.

As part of the attack, a trojanized Comm100 Live Chat installer signed with a valid Comm100 Network Corporation certificate on September 26 was distributed from the company’s website from at least September 27 until September 29, 2022. The vendor claims to have more than 15,000 customers across 51 countries.

“The trojanized file was identified at organizations in the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors in North America and Europe,” CrowdStike says.

The Comm100 installer is an Electron application in which the attackers injected a JavaScript backdoor, within the main.js file of the embedded archive. When executed, the backdoor fetches and runs a second-stage script from an external resource.

The script’s obfuscated code contains a backdoor to harvest system information and to provide the attackers with remote shell functionality.

At the next stage, the attacker deployed additional payloads onto the compromised hosts, including a malicious loader DLL that decrypts and executes in memory a shellcode that injects an embedded payload into a new instance of notepad.exe.

CrowdStrike believes that the attack is the work of a China nexus threat actor that previously targeted various online gambling entities in Asia, despite differences in the delivered payload, in the target scope and the supply chain attack mechanism.

“Despite these differences, CrowdStrike Intelligence assesses that the actor responsible for previously identified online gambling targeting is also likely responsible for these recent incidents,” the cybersecurity firm says.

An updated Comm100 installer has been released to remove the malicious code and all Comm100 customers are advised to download and install the latest version of the application.

Comm100 appears to be investigating the incident, but has not shared any information on the attack. SecurityWeek has emailed the company for clarification on the incident and will update the article as soon as a reply arrives.


By Ionut Arghire on Mon, 03 Oct 2022 15:03:16 +0000
Original link