Monday, February 10, 2025
HomeMalwareComm100 Live Chat App Hijacked in Supply Chain Attack to Deliver Malware

Comm100 Live Chat App Hijacked in Supply Chain Attack to Deliver Malware

Published on

SIEM as a Service

Follow Us on Google News

As part of a new supply-chain attack being carried out against the Comm100 Live Chat application, the official installer for the application was trojanized.

Comm100 Live Chat application is a popular Canadian SaaS application that is used extensively by businesses to interact with website visitors and to communicate with customers.

The cybersecurity analysts at CrowdStrike claimed that from September 26 to 29 the trojanized variant was available on the vendor’s website.

There was a valid digital signature attached to the trojanized installer. A stealthy supply chain attack would not be disrupted if anti-virus solutions are not triggered during its launch, thus allowing the attack to proceed undetected.

Attack

A Comm100 desktop agent app is downloaded from the company’s website that was signed by Comm100 and was used in the attack.

Currently, it is unknown to what extent the attack was carried out. There is, however, evidence that the trojanized files were identified in North America and Europe in the following sectors:-

  • Industrial
  • Healthcare
  • Technology
  • Manufacturing
  • Insurance
  • Telecom

Over 15,000 customers across 51 countries are said to be served by Comm100.

Backdoor

In the main.js file, a JavaScript backdoor was implanted by the threat actors. During the second stage of the backdoor, a JS script obfuscated by a hard-coded URL is retrieved.

Here’s the hardcoded URL used by the threat actors to download and execute a second-stage script:-

  • http[:]//api.amazonawsreplay[.]com/livehelp/collect

The threat actors have also deployed a malicious loader DLL called MidlrtMd.dll in order to carry out their malicious activities. With the help of this, a new Notepad process (notepad.exe) is injected with an embedded payload by the threat actors through this in-memory shellcode.

Chinese Threat Actors Presumed

Based on CrowdStrike’s assessment, China-based threat actors are responsible for the attack. Previously, this group had been seen to target East and Southeast Asian online gambling enterprises in the past.

These malware families differ from those previously identified as being operated by the group in terms of the payload delivered. It is clear from this that the offensive arsenal of the organization is expanding.

Here below we have mentioned all the factors considered by the security experts to assume that the threat actors could be Chinese:-

  • The use of chat software to deliver malware 
  • The use of the Microsoft Metadata Merge Utility binary to load a malicious DLL named MidlrtMd.dll
  • C2 domain-naming convention using Microsoft and Amazon-themed domains along with api. subdomains 
  • C2 domains hosted on Alibaba infrastructure 

Comm100 has already been informed of the problem by the security experts. Therefore, a clean installer has been released, version 10.0.9 by the developers. It is highly recommended that users update their Live Chat software as soon as possible.

Cyber Attack with Zero Trust Networking – Download Free E-Book

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

NetSupport RAT Grant Attackers Full Access to Victims Systems

The eSentire Threat Response Unit (TRU) has reported a significant rise in incidents involving...

Quishing via QR Codes Emerging as a Top Attack Vector Used by Hackers

QR codes, once a symbol of convenience and security in digital interactions, have become...

New ‘BYOTB’ Attack Exploits Trusted Binaries to Evade Detection, Researchers Reveal

A recent cybersecurity presentation at BSides London 2024 has unveiled a sophisticated attack technique...

SAML Bypass Authentication on GitHub Enterprise Servers to Login as Other User Account

A severe security vulnerability, tracked as CVE-2025-23369, has been identified in GitHub Enterprise Server...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

NanoCore RAT Attack Windows Using Task Scheduler to Captures keystrokes, screenshots

NanoCore, a notorious Remote Access Trojan (RAT), continues to pose a significant threat to...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Hackers Leveraging Image & Video Attachments to Deliver Malware

Cybercriminals are increasingly exploiting image and video files to deliver malware, leveraging advanced techniques...