Cybersecurity firm CrowdStrike said the attack made use of a signed Comm100 desktop agent app for Windows that was downloadable from the company’s website.
The scale of the attack is currently unknown, but the trojanized file is said to have been identified at organizations in the industrial, healthcare, technology, manufacturing, insurance, and telecom sectors in North America and Europe.
Comm100 is a Canadian provider of live audio/video chat and customer engagement software for enterprises. It claims to have more than 15,000 customers across 51 countries.
“The installer was signed on September 26, 2022 at 14:54:00 UTC using a valid Comm100 Network Corporation certificate,” the company noted, adding it remained available until September 29.
Also deployed as part of the post-exploitation activity is a malicious loader DLL named MidlrtMd.dll that launches in-memory shellcode to inject an embedded payload into a new Notepad process.
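One way a defender could hunt for the behaviour described above is to correlate image loads of MidlrtMd.dll with Notepad processes started by the same parent. This is an added example, not CrowdStrike's or Comm100's code; the event schema, host names and file paths are constructed, and it assumes the process that loads the DLL is the one that starts Notepad.

```python
from ntpath import basename  # parses Windows paths on any OS

LOADER_DLL = "midlrtmd.dll"   # loader DLL name reported in the article
TARGET_PROC = "notepad.exe"   # process the article says receives the payload

# Constructed sample events. Assumption: a simplified Sysmon-like schema
# where id 7 is an image load and id 1 is a process creation.
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 7, "pid": 4120,
     "image": r"C:\Example\agent.exe",
     "loaded": r"C:\Example\MidlrtMd.dll"},
    {"host": "ws01", "id": 1, "pid": 5332, "ppid": 4120,
     "image": r"C:\Windows\System32\notepad.exe"},
    # Benign: Notepad started by a process that never loaded the DLL.
    {"host": "ws02", "id": 1, "pid": 2210, "ppid": 1804,
     "image": r"C:\Windows\System32\notepad.exe"},
    # Loader seen (different case), no Notepad child observed yet.
    {"host": "ws03", "id": 7, "pid": 900,
     "image": r"C:\Example\agent.exe",
     "loaded": r"C:\Example\MIDLRTMD.DLL"},
]


def hunt(events):
    """Return (host, severity, detail) findings.

    Events are assumed to be in chronological order. Assumption: the
    process that loads the DLL is the parent of the Notepad process.
    """
    loaders = set()   # (host, pid) pairs that loaded the DLL
    findings = []
    for ev in events:
        if ev["id"] == 7 and basename(ev["loaded"]).lower() == LOADER_DLL:
            loaders.add((ev["host"], ev["pid"]))
            findings.append((ev["host"], "medium",
                             f"pid {ev['pid']} loaded {LOADER_DLL}"))
        elif (ev["id"] == 1
              and basename(ev["image"]).lower() == TARGET_PROC
              and (ev["host"], ev["ppid"]) in loaders):
            findings.append((ev["host"], "high",
                             f"pid {ev['ppid']} started {TARGET_PROC} "
                             f"(pid {ev['pid']}) after loading {LOADER_DLL}"))
    return findings


if __name__ == "__main__":
    for host, severity, detail in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] {host}: {detail}")
```
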
Supply chain compromises, like those of SolarWinds and Kaseya, are becoming an increasingly lucrative strategy for threat actors, who target a widely used software provider to gain a foothold in the networks of downstream customers.
As of writing, none of the security vendors flag the installers as malicious. Following responsible disclosure, the issue has since been addressed with the release of an updated installer (10.0.9).
CrowdStrike has tied the attack with moderate confidence to an actor with a China nexus based on the presence of Chinese-language comments in the malware and the targeting of online gambling entities in East and Southeast Asia, an already established area of interest for China-based intrusion actors.
That said, the payload delivered in this activity differs from other malware families previously identified as operated by the group, suggesting an expansion to its offensive arsenal.
As of writing, it’s not immediately clear how the attackers managed to gain access to Comm100’s internal systems and poison the legitimate installer.
The name of the adversary was not disclosed by CrowdStrike, but the TTPs point in the direction of a threat actor called Earth Berberoka (aka GamblingPuppet), which earlier this year was found using a fake chat app named MiMi in its attacks against the gambling industry.