Report: Commercial chat provider hijacked to spread malware in supply chain attack
Andrea Peterson September 30, 2022

Attackers hijacked the installer of a popular commercial chat provider to spread malware, according to a report published Friday by cybersecurity firm Crowdstrike.

The attack targeted Comm100, which provides chat services on websites and social media. The strategy used by the assailants appears to echo the supply chain mechanism used in the widely disruptive SolarWinds attacks, targeting a popular software provider to get a foot in the door of victims’ systems.

The attack featured a trojan malware delivered via an installer for Comm100’s Windows Desktop agent software, available on the company website and signed using a valid Comm100 certificate dated September 26, 2022, according to Crowdstrike. It remained available until the morning of September 29. 

The malware embedded in the installer would surreptitiously connect to a remote command-and-control server, creating a backdoor into infected systems that the attackers then sought to exploit by installing further malicious software, according to Crowdstrike. 

Comm100 did not immediately respond to a request for comment from The Record, but has since released an updated installer, Crowdstrike wrote. It’s unclear how many people downloaded the malicious file, but the company claims on its website to have more than 15,000 customers across 51 countries.

Crowdstrike reported with “moderate confidence” that the attackers are Chinese, based on the “presence of Chinese-language comments in the malware,” the use of Alibaba infrastructure to host servers, technical connections to previous “targeting of online gambling entities in East and Southeast Asia,” and other factors.

Andrea (they/them) is senior policy correspondent at The Record and a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP), then The Washington Post from 2013 through 2016, before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight. Their work has also been published at Slate, Politico, The Daily Beast, Ars Technica, Protocol, and other outlets. Peterson also produces independent creative projects under their Plain Great Productions brand and can generally be found online as kansasalps.