Report: Commercial chat provider hijacked to spread malware in supply chain attack

Attackers hijacked the installer of a popular commercial chat provider to spread malware, according to a report published Friday by cybersecurity firm Crowdstrike. 

The attack targeted Comm100, which provides chat services on websites and social media. The strategy used by the assailants appears to echo the supply chain mechanism used in the widely disruptive SolarWinds attacks, targeting a popular software provider to get a foot in the door of victims’ systems.

The attack featured a trojan malware delivered via an installer for Comm100’s Windows Desktop agent software, available on the company website and signed using a valid Comm100 certificate dated September 26, 2022, according to Crowdstrike. It remained available until the morning of September 29. 

The malware embedded in the installer would surreptitiously connect to a remote command-and-control server, creating a backdoor into infected systems that the attackers then sought to exploit by installing further malicious software, according to Crowdstrike. 

Comm100 did not immediately respond to a request for comment from The Record, but has since released an updated installer, Crowdstrike wrote. It’s unclear how many people downloaded the malicious file, but the company claims on its website to have more than 15,000 customers across 51 countries.

Crowdstrike reported with “moderate confidence” that the attackers are Chinese, based on the “presence of Chinese-language comments in the malware,” the use of Alibaba infrastructure to host servers, technical connections to previous “targeting of online gambling entities in East and Southeast Asia,” and other factors.