Report: Commercial chat provider hijacked to spread malware in supply chain attack

Attackers hijacked the installer of a popular commercial chat provider to spread malware, according to a report published Friday by cybersecurity firm CrowdStrike.

The attack targeted Comm100, which provides chat services on websites and social media. The strategy used by the assailants appears to echo the supply chain mechanism used in the widely disruptive SolarWinds attacks, targeting a popular software provider to get a foot in the door of victims’ systems.

The attack used a trojanized installer for Comm100’s Windows Desktop agent software, available on the company website and signed using a valid Comm100 certificate dated September 26, 2022, according to CrowdStrike. It remained available until the morning of September 29.

The malware embedded in the installer would surreptitiously connect to a remote command-and-control server, creating a backdoor into infected systems that the attackers then sought to exploit by installing further malicious software, according to CrowdStrike.
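The detail that matters for defenders in the two paragraphs above is that the malicious installer carried a valid vendor signature, so a signature check alone would have passed it. The following PowerShell script is an added example, not code from The Record, Comm100 or CrowdStrike: it records the Authenticode signer of a downloaded installer but treats a pinned SHA-256 hash, obtained from the vendor through a separate trusted channel, as the deciding check. The `$ExpectedSha256` value is a placeholder; the page publishes no hash for either the clean or the malicious file.

```powershell
# Added example (not from the article, Comm100 or CrowdStrike): verify a downloaded
# installer against a pinned hash and log its Authenticode signer details.
# A valid signature is not sufficient evidence of a clean build; the hash must match
# a value obtained out of band (vendor support channel, signed release notes, etc.).

param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    # Placeholder: replace with the SHA-256 the vendor published through a trusted channel.
    [string] $ExpectedSha256 = 'REPLACE_WITH_VENDOR_PUBLISHED_SHA256'
)

# Get-FileHash and Get-AuthenticodeSignature are built-in Windows PowerShell cmdlets.
$hash = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
$sig  = Get-AuthenticodeSignature -FilePath $InstallerPath

# Emit a record suitable for an inventory or SIEM: who signed it, when the signing
# certificate became valid, whether a timestamp countersignature is present, and
# whether the hash matches the pinned value.
[pscustomobject]@{
    File            = $InstallerPath
    Sha256          = $hash
    HashMatches     = ($hash -ieq $ExpectedSha256)
    SignatureStatus = $sig.Status
    Signer          = $sig.SignerCertificate.Subject
    SignerThumb     = $sig.SignerCertificate.Thumbprint
    SignerNotBefore = $sig.SignerCertificate.NotBefore
    Timestamped     = ($null -ne $sig.TimeStamperCertificate)
} | Format-List

if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)', not 'Valid'."
}

# The hash comparison, not the signature, decides whether the file is installed.
if ($hash -ine $ExpectedSha256) {
    Write-Warning 'SHA-256 does not match the pinned value. Do not install; a valid signature does not override this result.'
    exit 1
}

Write-Output 'Hash matches pinned value.'
exit 0
```

Run it as `.\Check-Installer.ps1 -InstallerPath .\agent-setup.exe -ExpectedSha256 <hash>`; the signer thumbprint and `NotBefore` date it records are what let you notice later, as in the Comm100 case, that a file signed with the vendor's own certificate was published inside a short window that the vendor did not intend.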

Comm100 did not immediately respond to a request for comment from The Record, but has since released an updated installer, CrowdStrike wrote. It’s unclear how many people downloaded the malicious file, but the company claims on its website to have more than 15,000 customers across 51 countries.

CrowdStrike reported with “moderate confidence” that the attackers are Chinese, based on the “presence of Chinese-language comments in the malware,” the use of Alibaba infrastructure to host servers, technical connections to previous “targeting of online gambling entities in East and Southeast Asia,” and other factors.

Andrea Peterson

Andrea (they/them) is senior policy correspondent at The Record and a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP), then The Washington Post from 2013 through 2016, before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight. Their work has also been published at Slate, Politico, The Daily Beast, Ars Technica, Protocol, and other outlets. Peterson also produces independent creative projects under their Plain Great Productions brand and can generally be found online as kansasalps.
