Live support service hacked to spread malware in supply chain attack

Gandalf_The_Grey

The official installer for the Comm100 Live Chat application, a widely deployed SaaS (software-as-a-service) that businesses use to communicate with customers and website visitors, was trojanized as part of a new supply-chain attack.

A report from CrowdStrike says that the infected variant was available from the vendor's website from at least September 26 until the morning of September 29.

Because the trojanized installer used a valid digital signature, antivirus solutions would not trigger warnings during its launch, allowing for a stealthy supply-chain attack.

Backdoor details

CrowdStrike says that the attackers implanted a JavaScript backdoor into the "main.js" file that is present in the following versions of the Comm100 Live Chat installer:
  • 10.0.72 with SHA256 Hash 6f0fae95f5637710d1464b42ba49f9533443181262f78805d3ff13bea3b8fd45
  • 10.0.8 with SHA256 Hash ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86
The backdoor fetches a second-stage obfuscated JS script from a hard-coded URL ("http[:]//api.amazonawsreplay[.]com/livehelp/collect"), which gives the attackers remote shell access to the victimized endpoints via the command line.

For more details regarding the signs of infection and the indicators of compromise, check the bottom section of CrowdStrike's report.
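Added example, not from the article or from CrowdStrike's report: a small Python IoC check a defender could run over an installed copy, built only from the two published SHA256 hashes and the reported second-stage URL. The sample main.js content, the directory layout and the function names are constructed assumptions.

```python
import hashlib
import re
from pathlib import Path

# Published indicators quoted in the post above (from the CrowdStrike report).
TROJANIZED_INSTALLER_SHA256 = {
    "6f0fae95f5637710d1464b42ba49f9533443181262f78805d3ff13bea3b8fd45": "Comm100 Live Chat 10.0.72",
    "ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86": "Comm100 Live Chat 10.0.8",
}
# Second-stage URL exactly as it is printed (defanged) in the report.
DEFANGED_C2_URL = "http[:]//api.amazonawsreplay[.]com/livehelp/collect"
# Constructed sample of a JS file that references the reported host (not the real payload).
SAMPLE_MAIN_JS = "// constructed sample file\nfetch('http://api.amazonawsreplay.com/livehelp/collect');\n"


def refang(ioc):
    """Turn '[.]' / '[:]' style defanging back into the literal indicator string."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


def sha256_of(path):
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_installer(path):
    """Return the product version if the file hash is a known trojanized build, else None."""
    return TROJANIZED_INSTALLER_SHA256.get(sha256_of(path))


def scan_js_for_c2(js_source):
    """Return the lines of a JS source that reference the second-stage host (case-insensitive)."""
    host = re.escape(refang(DEFANGED_C2_URL).split("/")[2])  # api.amazonawsreplay.com
    return [line.strip() for line in js_source.splitlines() if re.search(host, line, re.I)]


def scan_tree(root):
    """Walk an install directory: flag known-bad hashes and .js files that reference the host."""
    findings = {}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        ver = check_installer(p)
        if ver:
            findings.setdefault(str(p), []).append("SHA256 matches trojanized " + ver)
        if p.suffix.lower() == ".js":
            for hit in scan_js_for_c2(p.read_text(errors="ignore")):
                findings.setdefault(str(p), []).append("C2 reference: " + hit)
    return findings
```

A hash match on an installer or a C2 reference in any JS file under the install directory is the cue to follow the signs-of-infection section of the CrowdStrike report; an empty result does not prove a clean host, since the second stage is fetched at runtime.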