Probing Weaponized Chat Applications Abused in Supply-Chain Attacks
In late September 2022, threat researchers uncovered a supply-chain attack carried out by malicious actors using a trojanized installer of Comm100, a chat-based customer engagement application. Our investigation of the incident revealed that the breadth and depth of the campaign’s impact were greater than the researchers had initially thought; we also found that more applications and their respective versions had been affected, and established that the attacks began much earlier than the Sept. 29, 2022 date the researchers had first identified.
Data from our telemetry suggested that some versions of a similar customer engagement software, LiveHelp100, had also been weaponized. LiveHelp100 shares the same office address as Comm100, and both share one director. Findings from our investigation, which began on Oct. 14, 2022, indicated that the client application had been loading backdoor scripts from the malicious actor’s infrastructure since Aug. 8, 2022. It is also worth noting that we were able to identify a JavaScript backdoor injected into the web application of LiveHelp100 as early as February 2022. We have sent messages to LiveHelp100 but have received no reply.
We could not determine, however, if the trojanized versions of LiveHelp100 were delivered using a similar supply-chain attack on its official website as Comm100 because the installers were not available when we were conducting our research. Our telemetry detected requests made by some of LiveHelp100’s clients to load JavaScript backdoors, likely the same ones that we had previously observed in the supply-chain attack on the Comm100 application. This prompted us to examine the infection chain more closely, enabling us to identify additional pieces of malware that the malicious actors employed in their campaign.
Interestingly, we also discovered that some of the victims that had been targeted with the more advanced stages of the malware deployment were personnel of online gambling platforms that have access to the administration panel of their respective websites, suggesting that this might also be one of the campaign’s objectives.
Analysis of JavaScript backdoor
The Windows and macOS versions of the LiveHelp100 client application are developed with the Electron.js runtime framework. Data from our telemetry revealed two versions of this application, 11.0.2 and 11.0.3, that have been attempting to communicate with the following URL since August 8, 2022:
- hxxp[:]//service[.]livehelpl00service[.]com/livehelp/collect
The payload returned from the URL is obfuscated JavaScript code with backdoor functions for execution by the trojanized Electron.js applications. The URL format and backdoor functions are the same as those mentioned in the threat researchers’ report on the Comm100 attack that we cited earlier. The backdoor sends the following victim information in an HTTP POST request to initiate communication with the command-and-control (C&C) server 8[.]219[.]76[.]37:
- Computer name
- Username
- The process list retrieved from the tasklist command
- The product ID value stored in the registry
- The email information stored in a data file of the LiveHelp100 application
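Because the backdoor's first step is a GET for the obfuscated script and its second is a POST to the C&C IP, both indicators quoted above can be hunted for in egress proxy logs. The following is an added example (not code from the report or from the vendors), which refangs the indicators exactly as printed and scans constructed proxy log lines; the log format (timestamp, client, method, URL, status) is an assumption.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the report above, kept in their defanged form.
DEFANGED_INDICATORS = [
    "hxxp[:]//service[.]livehelpl00service[.]com/livehelp/collect",
    "8[.]219[.]76[.]37",
]

def refang(ioc):
    """Turn a defanged indicator back into its real, matchable form."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")

def build_matchers(defanged):
    """Compile one regex per indicator. URLs match on host + path regardless
    of scheme; bare IPs match only as whole tokens, so 8.219.76.37 does not
    fire on 18.219.76.37 or 8.219.76.370."""
    matchers = []
    for ioc in defanged:
        clean = refang(ioc)
        if "://" in clean:
            u = urlparse(clean)
            pattern = r"https?://" + re.escape(u.netloc) + re.escape(u.path)
        else:
            pattern = r"(?<![\d.])" + re.escape(clean) + r"(?![\d.])"
        matchers.append((ioc, re.compile(pattern)))
    return matchers

# Constructed proxy log lines (assumed format: timestamp client method URL status).
SAMPLE_LOG = """\
2022-08-08T10:12:03Z 10.0.0.15 GET http://service.livehelpl00service.com/livehelp/collect 200
2022-08-08T10:12:04Z 10.0.0.15 POST http://8.219.76.37/ 200
2022-08-08T10:13:00Z 10.0.0.22 GET https://www.livehelp100.com/ 200
2022-08-08T10:14:00Z 10.0.0.31 GET http://18.219.76.37/health 200
""".splitlines()

def scan_proxy_log(lines, defanged=DEFANGED_INDICATORS):
    """Return (line_number, client, indicator) for each line that references
    an indicator; the client is the second whitespace-separated field."""
    matchers = build_matchers(defanged)
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        client = fields[1] if len(fields) > 1 else "?"
        for ioc, rx in matchers:
            if rx.search(line):
                hits.append((n, client, ioc))
    return hits

if __name__ == "__main__":
    for n, client, ioc in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {client} contacted {ioc}")
```

Two hits are reported for client 10.0.0.15 (the script fetch and the C&C POST), while the legitimate vendor site and the look-alike IP on line 4 are left alone.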