Probing Weaponized Chat Applications Abused in Supply-Chain Attacks


In late September 2022, threat researchers uncovered a supply-chain attack carried out by malicious actors using a trojanized installer of Comm100, a chat-based customer engagement application. Our investigation of the incident revealed that the breadth and depth of the campaign's impact were greater than the researchers had initially thought; we also found that additional applications and their respective versions had been affected, and established that the attacks began much earlier than the Sept. 29, 2022 date first reported.
Data from our telemetry suggested that some versions of a similar customer engagement product, LiveHelp100, had also been weaponized. LiveHelp100 shares the same office address as Comm100, and the two companies share one director. Findings from our investigation, which began on Oct. 14, 2022, indicated that the client application had been loading backdoor scripts from the malicious actor's infrastructure since Aug. 8, 2022. It is also worth noting that we were able to identify a JavaScript backdoor injected into the LiveHelp100 web application as early as February 2022. We have sent messages to LiveHelp100 but have received no reply.
We could not determine, however, whether the trojanized versions of LiveHelp100 were delivered through a supply-chain attack on its official website similar to the one on Comm100, because the installers were no longer available when we conducted our analysis. Our telemetry detected requests made by some of LiveHelp100's clients to load JavaScript backdoors, likely the same ones we had previously observed in the supply-chain attack on the Comm100 application. This prompted us to examine the infection chain more closely, enabling us to identify additional pieces of malware that the malicious actors employed in their campaign.
Interestingly, we also discovered that some of the victims targeted with the more advanced stages of the malware deployment were personnel of online gambling platforms who have access to the management panel of their respective websites, suggesting that this may also be one of the campaign's objectives.
Analysis of the JavaScript backdoor
The Windows and macOS versions of the LiveHelp100 client application are built on the Electron.js runtime framework. Data from our telemetry revealed two versions of this application, 11.0.2 and 11.0.3, that had been attempting to communicate with the following URL since Aug. 8, 2022:

      hxxp[:]//service[.]livehelpl00service[.]com/livehelp/collect

The payload returned from the URL is obfuscated JavaScript code with backdoor functions, executed by the trojanized Electron.js applications. The URL format and backdoor functions are the same as those described in the threat researchers' report on the Comm100 attack cited earlier. To initiate communication with the command-and-control (C&C) server 8[.]219[.]76[.]37, the backdoor sends the following victim information in an HTTP POST request:

Computer name
Username
The process list retrieved from the tasklist command
The product ID value stored in the registry
The email information stored in a data file of the LiveHelp100 application
