Exposing Chat Apps Exploited for Supply Chain Attacks

As far back as September 2022, Trend Micro reported that threat actors began exploiting chat apps Comm100 and LiveHelp100 to launch supply chain attacks. In a bid to help potential targets curb the problem, they publicized nine indicators of compromise (IoCs), specifically command-and-control (C&C) server addresses, namely:

  • analyaze[.]s3amazonbucket[.]com
  • services[.]livehelp100services[.]com
  • service[.]livehelpl00service[.]com
  • app[.]livehelpl00services[.]com
  • analysis[.]windowstearns[.]com
  • max[.]cornm100[.]io
  • s[.]livelyhellp[.]chat
  • files[.]amazonawsgarages[.]com
  • 8[.]219[.]76[.]37

WhoisXML API researchers, for their part, hoped to expand the current list of IoCs, aided by exhaustive IP, DNS, and WHOIS intelligence, to help potential targets avoid breaches. Our IoC expansion analysis led to the discovery of the following:

  • Nine other IP addresses the C&C server addresses resolved to
  • 306 domains that shared the C&C server addresses’ IP hosts
  • Four additional domains and 32,822 subdomains that contained strings found among the C&C server addresses, 81 of which were malicious
  • 660 domains that contained the names of 10 of the most-used chat apps in 2022, only 2% of which could be publicly attributed to the companies whose product names appeared as strings in them, and eight of which were found malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

IoC List Expansion Analysis Findings

We began our in-depth analysis by subjecting the C&C server domains to DNS lookups that allowed us to uncover nine IP addresses that haven’t been published yet. We named four of them below.

  • 47[.]243[.]117[.]16
  • 8[.]219[.]76[.]37
  • 47[.]243[.]85[.]219
  • 47[.]242[.]253[.]75

The IP hosts we found were shared by 306 other domains based on reverse IP lookups. While none of the 315 web properties were found malicious, malware checks on the IP addresses showed that all of the addresses had Secure Sockets Layer (SSL) configuration issues.

The IoCs contained specific strings that could appear in other domains and subdomains, which could serve as potential vehicles for the same or other similar threats. We used the unique strings shown in the table below as Domains & Subdomains Discovery search terms. We limited the results to those that resembled the IoCs most by using the “Starts with” parameter.

DOMAIN SEARCH STRINGS    SUBDOMAIN SEARCH STRINGS
livehelp100services      services.
livehelpl00service       service.
livelyhellp              max.
cornm100                 files.
amazonawsgarages         analysis.
windowstearns            analyze.
s3amazonbucket

Our search uncovered four additional domains and 32,822 subdomains. A bulk malware check showed that 81 of them were categorized as malicious by various malware engines.
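To make the expansion step reproducible offline, here is an added Python example (not WhoisXML API's code, and no substitute for its Domains & Subdomains Discovery service). It derives the raw search strings from the host IoCs the way the table above does (registrable label for domains, leftmost label plus a dot for subdomains), then applies a "Starts with" match over a constructed candidate list. It also implements the brand-keyword search used later in the article for the 10 chat apps, where every token in a term such as "microsoft + teams" must appear in the name. The candidate names, the single-label public-suffix simplification, and the two-labels-means-domain rule are assumptions; the report curated its own term list by hand, whereas this derives every term mechanically.

```python
# Defanged host IoCs from the published list (the single IP address is omitted here).
HOST_IOCS = [
    "analyaze[.]s3amazonbucket[.]com",
    "services[.]livehelp100services[.]com",
    "service[.]livehelpl00service[.]com",
    "app[.]livehelpl00services[.]com",
    "analysis[.]windowstearns[.]com",
    "max[.]cornm100[.]io",
    "s[.]livelyhellp[.]chat",
    "files[.]amazonawsgarages[.]com",
]


def labels(ioc: str):
    """Refang a defanged hostname and split it into labels."""
    return ioc.lower().replace("[.]", ".").rstrip(".").split(".")


def derive_search_terms(iocs):
    """Domain terms: the registrable label. Subdomain terms: the leftmost label plus a dot.
    Assumption: the public suffix is the last label only (true for these IoCs)."""
    domain_terms, subdomain_terms = set(), set()
    for ioc in iocs:
        parts = labels(ioc)
        if all(p.isdigit() for p in parts):
            continue  # IP literal: nothing to search on
        domain_terms.add(parts[-2])
        if len(parts) > 2:
            subdomain_terms.add(parts[0] + ".")
    return sorted(domain_terms), sorted(subdomain_terms)


def registrable_label(name: str) -> str:
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def starts_with_expand(candidates, domain_terms, subdomain_terms):
    """Emulate a 'Starts with' search: domains by the start of their registrable label,
    subdomains by the start of the whole hostname."""
    hits = {t: [] for t in list(domain_terms) + list(subdomain_terms)}
    for name in candidates:
        name = name.lower()
        if name.count(".") >= 2:  # assumption: three or more labels means a subdomain
            for t in subdomain_terms:
                if name.startswith(t):
                    hits[t].append(name)
        else:
            for t in domain_terms:
                if registrable_label(name).startswith(t):
                    hits[t].append(name)
    return hits


# Search strings for the 10 chat apps, exactly as the article's table gives them.
CHAT_APP_TERMS = {
    "Slack": "slack + chat",
    "Microsoft Teams": "microsoft + teams",
    "Twist": "twist + chat",
    "Ryver": "ryver + chat",
    "Discord": "discord + chat",
    "Google Chat": "google + chat",
    "Chanty": "chanty + chat",
    "Rocket.Chat": "rocket.chat",
    "RingCentral Video": "ringcentral + video",
    "Flock": "flock + chat",
}


def keyword_search(candidates, terms=CHAT_APP_TERMS):
    """A name matches an app when every '+'-separated token occurs somewhere in it."""
    out = {}
    for app, expr in terms.items():
        tokens = [tok.strip() for tok in expr.split("+")]
        out[app] = [n for n in candidates if all(tok in n.lower() for tok in tokens)]
    return out


# Constructed candidate names (assumptions; .example is reserved and not real).
CANDIDATES = [
    "livehelp100services.net",        # registrable label starts with a domain term
    "livehelpl00service-login.com",   # lookalike with an extra suffix still matches
    "livehelp100.example",            # shorter than every term, so no match
    "cornm100-cdn.net",
    "services.example-support.com",   # subdomain prefix "services."
    "max.cdn.example.org",            # subdomain prefix "max."
    "microsoftteams.example",
    "teams-microsoft-login.example",
    "discord-chatbot.example",
    "chantyapp.example",              # "chanty" without "chat": not a hit
    "slackchat.example",
]

if __name__ == "__main__":
    dom_terms, sub_terms = derive_search_terms(HOST_IOCS)
    for term, names in starts_with_expand(CANDIDATES, dom_terms, sub_terms).items():
        if names:
            print(term, "->", names)
    for app, names in keyword_search(CANDIDATES).items():
        if names:
            print(app, "->", names)
```

Two things the mechanical derivation makes visible: a prefix as short as "s." would match an enormous share of all subdomains, which is one reason a curated term list (like the table above) and a malware check on the results are both needed before anything is acted on.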

A closer look at the malicious subdomains allowed us to identify popular brands that appeared alongside the strings found among the IoCs, such as Amazon, Google, PayPal, and Apple. Here’s a word cloud reflecting our findings.

A majority of the malicious web properties contained the string “runescape,” followed by “paypal” and “apple.”

Are Other Chat Apps and Their Users at Risk?

To determine if other chat apps and their users could be potential targets of similar threats, we obtained a list of the top 10 chat apps in 2022. We limited our investigation to domains using Domains & Subdomains Discovery and used the strings in the table below.

CHAT APP             STRING USED
Slack                slack + chat
Microsoft Teams      microsoft + teams
Twist                twist + chat
Ryver                ryver + chat
Discord              discord + chat
Google Chat          google + chat
Chanty               chanty + chat
Rocket.Chat          rocket.chat
RingCentral Video    ringcentral + video
Flock                flock + chat

Note that our search didn’t turn up any domain containing chanty + chat, but it still led to the discovery of 660 domains. Here’s a breakdown of the total domain volume by chat app.

The results aren’t surprising, given that Microsoft Teams has the biggest user base—270 million worldwide. Take a look at the available user base data for three of the top apps compared with their domain distribution volumes.

A bulk WHOIS lookup for the additional domains allowed us to identify which ones belonged to the legitimate companies whose brands appeared in them. Our results, though, were limited to the entities with publicly available WHOIS registrant details—Slack, Microsoft Teams, Google Chat, and RingCentral Video. Here’s a chart showing the comparison results.

Overall, only 2% (12 out of 549 to be exact) of the chat app domains found belonged to the legitimate companies. Eight of them were also categorized as malicious, four of which are:

  • microsoftteams[.]fun
  • microsoftteams[.]top
  • discord-chatbot[.]tk
  • discordchatterscommunity[.]com
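The attribution step above (deciding from bulk WHOIS data whether a brand-bearing domain belongs to the brand owner) is easy to get wrong on punctuation and corporate suffixes, and it can only be decided at all for records with public registrant details. The following Python is an added example, not WhoisXML API's code: it parses minimal "Key: Value" WHOIS text, normalizes the registrant organization, classifies each domain as legitimate, unattributed, or redacted, and computes the share of attributable domains among those with public details. The brand-to-owner map, the constructed .example domains, and their WHOIS records are all assumptions.

```python
import re

# Assumed brand -> normalized registrant organization names; an analyst maintains this.
BRAND_OWNERS = {
    "Slack": {"slack technologies", "salesforce"},
    "Microsoft Teams": {"microsoft"},
    "Google Chat": {"google"},
    "RingCentral Video": {"ringcentral"},
}

CORP_SUFFIXES = {"inc", "llc", "ltd", "corporation", "corp", "co", "company"}


def normalize_org(org: str) -> str:
    """Lower-case, drop punctuation, and strip trailing corporate suffixes."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", org.lower()).split()
    while tokens and tokens[-1] in CORP_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def parse_whois(text: str) -> dict:
    """Minimal 'Key: Value' parser; keys are lower-cased for lookup."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields


def attribute(app: str, whois_text: str, owners=BRAND_OWNERS) -> str:
    """'legitimate' if the registrant org is a known owner of the brand,
    'redacted' if the org is missing or privacy-masked, else 'unattributed'."""
    org = parse_whois(whois_text).get("registrant organization", "")
    if not org or "redacted" in org.lower() or "privacy" in org.lower():
        return "redacted"
    return "legitimate" if normalize_org(org) in owners.get(app, set()) else "unattributed"


# Constructed records for constructed .example domains (not real WHOIS data).
RECORDS = [
    ("Microsoft Teams", "msteams-meetings.example",
     "Domain Name: msteams-meetings.example\n"
     "Registrant Organization: Microsoft Corporation\nRegistrant Country: US\n"),
    ("Microsoft Teams", "microsoft-teams-login.example",
     "Domain Name: microsoft-teams-login.example\n"
     "Registrant Organization: REDACTED FOR PRIVACY\n"),
    ("Microsoft Teams", "teams-microsoft-help.example",
     "Domain Name: teams-microsoft-help.example\n"
     "Registrant Organization: Bogus Hosting Ltd\n"),
    ("Slack", "slack-chat-invite.example",
     "Domain Name: slack-chat-invite.example\n"
     "Registrant Organization: Slack Technologies, LLC\n"),
    ("RingCentral Video", "ringcentral-video-meet.example",
     "Domain Name: ringcentral-video-meet.example\n"
     "Registrant Organization: Parked Domains Co\n"),
]


def summarize(records=RECORDS) -> dict:
    """Count verdicts and report the legitimate share among publicly attributable domains."""
    counts = {"legitimate": 0, "unattributed": 0, "redacted": 0}
    verdicts = {}
    for app, domain, text in records:
        verdict = attribute(app, text)
        counts[verdict] += 1
        verdicts[domain] = verdict
    public = counts["legitimate"] + counts["unattributed"]
    counts["pct_legitimate_of_public"] = round(100 * counts["legitimate"] / public, 1) if public else 0.0
    counts["verdicts"] = verdicts
    return counts


if __name__ == "__main__":
    print(summarize())
```

Keeping "redacted" as its own bucket matters for the denominator: a brand-bearing domain behind a privacy service is neither evidence of abuse nor of legitimacy, and folding it into "unattributed" would overstate how many lookalikes are in unknown hands.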

Companies, particularly those that require chat apps that can accommodate huge group meeting attendees, should be wary of the malicious domains we’ve identified in this study. Threat actors could employ these weaponized web properties to launch the same kind of supply chain attacks against target organizations.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.