As far back as September 2022, Trend Micro reported that threat actors began exploiting chat apps Comm100 and LiveHelp100 to launch supply chain attacks. In a bid to help potential targets curb the problem, they publicized nine indicators of compromise (IoCs), specifically command-and-control (C&C) server addresses, namely:

• analyaze[.]s3amazonbucket[.]com
• services[.]livehelp100services[.]com
• service[.]livehelpl00service[.]com
• app[.]livehelpl00services[.]com
• analysis[.]windowstearns[.]com
• max[.]cornm100[.]io
• s[.]livelyhellp[.]chat
• files[.]amazonawsgarages[.]com
• 8[.]219[.]76[.]37

WhoisXML API researchers, for their part, hoped to expand the current list of IoCs, aided by exhaustive IP, DNS, and WHOIS intelligence, to help potential targets avoid breaches. Our IoC expansion analysis led to the discovery of the following:

• Nine other IP addresses the C&C server addresses resolved to
• 306 domains that shared the C&C server addresses’ IP hosts
• Four additional domains and 32,822 subdomains that contained strings found among the C&C server addresses, 81 of which were malicious
• 660 domains that contained the names of 10 of the most-used chat apps in 2022, only 2% of which could be publicly attributed to the companies whose product names appeared as strings in them and eight were found malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

IoC List Expansion Analysis Findings

We began our in-depth analysis by subjecting the C&C server domains to DNS lookups that allowed us to uncover nine IP addresses that haven’t been published yet. We named four of them below.

• 47[.]243[.]117[.]16
• 8[.]219[.]76[.]37
• 47[.]243[.]85[.]219
• 47[.]242[.]253[.]75

The IP hosts we found were shared by 306 other domains based on reverse IP lookups. While none of the 315 web properties were found malicious, our malware checks for the IP addresses showed all of them had Secure Sockets Layer (SSL) configuration issues.

The IoCs contained specific strings that could appear in other domains and subdomains, which could serve as potential vehicles for the same or other similar threats. We used the unique strings shown in the table below as Domains & Subdomains Discovery search terms. We limited the results to those that resembled the IoCs most by using the “Starts with” parameter.

Our search uncovered four additional domains and 32,822 subdomains. A bulk malware check showed that 81 of them were categorized as malicious by various malware engines.

A closer look at the malicious subdomains allowed us to identify popular brands that appeared alongside the strings found among the IoCs, such as Amazon, Google, PayPal, and Apple. Here’s a word cloud reflecting our findings.

A majority of the malicious web properties contained runescape, followed by paypal and apple.

Are Other Chat Apps and Their Users at Risk?

To determine if other chat apps and their users could be potential targets of similar threats, we obtained a list of the top 10 chat apps in 2022. We limited our investigation to domains using Domains & Subdomains Discovery and used the strings in the table below.

Note that our search didn’t turn up any domain containing chanty + chat but it still led to the discovery of 660 domains. Here’s a breakdown of the total domain volume by chat app.

The results aren’t surprising, given that Microsoft Teams has the biggest user base—270 million worldwide. Take a look at the available user base data for three of the top apps compared with their domain distribution volumes.

A bulk WHOIS lookup for the additional domains allowed us to identify which ones belonged to the legitimate companies whose brands appeared in them. Our results, though, were limited to the entities with publicly available WHOIS registrant details—Slack, Microsoft Teams, Google Chat, and RingCentral Video. Here’s a chart showing the comparison results.

Overall, only 2% (12 out of 549 to be exact) of the chat app domains found belonged to the legitimate companies. Eight of them were also categorized as malicious, four of which are:

• microsoftteams[.]fun
• microsoftteams[.]top
• discord-chatbot[.]tk
• discordchatterscommunity[.]com

---

Companies, particularly those that require chat apps that can accommodate huge group meeting attendees, should be wary of the malicious domains we’ve identified in this study. Threat actors could employ these weaponized web properties to launch the same kind of supply chain attacks against target organizations.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.