As far back as September 2022, Trend Micro reported that threat actors began exploiting chat apps Comm100 and LiveHelp100 to launch supply chain attacks. In a bid to help potential targets curb the problem, they publicized nine indicators of compromise (IoCs), specifically command-and-control (C&C) server addresses, namely:
WhoisXML API researchers, for their part, hoped to expand the current list of IoCs, aided by exhaustive IP, DNS, and WHOIS intelligence, to help potential targets avoid breaches. Our IoC expansion analysis led to the discovery of the following:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our in-depth analysis by subjecting the C&C server domains to DNS lookups that allowed us to uncover nine IP addresses that haven’t been published yet. We named four of them below.
The IP hosts we found were shared by 306 other domains based on reverse IP lookups. While none of the 315 web properties were found malicious, our malware checks for the IP addresses showed all of them had Secure Sockets Layer (SSL) configuration issues.
The IoCs contained specific strings that could appear in other domains and subdomains, which could serve as potential vehicles for the same or other similar threats. We used the unique strings shown in the table below as Domains & Subdomains Discovery search terms. We limited the results to those that resembled the IoCs most by using the “Starts with” parameter.
DOMAIN SEARCH STRINGS | SUBDOMAIN SEARCH STRINGS |
---|---|
livehelp100services | services. |
livehelpl00service | service. |
livelyhellp | max. |
cornm100 | files. |
amazonawsgarages | analysis. |
windowstearns | analyze. |
s3amazonbucket | |
Our search uncovered four additional domains and 32,822 subdomains. A bulk malware check showed that 81 of them were categorized as malicious by various malware engines.
A closer look at the malicious subdomains allowed us to identify popular brands that appeared alongside the strings found among the IoCs, such as Amazon, Google, PayPal, and Apple. Here’s a word cloud reflecting our findings.
A majority of the malicious web properties contained runescape, followed by paypal and apple.
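As an added illustration of the "Starts with" pivot and the brand tally described above (my own code, not WhoisXML API's tooling): the candidate host list is constructed, and the confusable mapping and the legitimate-name tokens are my assumptions, chosen because strings such as cornm100 and livehelpl00service visibly imitate the Comm100 and LiveHelp100 names.

```python
from collections import Counter

# Domain search strings taken from the page's table.
DOMAIN_SEARCH_STRINGS = [
    "livehelp100services", "livehelpl00service", "livelyhellp", "cornm100",
    "amazonawsgarages", "windowstearns", "s3amazonbucket",
]
# Legitimate names the IoC strings resemble. Comm100, LiveHelp100, Microsoft Teams,
# Amazon, PayPal and Apple appear on the page; the exact tokens are my assumption.
LEGIT_TOKENS = ["comm100", "livehelp100", "teams", "amazon", "paypal", "apple"]

def skeleton(label: str) -> str:
    """Collapse common visual confusables so lookalikes compare equal:
    'rn' -> 'm', 'l' -> '1', 'o' -> '0'. Constructed mapping, not exhaustive."""
    s = label.lower().replace("rn", "m")
    return s.translate(str.maketrans({"l": "1", "o": "0"}))

def impersonated(label: str) -> list[str]:
    """Return the legitimate tokens whose skeleton occurs in the label's skeleton."""
    sk = skeleton(label)
    return [t for t in LEGIT_TOKENS if skeleton(t) in sk]

def registrable_label(host: str) -> str:
    # Second-to-last DNS label; ignores multi-part public suffixes, fine for the sample.
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def expand(candidates: list[str], prefixes: list[str]) -> dict[str, list[str]]:
    """'Starts with' pivot: keep hosts whose registrable label begins with a search
    string, and tag each with the legitimate names it appears to imitate."""
    return {h: impersonated(registrable_label(h)) for h in candidates
            if any(registrable_label(h).startswith(p) for p in prefixes)}

# Constructed candidate list standing in for a Domains & Subdomains Discovery result.
SAMPLE_CANDIDATES = [
    "cornm100.example", "livehelpl00service-login.example",
    "windowstearns.example", "amazonawsgarages.example",
    "www.example.org", "s3amazonbucket.example",
]

if __name__ == "__main__":
    hits = expand(SAMPLE_CANDIDATES, DOMAIN_SEARCH_STRINGS)
    for host, brands in hits.items():
        print(f"{host:40} imitates {brands or '-'}")
    # Tally of imitated names across the hits, the same view as the page's word cloud.
    print(Counter(b for bs in hits.values() for b in bs))
```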
To determine if other chat apps and their users could be potential targets of similar threats, we obtained a list of the top 10 chat apps in 2022. We limited our investigation to domains using Domains & Subdomains Discovery and used the strings in the table below.
CHAT APP | STRING USED |
---|---|
Slack | slack + chat |
Microsoft Teams | microsoft + teams |
Twist | twist + chat |
Ryver | ryver + chat |
Discord | discord + chat |
Google Chat | google + chat |
Chanty | chanty + chat |
Rocket.Chat | rocket.chat |
RingCentral Video | ringcentral + video |
Flock | flock + chat |
Note that our search didn’t turn up any domain containing chanty + chat but it still led to the discovery of 660 domains. Here’s a breakdown of the total domain volume by chat app.
The results aren’t surprising, given that Microsoft Teams has the biggest user base—270 million worldwide. Take a look at the available user base data for three of the top apps compared with their domain distribution volumes.
A bulk WHOIS lookup for the additional domains allowed us to identify which ones belonged to the legitimate companies whose brands appeared in them. Our results, though, were limited to the entities with publicly available WHOIS registrant details—Slack, Microsoft Teams, Google Chat, and RingCentral Video. Here’s a chart showing the comparison results.