Malware Installed in Update Mechanism Enabled Data Exfiltration
Attackers implanted malware into Click Studios' Passwordstate password manager upgrade process, potentially exposing the product's 29,000 customers to exfiltration of passwords and other data, the company reports.
In an incident management advisory issued Saturday, Australia-based Click Studios says any customer who performed an “in-place upgrade” for its password manager software between 8:33 p.m. UTC April 20 and 12:30 a.m. UTC April 22 may have downloaded the malware. The company, however, says those who upgraded outside this time frame should be safe from malware infection.
“Affected customers’ password records may have been harvested,” the company says.
The infiltration of malware into software updates is an ongoing threat. For example, the SolarWinds supply chain attack involved attackers inserting a Trojan into an update of the Orion network monitoring tool.
Click Studios did not respond to a request for additional information, but it says it will provide updates.
The malware installed in Click Studios' upgrade director, if downloaded, could harvest an account's username and password along with the computer name, the user's name, the domain name, the current process name and ID, the names and IDs of all running processes, the names, display names and status of all running services, and the Passwordstate instance's proxy server address, the company says.
In addition, the title, username, description, genericfield1, genericfield2, genericfield3, notes, URL and password columns of the Passwordstate instance's password table may have been compromised by the malware, unless the customer had chosen to encrypt the generic fields, the company says.
Click Studios says the attack vector is not known, although it says the attackers apparently did not take advantage of weak or stolen credentials.
“At this stage, the number of affected customers appears to be very low. However, this may change as more customers supply the requested information,” the company says.
Click Studios has about 29,000 customers, and its software is used by about 370,000 security and IT professionals worldwide.
The company did not say when attackers installed the malware in the Passwordstate upgrade director. But it says it took its first action in response to the attack on April 21 when it implemented its incident management plan and began an investigation. Once the company confirmed the malware infection, it informed its customers by email the following day, Click Studios says.
The Malicious ZIP File
When accessed by a user, the upgrade director points the “in-place upgrade” to the appropriate software version located on Click Studios’ content distribution network. Anyone who accessed the upgrade system during the 28 hours between when the malware was put in place and when it was removed may have downloaded the malicious Passwordstate_upgrade.zip, the company says.
This .zip file contained a modified moserware.secretsplitter.dll, 65KB in size. Once loaded, the DLL downloaded a second file, upgrade_service_upgrade.zip, from the attackers' CDN, started a new background thread, loaded the contents of that zip as a .NET assembly held only in memory (never written to disk) and began executing it, Click Studios says.
“The process extracted information about the computer system and selected Passwordstate data, which was then posted to the bad actors’ CDN network,” the company says.
Click Studios advises its customers to check their systems for signs that the malicious .zip file was downloaded. If a 65KB moserware.secretsplitter.dll is present in the c:\inetpub\passwordstate\bin directory, the system is likely infected, Click Studios reports.
If this file is found, Click Studios advises the customer to take the following steps:
- Download the advised hotfix file;
- Use PowerShell to confirm the checksum of the hotfix file matches the details supplied;
- Stop the Passwordstate service and Internet Information Services (IIS);
- Extract the hotfix to the specified folder;
- Restart the Passwordstate service and IIS.
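The check for the 65KB DLL and the five hotfix steps above can be scripted so that the hotfix is never unpacked unless its checksum matches the vendor's published value. The following PowerShell is an added example written for this article; it is not Click Studios' own tooling. It assumes the default install path c:\inetpub\passwordstate, a Windows service named "Passwordstate Service", that the vendor's published checksum is SHA-256, and that the hotfix unpacks into the bin folder; none of those specifics are stated on the page, so adjust them to the advisory you received.

```powershell
# Added example, not Click Studios' code: detect the indicator from the advisory
# (a 65KB moserware.secretsplitter.dll in the bin folder), preserve evidence, then
# apply the hotfix only if its checksum matches the published value.
# Assumptions (not on the page): install path, service name, SHA-256 checksum,
# and that the hotfix is extracted into the bin folder.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$InstallDir     = 'C:\inetpub\passwordstate',
    [string]$ServiceName    = 'Passwordstate Service',   # assumed service name
    [string]$HotfixZip,                                  # downloaded hotfix file
    [string]$ExpectedSha256                              # hash supplied with the hotfix
)

$dll = Join-Path $InstallDir 'bin\moserware.secretsplitter.dll'

# Step 1: indicator check. Record size, hash and timestamp for the IR record.
if (-not (Test-Path $dll)) {
    Write-Host "No moserware.secretsplitter.dll under $InstallDir\bin; nothing to check."
    return
}
$item   = Get-Item $dll
$sizeKB = [math]::Round($item.Length / 1KB)
$hash   = (Get-FileHash -Algorithm SHA256 -Path $dll).Hash
Write-Host ("{0}: {1} KB, SHA256 {2}, modified {3:u}" -f $dll, $sizeKB, $hash, $item.LastWriteTimeUtc)

# The advisory's indicator is a 65KB copy of the DLL; allow a little rounding slack.
if ($sizeKB -lt 64 -or $sizeKB -gt 66) {
    Write-Host 'DLL size does not match the advisory indicator; host is probably not affected.'
    return
}
Write-Warning 'Indicator matched: treat the host as compromised and all stored passwords as harvested.'

# Preserve the suspect DLL and a process snapshot before anything is overwritten.
$evidence = Join-Path $env:TEMP ('passwordstate-ioc-' + (Get-Date -Format 'yyyyMMddHHmmss'))
New-Item -ItemType Directory -Path $evidence | Out-Null
Copy-Item -Path $dll -Destination $evidence
Get-Process | Select-Object Id, ProcessName, Path |
    Export-Csv -Path (Join-Path $evidence 'processes.csv') -NoTypeInformation

if (-not $HotfixZip -or -not $ExpectedSha256) {
    Write-Host "Evidence saved to $evidence. Re-run with -HotfixZip and -ExpectedSha256 to remediate."
    return
}

# Step 2: refuse to unpack a hotfix whose checksum differs from the published one.
$actual = (Get-FileHash -Algorithm SHA256 -Path $HotfixZip).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "Hotfix checksum mismatch: expected $ExpectedSha256, got $actual. Aborting."
}

# Steps 3 to 5: stop the Passwordstate service and IIS, extract, restart.
Stop-Service -Name $ServiceName -Force
Stop-Service -Name W3SVC -Force          # IIS World Wide Web Publishing Service
Expand-Archive -Path $HotfixZip -DestinationPath (Join-Path $InstallDir 'bin') -Force
Start-Service -Name W3SVC
Start-Service -Name $ServiceName
Write-Host "Hotfix applied. Evidence kept in $evidence. Now reset every credential stored in Passwordstate."
```

Run it once without parameters to get a verdict and an evidence folder, then again with -HotfixZip and -ExpectedSha256 to remediate. The checksum gate matters here precisely because the attack worked by tampering with what the upgrade path delivered: a hotfix fetched over the same channel should be trusted only after it matches the hash published out of band.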
Once these steps are complete, Passwordstate users must reset all passwords contained within the tool as these may have been posted to the attackers’ CDN network, the company says.