Phishing Campaign Impersonates Click Studios to Deliver New Moserpass Malware Variant

Last week, Click Studios alerted users of the Passwordstate enterprise password manager about a supply chain attack in which hackers successfully compromised the In-Place Upgrade mechanism of the app, which allowed the attackers to perform malicious upgrades between April 20 and April 22, 2021.

During that 28-hour window, customers performing the upgrade may have downloaded a malformed Passwordstate_upgrade.zip file sourced from a server not under the control of Click Studios. Only customers who performed the In-Place Upgrade between April 20 and April 22 were affected. The servers used by the attackers were taken down at 7:00 UTC on April 22.

The malicious file – dubbed Moserpass – allowed the attackers to exfiltrate information about the computer system and selected Passwordstate data, after which the malware went dormant for a day before harvesting and exfiltrating data again. Basic loader code was also included which allowed additional payloads to be downloaded from the attacker’s command and control server. Passwordstate data potentially exfiltrated included the following data fields: Title, UserName, Description, GenericField1, GenericField2, GenericField3, Notes, URL, and Password.

Passwordstate is an on-premises enterprise password manager used by more than 29,000 companies worldwide, including many Fortune 500 firms. Since passwords may have been compromised, affected customers have been advised to reset all passwords in their password database and to prioritize passwords for internet-exposed systems, followed by internal infrastructure, then all other credentials.
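The rotation order above (internet-exposed systems first, then internal infrastructure, then everything else) can be applied mechanically to an exported credential list. The script below is an added example, not Click Studios code; it assumes an export in which each entry carries the field names the advisory lists (Title, UserName, URL) and classifies each entry by the host in its URL field. The sample entries are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample export. The field names are those the advisory lists as
# potentially exfiltrated; the values are made up for this example.
SAMPLE_ENTRIES = [
    {"Title": "Customer portal", "UserName": "svc_portal", "URL": "https://portal.example.com/login"},
    {"Title": "Core switch", "UserName": "admin", "URL": "https://10.20.0.1"},
    {"Title": "Build server", "UserName": "jenkins", "URL": "http://build.corp.local:8080"},
    {"Title": "Wi-Fi PSK", "UserName": "", "URL": ""},
    {"Title": "SaaS billing", "UserName": "finance@example.com", "URL": "https://billing.example.net"},
]

# Hostname suffixes treated as internal (assumed convention; adjust to your estate).
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp", ".home.arpa")


def classify(entry):
    """Return 1 for internet-exposed, 2 for internal infrastructure, 3 for everything else."""
    url = (entry.get("URL") or "").strip()
    if not url:
        return 3
    if "://" not in url:
        url = "https://" + url  # tolerate bare hostnames in the URL field
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return 3
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # RFC 1918, loopback and link-local addresses are reachable only from inside.
        return 2 if (ip.is_private or ip.is_loopback or ip.is_link_local) else 1
    if "." not in host or host.endswith(INTERNAL_SUFFIXES):
        return 2  # single-label or internal-suffix hostnames
    return 1  # resolvable public name: assume internet-exposed


def rotation_plan(entries):
    """Return entry titles in the order their passwords should be rotated."""
    ranked = sorted(entries, key=lambda e: (classify(e), e.get("Title", "")))
    return [e["Title"] for e in ranked]


if __name__ == "__main__":
    for position, title in enumerate(rotation_plan(SAMPLE_ENTRIES), start=1):
        print(position, title)
```

Entries with no URL fall into the last bucket, so anything that cannot be placed automatically still gets rotated rather than silently dropped; a public hostname is assumed exposed unless proven otherwise, which errs toward rotating sooner.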

Click Studios has now issued another advisory about an ongoing phishing campaign that uses phishing templates created from copies of official Click Studios email communications about the supply chain attack, which had been shared on social media networks by Click Studios customers. The phishing emails try to get the recipient to install a fake hotfix to remove the Moserpass malware, but the hotfix will actually install an updated version of Moserpass from a CDN not under the control of Click Studios.
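Because the lure emails copy the vendor's own wording, the only reliable signal is where the download links actually point. The following script is an added example (not Click Studios code) that extracts every link from a message body and flags those whose host is not a trusted vendor domain; the trusted domain `vendor.example` and the sample message are placeholders constructed for the example and must be replaced with the independently confirmed vendor names.

```python
import re
from urllib.parse import urlsplit

# Assumed trusted domains for this example; substitute the real, independently
# confirmed vendor and CDN names before use.
TRUSTED_DOMAINS = ("vendor.example",)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message: one genuine link and two lookalike download links.
SAMPLE_EMAIL = (
    "Please read the release notes at https://downloads.vendor.example/notes.\n"
    "Apply the hotfix from https://vendor.example.cdn-hotfix.example/hotfix.zip\n"
    "or the mirror https://vendor.example@cdn-hotfix.example/hotfix.zip today."
)


def host_is_trusted(url):
    """True only if the URL's host is a trusted domain or a subdomain of one."""
    # urlsplit().hostname strips userinfo, so "https://vendor.example@evil" yields "evil".
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return False
    # Exact match or dot-delimited suffix; plain endswith() would accept
    # "vendor.example.cdn-hotfix.example" and "notvendor.example".
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def untrusted_links(email_body):
    """Return the URLs in the message whose host is not a trusted vendor domain."""
    links = [u.rstrip(".,;:)") for u in URL_RE.findall(email_body)]
    return [u for u in links if not host_is_trusted(u)]


if __name__ == "__main__":
    for link in untrusted_links(SAMPLE_EMAIL):
        print("untrusted download link:", link)
```

The two traps the sample covers are the trusted name used as a leading subdomain of an attacker host and the trusted name placed in the userinfo part before `@`; both render convincingly in a mail client but resolve to the attacker's host. Any flagged link is grounds to forward the message to the vendor's support for verification rather than to run the attached "hotfix".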

All customers have been advised to exercise caution and, if there is any doubt as to the authenticity of any email communication about Passwordstate, to forward the email to Technical Support for verification.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news