"Passwordstate" Password Manager Compromised: Delivered Malware Disguised As An Update To Customers
Earlier this week the Australian software company Click Studios, developer of the Passwordstate enterprise password manager, was hit by a supply chain attack. Passwordstate is an on-premises password management solution used by over 370,000 security and IT professionals at 29,000 companies worldwide. After breaching Click Studios' networks, the attackers compromised the application's update mechanism to deliver malware to customers. Once deployed on a customer's system, the malware collects system information and Passwordstate data and sends it to the attackers' C&C servers. The attack was observed between 20 April 2021 8:33 pm UTC and 22 April 2021 00:30 am UTC.
The first-stage payloads were uploaded to VirusTotal here and here; at the time this post was shared, none of the 68 tracked endpoint protection programs detected the malware. This clearly backs up the recently demonstrated failure of the traditional signature-based endpoint security model.
HOW THE MALWARE WORKS
The software's update mechanism was used to drop a malicious update as a zip file, "Passwordstate_upgrade.zip", containing a rogue DLL, "moserware.secretsplitter.dll", with a size of 65kb. This DLL then downloads an additional file, upgrade_service_upgrade.zip, from the bad actor's CDN network, starts a new background thread, converts upgrade_service_upgrade.zip into a .NET assembly held in memory, and begins processing. That process extracts information about the computer system and selected Passwordstate data and posts it to the bad actor's CDN network.
The data sent back to the attackers' CDN network included: Computer Name, User Name, Domain Name, Current Process Name, Current Process Id, the name and ID of every running process, the name, display name and status of every running service, and the Passwordstate instance's Proxy Server Address, Username and Password. The malware therefore puts at risk passwords for email and website accounts as well as passwords for internal infrastructure such as firewalls, VPNs, switches, storage systems, routers, network gateways, local accounts, and others. Customers have been advised to check the file size of moserware.secretsplitter.dll in their c:\inetpub\passwordstate\bin\ directory: if the file is 65kb in size, they are likely to have been affected. The loader code tries to retrieve the archive at https://passwordstate-18ed2.kxcdn[.]com/upgrade_service_upgrade.zip so it can pull an encrypted second-stage payload. Once decrypted, that code is executed directly in memory.
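As an added triage aid (not Click Studios' own tooling), the PowerShell below checks the indicator the advisory describes, the size of moserware.secretsplitter.dll under the Passwordstate bin directory, prints its SHA256 for comparison with the vendor's IoC list, and looks in the local DNS cache for the CDN host named above. It assumes the default install path from the advisory and a Windows Server with the DnsClient module; the ~65 KB threshold is the one stated on this page, and no hash value is asserted here.

```powershell
# Added triage script (not Click Studios' own tooling). Assumes the default
# Passwordstate install path from the advisory; adjust $BinDir if different.
param(
    [string]$BinDir = 'C:\inetpub\passwordstate\bin'
)

$dllPath = Join-Path $BinDir 'moserware.secretsplitter.dll'
$cdnHost = 'passwordstate-18ed2.kxcdn.com'   # second-stage host named in the advisory

if (-not (Test-Path $dllPath)) {
    Write-Output "NOT FOUND: $dllPath (check the install directory)"
    return
}

$dll    = Get-Item $dllPath
$sizeKB = [math]::Round($dll.Length / 1KB, 1)
$hash   = (Get-FileHash -Path $dllPath -Algorithm SHA256).Hash

Write-Output "File     : $dllPath"
Write-Output "Size     : $sizeKB KB ($($dll.Length) bytes)"
Write-Output "Modified : $($dll.LastWriteTimeUtc.ToString('u'))"
Write-Output "SHA256   : $hash   (compare with the vendor's published IoCs)"

# The advisory says a ~65 KB copy of this DLL indicates the rogue build.
if ($dll.Length -ge 64KB -and $dll.Length -le 66KB) {
    Write-Warning "Size matches the rogue loader described by Click Studios; treat this host as likely affected."
} else {
    Write-Output "Size does not match the ~65 KB indicator (this alone does not prove a clean host)."
}

# A cached lookup of the attacker CDN host means something on this box resolved it.
# Get-DnsClientCache is from the DnsClient module (Windows Server 2012+ assumed).
$dns = Get-DnsClientCache -ErrorAction SilentlyContinue |
       Where-Object { $_.Entry -like "*$cdnHost*" -or $_.Name -like "*$cdnHost*" }
if ($dns) {
    Write-Warning "DNS cache contains $cdnHost; review outbound traffic from the IIS worker process."
} else {
    Write-Output "No cached DNS entry for $cdnHost (the cache is volatile, so absence is not conclusive)."
}
```

Run it in an elevated PowerShell session on the Passwordstate server; a size match or a cached lookup of the CDN host is a signal to follow the vendor's hotfix and password-reset guidance, not a replacement for it.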
Clearly, the severity of supply chain attacks has heightened in the past few months. Click Studios advises its customers to:
- Download the hotfix
- Follow the instructions sent via email
- RESET ALL THE PASSWORDS associated with the software, along with email and website accounts and passwords for internal infrastructure such as firewalls, VPNs, switches, storage systems, routers, network gateways, local accounts, and others.
- Kindly refer to the IoCs mentioned here.
If you think your organization’s security has been compromised, please reach out to us at [email protected] for a complete cyber risk assessment.