23/04/2021 20:18:42

Supply chain attack on the password manager Clickstudios - PASSWORDSTATE

The company ClickStudios recently notified their customers about a breach resulting in a supply chain attack conducted via an update of the password manager PASSWORDSTATE.

ClickStudios mentioned a breach between the 20th of April 2021 8:33 PM UTC and 22nd of April 2021 00.30am UTC. The update mechanism was used to drop a malicious update via a zip file “Passwordstate_upgrade.zip” containing a rogue dll “moserware.secretsplitter.dll”. The company mentions that the C&C of the rogue dll was using a CDN (Content Delivery Network) that was terminated on the 22nd of April 2021 7:00am UTC.

CSIS Security Group researchers discovered one of the rogue dll's during an investigation. We will try to share the IoC's that we have discovered in order for companies to determine if they have been impacted by this attack. We have dubbed this incident/malware "Moserpass".

The rogue dll that we discovered was the dll named "Moserware.SecretSplitter.dll" that was injected/modified with a malicious code snippet. A small code “Loader” was added to the original dll:

The malicious code tries to contact the following URL:
- in order to retrieve an encrypted code using method "Container.Get()", AES (Advanced Encryption Standard) decrypt it using the password: f4f15dddc3ba10dd443493a2a8a526b0, and then pass it to the Loader Class(). Once decrypted, the code is executed directly in memory.

At the time of writing, the C&C is down, and unfortunately we didn’t manage to retrieve the 2nd stage payload.

ClickStudios mentioned more than 29000 prestigious customers worldwide. We assume this attack could potentially have impacted a large number of these customers.

As recommended by ClickStudios, if you are using Passwordstate, please reset all the stored passwords, and especially VPNs, Firewall, Switches, local accounts or any server passwords etc.

We have located two differerent samples, but we expect that more variants with different C&Cs, are being used.

Malicious dll:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36


In fact the complete URL would be something like:
https://passwordstate-18ed2.kxcdn[.]com/upgrade_service_upgrade.zip?id=132636829278221866 where the value "132636829278221866" is the actual UTC time. The value here is equal to: GMT: Friday, April 23, 2021 8:22:07 PM.

Additional C&Cs:

Update from Clickstudios (links to PDF):