Passwordstate hackers phish for more victims with updated malware

Click Studios, the software company behind the Passwordstate enterprise password manager, is warning customers of ongoing phishing attacks targeting them with updated Moserpass malware.

Last week, the company notified its users that attackers successfully compromised the password manager's update mechanism to deliver info-stealing malware known as Moserpass to a yet undisclosed number of customers between April 20 and April 22.

Click Studios published a second advisory on Sunday, saying that "only customers that performed In-Place Upgrades between the times stated above are believed to be affected and may have had their Passwordstate password records harvested."

Phishing messages copy Click Studios emails shared on social media

Since then, Click Studios has been assisting potentially impacted customers over email, providing them with a hotfix designed to help them remove the malware from their systems.

However, as revealed today in a new advisory, emails received from Click Studios were shared by customers on social media, allowing unknown threat actors to create phishing emails that match the company's correspondence and push a new Moserpass variant.

"It is expected the bad actor is actively monitoring social media for information on the compromise and exploit," Click Studios said today.

"It is important customers do not post information on Social Media that can be used by the bad actor. This has happened with phishing emails being sent that replicate Click Studios email content."

The ongoing phishing attack attempting to infect more Passwordstate customers with the Moserpass data theft malware has reportedly only targeted a small number of customers.

The company now asks those receiving suspicious emails "to stay vigilant and ensure the validity of any email" they receive.

"If you are unsure if an email is from us, send it to Technical Support as an attachment, for confirmation," Click Studios added.

The phishing attack is requesting customers to download a modified hotfix Moserware.zip file, from a CDN Network not controlled by Click Studios, that now appears to have been taken down. Initial analysis indicates this has a newly modified version of the malformed Moserware.SecretSplitter.dll, that on loading then attempts to use an alternate site to obtain the payload file. We are still analysing this payload file. — Click Studios

Customers urged to reset all stored passwords

The Moserpass malware is designed to collect and exfiltrate both system information and password data extracted from Passwordstate's database, including:

  • Computer Name, User Name, Domain Name, Current Process Name, Current Process Id, All running Processes name and ID, All running services name, display name and status, Passwordstate instance’s Proxy Server Address, Username and Password
  • Title, UserName, Description, GenericField1, GenericField2, GenericField3, Notes, URL, Password

Click Studios advised Passwordstate customers who have upgraded their clients during the breach to reset all passwords stored in their database.

Passwordstate is an on-premises password manager used by more than 370,000 IT professionals working at 29,000 companies worldwide, according to its developer.

Click Studios' software is used by companies from an extensive array of industry verticals (many of them in the Fortune 500 rankings), including government, defense, aerospace, finance, healthcare, automotive, legal, and media.
