Passwordstate is a popular password manager used by people who work online and hold accounts across many different platforms: webmail, social media, job sites, corporate network logins and sometimes private groups on the internet, such as forums built around our hobbies. We use password managers to secure our passwords efficiently and, above all, to have the app remember our different usernames and passwords. Using distinct usernames and complex passwords across many websites is hard for people who don’t use any password manager software; when they try, they tend to write the credentials down somewhere such as a notepad, stored in clear text. From a cyber-security point of view this is far from ideal, because clear-text credentials are vulnerable to sniffing attacks.
Recently an attack by threat actors against the Passwordstate password manager came to light. This is the last thing people want to hear: software that promises banking-level encryption and security was suddenly hijacked. The app is Australian-made software developed by Click Studios, based in Adelaide. The attackers used advanced and stealthy methods to compromise the software’s update function and used it to insert malware, eventually dropping it on users’ computers. According to Click Studios, the compromise lasted almost twenty-eight hours, starting on April 20 and ending on April 22. The affected customers are those who performed an in-place upgrade over the top of the previous app version. Those who did a manual upgrade, uninstalling and reinstalling using the installer, were not affected.
DLL Tampering to hack Passwordstate
Inserting malware through updates was a surprise the company did not expect. According to a security firm based in Denmark, the malware-infected update came in the form of a ZIP file, “Passwordstate_upgrade.zip”; once unpacked, a modified DLL file called “moserware.secretsplitter.dll” is extracted. This file contacts a remote server to download a second-stage payload (“upgrade_service_upgrade.zip”) that exfiltrates Passwordstate data and sends the information back to the threat actor’s CDN network.
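The defensive control this attack chain calls for is verifying an update package against publisher-supplied hashes before it is applied, so that a swapped DLL such as the one named above is caught before it ever runs. The following is an added example written for this article, not code from Click Studios or Passwordstate; the manifest format, the sample package contents and the extra member name `updater_helper.dll` are constructed for illustration and are not the vendor’s real files or hashes.

```python
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(zip_bytes: bytes) -> dict:
    """Hash every member of a known-good package (what a vendor would publish)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: sha256_hex(zf.read(n)) for n in zf.namelist()
                if not n.endswith("/")}


def verify_upgrade_zip(zip_bytes: bytes, manifest: dict) -> dict:
    """Compare a downloaded package against the manifest and report members
    whose hash differs, members not listed at all, and listed ones missing."""
    findings = {"mismatched": [], "unexpected": [], "missing": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        present = {n for n in zf.namelist() if not n.endswith("/")}
        for name in sorted(present):
            expected = manifest.get(name)
            if expected is None:
                findings["unexpected"].append(name)
            elif sha256_hex(zf.read(name)) != expected:
                findings["mismatched"].append(name)
    findings["missing"] = sorted(set(manifest) - present)
    return findings


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample packages: a clean build, and one where the DLL named in
# the article is replaced and an extra file appears. Not real vendor files.
CLEAN = make_zip({"moserware.secretsplitter.dll": b"MZ clean-build",
                  "passwordstate.dll": b"MZ app"})
TAMPERED = make_zip({"moserware.secretsplitter.dll": b"MZ modified-build",
                     "passwordstate.dll": b"MZ app",
                     "updater_helper.dll": b"MZ extra"})
MANIFEST = build_manifest(CLEAN)
```

Any non-empty `mismatched` or `unexpected` list is a reason to stop the upgrade and contact the vendor rather than install; the same check can be run against an already-installed directory by hashing files on disk instead of ZIP members.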
The compromised information included users’ usernames and passwords as well as other technical details, primarily the victim’s computer name, current process ID, and the names and IDs of all running processes.
Click Studios released a hotfix that helps customers remove the adversary’s tampered DLL and overwrite it with the correct version, mitigating the incident.
iZOOlogic is currently investigating whether the extracted data is for sale or has been dumped on the Dark Web. Our Dark Web monitoring services collect compromised information to help individuals and organizations avoid further compromise from attacks that might originate from such breaches.