Click Studios, the Australian software firm which confirmed a supply chain attack affecting its Passwordstate password management application, has warned customers of an ongoing phishing attack by an unknown threat actor.
In an updated advisory, the company stated that a threat actor has begun a phishing campaign: a small number of customers have received emails requesting urgent action. These emails were not sent by Click Studios.
Last week, Click Studios said attackers had used sophisticated techniques to compromise Passwordstate’s update mechanism, using it to deliver malware to customer systems. Only customers who performed In-Place Upgrades between April 20, 8:33 PM UTC, and April 22, 0:30 AM UTC were affected.
The Adelaide-based firm serves about 29,000 customers, but only a small number were affected. It is urging customers not to post its correspondence on social media, stating that the actor behind the breach is actively monitoring such platforms for information about the attack in order to exploit it.
The original attack was delivered through a trojanized Passwordstate update file containing a modified DLL (“Moserware.SecretSplitter.dll”). When loaded, the DLL retrieved a second-stage payload from a remote server, which was then used to collect sensitive information from compromised systems.
As a countermeasure, Click Studios released a hotfix package named “Moserware.zip” to help customers remove the tampered DLL, and recommended that all affected users reset the passwords stored in the password manager.
The latest phishing attack involves crafting seemingly legitimate email messages that “replicate Click Studios email content” in order to push a new variant of the malware.
The company said the phishing emails ask customers to download a modified Moserware.zip hotfix file from a CDN network not controlled by Click Studios; that download location has since been taken down.
Initial analysis indicates that this file contains a newly modified version of the malformed Moserware.SecretSplitter.dll which, on loading, attempts to retrieve the payload from an alternate site. Only the Moserware.zip obtained directly from Click Studios should be used, and its contents should be compared against the values the vendor publishes before it is applied.
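The two checks implied by the advisory, that the hotfix link points at the vendor rather than a third-party CDN and that the archive holds exactly the files the vendor published with the hashes the vendor published, can be scripted before anything is extracted. The following is an added example and not Click Studios code. It assumes a vendor host allow-list (clickstudios.com.au is the vendor's public domain; confirm against the advisory) and an expected-hash table that would normally be copied from the advisory; here the hashes are computed from constructed stand-in bytes so the script runs offline, and the archives are likewise constructed, not real samples.

```python
"""Added example (not Click Studios code): vet a Moserware.zip hotfix before extracting it.

Assumptions not taken from the article: VENDOR_HOSTS, and the EXPECTED hash table, which
in practice would be copied from the vendor advisory. All file contents below are
constructed stand-ins so the example runs offline.
"""
import hashlib
import io
import zipfile
from urllib.parse import urlparse

# Assumed vendor hosts; verify against the advisory before relying on them.
VENDOR_HOSTS = {"www.clickstudios.com.au", "clickstudios.com.au"}


def link_is_vendor(url: str, allowed_hosts=VENDOR_HOSTS) -> bool:
    """True only for an https link whose host is on the allow-list (rejects third-party CDNs)."""
    p = urlparse(url)
    return p.scheme == "https" and (p.hostname or "").lower() in allowed_hosts


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_hotfix(zip_bytes: bytes, expected: dict) -> dict:
    """Compare every archive member against an expected {name: sha256} table.

    'ok' is True only when every expected file is present with the right hash and the
    archive carries nothing else. Names are compared case-insensitively because Windows
    resolves the DLL regardless of case.
    """
    report = {"ok": True, "mismatch": [], "unexpected": [], "missing": []}
    wanted = {k.lower(): v for k, v in expected.items()}
    seen = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            seen.add(name)
            digest = sha256_hex(zf.read(info))
            if name not in wanted:
                report["unexpected"].append(info.filename)   # extra file = not the vendor's package
            elif digest != wanted[name]:
                report["mismatch"].append((info.filename, digest))  # tampered member
    report["missing"] = sorted(set(wanted) - seen)
    report["ok"] = not (report["mismatch"] or report["unexpected"] or report["missing"])
    return report


# --- constructed sample data (stand-ins, not real file contents) ---
GOOD_DLL = b"MZ stand-in for the vendor's Moserware.SecretSplitter.dll"
TAMPERED_DLL = b"MZ stand-in for a modified DLL that fetches a second stage"
EXPECTED = {"Moserware.SecretSplitter.dll": sha256_hex(GOOD_DLL)}  # would come from the advisory


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (used only to construct the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


GENUINE_ZIP = build_zip({"Moserware.SecretSplitter.dll": GOOD_DLL})
PHISHED_ZIP = build_zip({"Moserware.SecretSplitter.dll": TAMPERED_DLL, "upgrade.exe": b"extra"})

if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE_ZIP), ("phished", PHISHED_ZIP)):
        print(label, verify_hotfix(blob, EXPECTED))
    # Hypothetical URLs: one on the vendor host, one on an unrelated CDN.
    print(link_is_vendor("https://www.clickstudios.com.au/downloads/Moserware.zip"))
    print(link_is_vendor("https://cdn.example.net/Moserware.zip"))
```

The report distinguishes a tampered member from an extra one so that an operator can tell a re-packaged hotfix (wrong hash on the expected DLL) from a bundle that smuggles in an additional file; either condition is enough to refuse the archive. The link check deliberately rejects plain http even on the vendor host, since an unauthenticated download channel defeats the hash comparison's purpose.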