Click Studios, an Australia-based software development firm, has reported a new phishing campaign targeting its users following a recent supply chain attack affecting its Passwordstate password management application. This latest incident has raised alarms among customers and prompted the company to warn about deceptive emails that purport to come from Click Studios and urge recipients to act immediately. The firm confirms these messages are not authorized communications.
In an advisory released on Wednesday, Click Studios stated, “We have been informed that a malicious actor has initiated a phishing attack, with several customers receiving emails requesting urgent responses.” The company emphasized that the correspondence is not from their official channel.
Click Studios had previously acknowledged that attackers used sophisticated techniques to compromise the update mechanism of Passwordstate, leading to the deployment of malware on user machines. The company stated that only customers who performed In-Place Upgrades between April 20 at 8:33 PM UTC and April 22 at 0:30 AM UTC are believed to be affected by the earlier breach.
Although Passwordstate serves approximately 29,000 users, Click Studios maintains that the number of impacted customers remains low. Moreover, the firm urges users not to disseminate any company-related communications over social media, citing concerns that the actors behind the breach are actively monitoring these platforms to gather information that could facilitate further intrusions.
In the original attack, a trojanized Passwordstate update file incorporated a modified dynamic link library (DLL), specifically “moserware.secretsplitter.dll.” This malicious file was designed to fetch a second-stage payload from a remote server with the intent of siphoning sensitive information from the compromised devices. In response, Click Studios released an urgent hotfix package named “Moserware.zip,” which customers must use to remove the compromised DLL, and prompted them to reset all stored passwords.
The new phishing attempts have heightened concerns as attackers craft seemingly legitimate emails mirroring Click Studios’ authentic communications, directly influenced by messages shared by customers on various social media platforms. The phishing campaign specifically instructs users to download a modified Moserware.zip file from a non-Click Studios CDN, which has reportedly been taken down. Initial assessments suggest this file contains a new variant of the previously compromised DLL, which, once executed, attempts to retrieve the payload file from an alternate site.
This incident underscores the ongoing threat of supply chain attacks. The Passwordstate compromise is another prominent case of adversaries using sophisticated strategies against third-party software to gain access to sensitive networks within government and corporate domains. MITRE ATT&CK tactics such as initial access, persistence, and privilege escalation are potentially applicable for understanding the techniques leveraged in this attack.