Article 5H072 Backdoored password manager stole data from as many as 29K enterprises

Backdoored password manager stole data from as many as 29K enterprises

by
Dan Goodin
from Ars Technica - All content on (#5H072)
password-800x600.jpeg

Enlarge (credit: Getty Images)

As many as 29,000 users of the Passwordstate password manager downloaded a malicious update that extracted data from the app and sent it to an attacker-controlled server, the app-maker told customers.

In an email, Passwordstate creator Click Studios told customers that bad actors compromised its upgrade mechanism and used it to install a malicious file on user computers. The file, named moserware.secretsplitter.dll," contained a legitimate copy of an app called SecretSplitter, along with malicious code named "Loader," according to a brief writeup from security firm CSIS Group.

moserware-secretsplitter-loader.png

(credit: CSIS Group)

The Loader code attempts to retrieve the file archive at https://passwordstate-18ed2.kxcdn[.]com/upgrade_service_upgrade.zip so it can retrieve an encrypted second-stage payload. Once decrypted, the code is executed directly in memory. The email from Click Studios said that the code extracts information about the computer system, and select Passwordstate data, which is then posted to the bad actors' CDN Network."

Read 8 remaining paragraphs | Comments

index?i=ocrLH3jwYmo:Mmc4kgoaVPk:V_sGLiPB index?i=ocrLH3jwYmo:Mmc4kgoaVPk:F7zBnMyn index?d=qj6IDK7rITs index?d=yIl2AUoC8zA
External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/
Reply 0 comments