Moserpass Malware

Moserpass Malware Description

Moserpass is a threatening new malware strain that has been detected by infosec researchers. The threat was observed as part of a new supply-chain attack. The threat actor responsible for the operation targeted the clients of the Passwordstate password manager. Click Studios, the developer of Passwordstate, stated that they have over 29,000 clients spread across multiple industry sectors, such as banking, education, manufacturing, retail, aerospace, healthcare, government and more.

Moserpass Malware Capabilities

The harmful payload spread through the attack was the previously unknown Moserpass Malware. The main functionality of the threat is to collect information from compromised systems. The harvested system data includes the computer name, username, current process ID and name, domain name, etc. In addition, the Moserpass Malware obtains data from several fields in the victim's Passwordstate account - username, password, title, notes, description, URL and data from specific 'generic fields.' All collected information is then exfiltrated to remote servers under the control of the threat actor. According to Click Studios, users who have enabled the option to encrypt that data are safe from the activities of the Moserpass malware.

Passwordstate Supply-Chain Attack Characteristics

If successful, supply-chain attacks allow threat actors to reach and infect a significant number of systems without having to breach each one individually. Instead, the hackers compromise the networks of the developer of a software product - Passwordstate in this case - and then inject their malware into the legitimate application. As a result, whenever users update the software, they also receive the threatening payload.

The Passwordstate attack is estimated to have lasted for approximately 28 hours. Any customer who initiated an update within that time frame has potentially been infected by the Moserpass malware. The hackers managed to compromise the In-Place Upgrade functionality of the password manager. Afterward, they managed to force the upgrade director hosted on Click Studios' website to send users to a corrupted Content Distribution Network (CDN) that carried the Moserpass malware instead of the developer's legitimate CDN.
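The redirection described above works because the updater trusts whatever download location the upgrade director hands it. The following added example (not Click Studios' code; the `key=value` director format, the `download_url` key and the `.example` hostnames are assumptions) shows the two checks a defender would want an updater to perform: the download host must be on an allowlist, and the package hash must match a value obtained out of band rather than from the same site as the director.

```python
import hashlib
from urllib.parse import urlparse

# Hypothetical allowlist of hosts the updater may fetch from (placeholder
# names; the real Passwordstate CDN hostnames are not given on this page).
TRUSTED_UPDATE_HOSTS = {"updates.vendor.example"}

def parse_director(text):
    """Parse a constructed 'upgrade director' response written as one
    key=value pair per line into a dict (assumed format, not the real one)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip()] = value.strip()
    return entries

def validate_update(director_text, package_bytes, pinned_sha256):
    """Return (ok, reason). Reject the update when the director points at a
    non-HTTPS URL or a host outside the allowlist, or when the package hash
    differs from the hash obtained out of band (e.g. a vendor advisory)."""
    director = parse_director(director_text)
    url = urlparse(director.get("download_url", ""))
    if url.scheme != "https":
        return False, "download_url is not https"
    host = url.hostname or ""
    if host not in TRUSTED_UPDATE_HOSTS:
        return False, f"download host {host!r} is not an allowed update host"
    digest = hashlib.sha256(package_bytes).hexdigest()
    if digest != pinned_sha256.lower():
        return False, "package hash does not match the pinned value"
    return True, "ok"

# Constructed samples: a legitimate director, and a tampered one that sends
# the updater to an unexpected CDN, as in the attack described above.
GOOD_PACKAGE = b"constructed legitimate upgrade package"
GOOD_HASH = hashlib.sha256(GOOD_PACKAGE).hexdigest()
GOOD_DIRECTOR = "version=9.0\ndownload_url=https://updates.vendor.example/upgrade.zip\n"
TAMPERED_DIRECTOR = "version=9.0\ndownload_url=https://cdn.unexpected.example/upgrade.zip\n"

if __name__ == "__main__":
    print(validate_update(GOOD_DIRECTOR, GOOD_PACKAGE, GOOD_HASH))
    print(validate_update(TAMPERED_DIRECTOR, GOOD_PACKAGE, GOOD_HASH))
    print(validate_update(GOOD_DIRECTOR, b"swapped payload", GOOD_HASH))
```

Note that the hash check only helps if the pinned value does not come from the same compromised source as the director; the host allowlist is what catches the CDN redirection on its own.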