Enlarge (credit: Getty Images)
email, Passwordstate creator Click Studios told customers that bad actors compromised its upgrade mechanism and used it to install a malicious file on user computers. The file, named “moserware.secretsplitter.dll,” contained a legitimate copy of an app called SecretSplitter, along with malicious code named “Loader,” according to a brief writeup from security firm CSIS Group.
(credit: CSIS Group)
The Loader code attempts to retrieve the file archive at https://passwordstate-18ed2.kxcdn[.]com/upgrade_service_upgrade.zip so it can retrieve an encrypted second-stage payload. Once decrypted, the code is executed directly in memory. The email from Click Studios said that the code “extracts information about the computer system, and select Passwordstate data, which is then posted to the bad actors’ CDN Network.”
Read 8 remaining paragraphs | Comments
