A new strain of malware called ZenRAT has emerged in the wild being distributed via fake Bitwarden password manager installation packages.
“The malware specifically targets Windows users and will redirect people using other servers to a benign web page,” enterprise security firm Proofpoint said in a white paper. “The malware is a modular Remote Access Trojan (RAT) with information theft capabilities.”
ZenRAT is hosted on fake websites that purport to be associated with Bitwarden, although it is unclear how traffic is directed to the domains. This type of malware has been spread via phishing attacks, malvertising, or SEO poisoning in the past.
The payload (Bitwarden-Installer-version-2023-7-1.exe), downloaded from crazygameis(.)com, is a trojanized version of the standard Bitwarden installation package that contains a malicious .NET executable (ApplicationRuntimeMonitor.exe).
A noteworthy aspect of the campaign is that users who end up visiting the deceptive website from non-Windows systems are redirected to a cloned opensource.com article published in March 2018 about “How to manage your passwords with Bitwarden, an alternative to LastPass”.
Additionally, Windows users who click on download links marked for Linux or macOS on the Downloads page are redirected to Bitwarden’s legitimate site, vault.bitwarden.com.
An analysis of the installer’s metadata reveals attempts by the threat actor to disguise the malware as Piriform’s Speccy, a free Windows utility for displaying hardware and software information.
The digital signature used to sign the executable is not only invalid, but also claims to be signed by Tim Kosse, a well-known German computer scientist known for developing the free cross-platform FTP software FileZilla.
ZenRAT, once started, collects details about the host, including CPU name, GPU name, OS version, browser credentials, and installed applications and security software, and sends them to a command-and-control (C2) server (185.186.72(.)14) operated by the threat actors.
“The client initiates communication with C2,” Proofpoint said. “Regardless of the command and additional data transmitted, the first packet is always 73 bytes.”
ZenRAT is also configured to transmit its logs to the server in plain text, which captures a series of system checks performed by the malware and the execution status of each module, indicating its use as an “extensible modular implant.”
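The two network traits described above (a client-initiated session whose first packet is always 73 bytes, and module logs sent back in plain text) can be turned into a simple triage check over captured sessions. The following is an added example written for this article, not code from Proofpoint's report; the session records are constructed, and the plaintext-log heuristic is an assumption, since the exact log format is not published. A 73-byte first packet on its own is weak evidence, so the check only flags a session when that trait is paired with a second one or with the reported C2 address.

```python
"""Added example (not from the Proofpoint report): flag captured sessions that
match the ZenRAT C2 traits described in the article. Session records below
are constructed; a real deployment would build them from a packet capture."""
from dataclasses import dataclass, field
from typing import Dict, List

# C2 address reported in the article, written un-defanged so it can be matched.
KNOWN_C2 = {"185.186.72.14"}
ZENRAT_FIRST_PACKET_LEN = 73   # "the first packet is always 73 bytes" (report)


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    client_payloads: List[bytes] = field(default_factory=list)  # in order sent


def looks_like_plaintext_log(payload: bytes) -> bool:
    """Heuristic (assumption): mostly printable ASCII with log-like status words.
    The real ZenRAT log format is not public, so tune this against samples."""
    if not payload:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    if printable / len(payload) < 0.9:
        return False
    text = payload.decode("ascii", errors="ignore").lower()
    return any(w in text for w in ("check", "module", "success", "fail"))


def score_session(s: Session) -> Dict[str, bool]:
    """Return the indicator hits for one session. Only client-sent packets are
    examined, which matches the report's note that the client initiates C2."""
    hits: Dict[str, bool] = {}
    if s.dst in KNOWN_C2:
        hits["known_c2"] = True
    if s.client_payloads and len(s.client_payloads[0]) == ZENRAT_FIRST_PACKET_LEN:
        hits["first_packet_73"] = True
    if any(looks_like_plaintext_log(p) for p in s.client_payloads[1:]):
        hits["plaintext_log"] = True
    return hits


def is_suspicious(s: Session) -> bool:
    """Known C2 is enough on its own; otherwise require two independent traits,
    because a 73-byte first packet alone will occur in benign traffic."""
    hits = score_session(s)
    return "known_c2" in hits or len(hits) >= 2


# Constructed sample sessions (not real captures).
SAMPLE_SESSIONS = [
    # 73-byte beacon to the reported C2, followed by a plaintext module log
    Session("10.0.0.5", "185.186.72.14", 8080,
            [b"\x00" * 73, b"check antivirus: none\nmodule browser: success\n"]),
    # ordinary HTTP request to an unrelated host: no traits at all
    Session("10.0.0.7", "93.184.216.34", 80,
            [b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nAccept: */*\r\n\r\n"]),
    # 73-byte first packet to an unknown host, binary follow-up: one trait only
    Session("10.0.0.9", "203.0.113.40", 443,
            [b"\x16\x03" + b"\x00" * 71, b"\x17\x03\x03" + bytes(range(60))]),
    # 73-byte first packet to an unknown host plus a plaintext log: two traits
    Session("10.0.0.11", "203.0.113.41", 8080,
            [b"A" * 73, b"check av: none\nmodule screenshot: fail\n"]),
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(f"{s.src} -> {s.dst}:{s.dport} hits={score_session(s)} "
              f"suspicious={is_suspicious(s)}")
```

In practice the `Session` records would be populated from a capture (for example by reassembling each TCP stream's client side), and the known-C2 set would come from a threat-intelligence feed rather than a literal; the scoring logic itself does not change.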
To mitigate such threats, it is recommended that users download software only from trusted sources and ensure the authenticity of websites.
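"Trusted sources" and "authenticity of websites" can be made concrete with two mechanical checks before an installer is run: that the download origin really is the vendor's domain (not a lookalike), and that the file's SHA-256 matches the hash the vendor publishes through a separate channel. The block below is an added example, not code from the article or from Bitwarden; the vendor domain is taken from the article, the installer bytes and hashes are constructed, and the domain-matching rule is the author's assumption about what "authentic" should mean.

```python
"""Added example (not from the article): pre-execution checks for a downloaded
installer. The vendor domain comes from the article; SAMPLE values are
constructed and the hash-publication channel is assumed to be out of band."""
import hashlib
import hmac
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

BITWARDEN_DOMAIN = "bitwarden.com"   # legitimate vendor domain named in the article


def is_vendor_host(url: str, vendor_domain: str = BITWARDEN_DOMAIN) -> bool:
    """True only for HTTPS URLs whose host is the vendor domain or a subdomain.
    A substring or plain suffix test would accept lookalikes such as
    notbitwarden.com or bitwarden.com.example.net; the dot-boundary check
    below rejects both."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host == vendor_domain or host.endswith("." + vendor_domain)


def sha256_of_file(path: Path) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def installer_is_trusted(url: str, path: Path, published_sha256: str) -> bool:
    """Both checks must pass: the origin is the vendor, and the file matches
    the hash the vendor publishes (obtained separately, never from the same
    page that served the download)."""
    if not is_vendor_host(url):
        return False
    return hmac.compare_digest(sha256_of_file(path), published_sha256.lower())


def run_demo() -> dict:
    """Constructed scenario: identical bytes offered from several origins.
    Only the vendor-hosted, hash-matching file should pass."""
    sample = b"constructed installer bytes, not a real executable"
    good_hash = hashlib.sha256(sample).hexdigest()
    bad_hash = hashlib.sha256(sample + b"!").hexdigest()   # stands in for a tampered file
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "Bitwarden-Installer.exe"
        p.write_bytes(sample)
        return {
            "vendor_ok": installer_is_trusted("https://vault.bitwarden.com/dl/x.exe", p, good_hash),
            "unrelated_domain": installer_is_trusted("https://crazygameis.com/dl/x.exe", p, good_hash),
            "suffix_lookalike": installer_is_trusted("https://bitwarden.com.example.net/x.exe", p, good_hash),
            "prefix_lookalike": installer_is_trusted("https://notbitwarden.com/x.exe", p, good_hash),
            "plain_http": installer_is_trusted("http://bitwarden.com/x.exe", p, good_hash),
            "hash_mismatch": installer_is_trusted("https://bitwarden.com/x.exe", p, bad_hash),
        }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:18s} trusted={ok}")
```

The hash comparison is deliberately not a substitute for a valid code signature: as the article notes, the ZenRAT installer carried an invalid signature under a borrowed name, so on Windows the signature check (for example `Get-AuthenticodeSignature` in PowerShell) belongs alongside these two checks rather than instead of them.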
The disclosure comes as the information stealer known as Lumma Stealer has been observed compromising the manufacturing, retail and commercial industries since early August 2023.
“The data stealer was delivered via drive-by downloads disguised as fake installers, such as Chrome and Edge browser installers, and some of them were distributed via PrivateLoader,” eSentire said earlier this month.
In a related campaign, fraudulent websites posing as Google Business Profile and Google Sheets were found to trick users into installing stealer malware called Stealc under the pretext of a security update.
“Unauthorized downloads continue to be a common method of spreading malware, including data thieves and uploaders,” the Canadian cybersecurity company said.