ZenRAT Malware Disguised as Bitwarden Password Manager Targets Windows Users
A newly identified malware strain known as ZenRAT has surfaced, and it is being distributed through counterfeit installation packages of the popular Bitwarden password manager. The malware targets Windows users only; the distribution site redirects visitors on other operating systems to benign web pages. ZenRAT is categorized as a modular Remote Access Trojan (RAT) with capabilities for stealing sensitive information.
Proofpoint, an enterprise security firm, discovered ZenRAT and detailed its operation in a recent technical report. According to the report, the malware is hosted on fraudulent websites that impersonate Bitwarden-related domains. However, it remains unclear how traffic is being directed to these deceptive websites. Historically, malware of this kind has been propagated through various means, including phishing attacks, malvertising campaigns, or SEO poisoning tactics.
The malicious payload, named “Bitwarden-Installer-version-2023-7-1.exe,” is downloaded from a domain called “crazygameis[.]com.” This file is a trojanized version of the standard Bitwarden installation package and contains a malicious .NET executable known as “ApplicationRuntimeMonitor.exe.”
A notable aspect of this campaign is the attackers’ redirection strategy. If a user visits the deceptive website from a non-Windows system, they are automatically redirected to a cloned article from opensource.com, dated March 2018, discussing “How to manage your passwords with Bitwarden, a LastPass alternative.” Furthermore, Windows users who click on download links intended for Linux or macOS on the Downloads page are redirected to the legitimate Bitwarden website, vault.bitwarden.com.
An analysis of the installer’s metadata reveals the threat actor’s attempt to disguise the malware as Piriform’s Speccy, a legitimate freeware Windows utility used for displaying hardware and software information. The digital signature used to sign the executable is not only invalid but also falsely claims to be signed by Tim Kosse, a well-known German computer scientist renowned for developing the free cross-platform FTP software FileZilla.
Once ZenRAT is executed, it collects various details about the infected host, including CPU and GPU information, operating system version, browser credentials, and a list of installed applications and security software. This information is then transmitted to a command-and-control (C2) server, specifically to an IP address (185.186.72[.]14) operated by the threat actors.
Interestingly, ZenRAT exhibits modular and extendable characteristics, making it a versatile implant capable of adapting to different attack scenarios. The malware’s logs are sent to the C2 server in plaintext, providing insights into the execution status of each module and various system checks performed by the malware.
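Because the report exposes the distribution domain, the C2 address and the installer filename, a defender can sweep existing proxy or DNS logs for them. The script below is an added example, not code from the article or from Proofpoint; the access-log format it parses is constructed for the example, and the indicators are the ones published above, stored defanged and refanged only at match time.

```python
"""Flag proxy-log lines that touch the ZenRAT indicators named in the article.

This is an added example, not code from the article or the Proofpoint report.
The access-log format is constructed (one request per line); the indicators are
the ones the article publishes, refanged from their "[.]" form before matching.
"""
import re
from dataclasses import dataclass, field

# Indicators as published (defanged). Refanged once, below, so the values in
# this file stay safe to paste into tickets and reports.
DEFANGED_IOCS = {
    "distribution_domain": "crazygameis[.]com",
    "c2_ip": "185.186.72[.]14",
}
INSTALLER_NAME = "Bitwarden-Installer-version-2023-7-1.exe"


def refang(indicator: str) -> str:
    """Undo the usual defanging so the value can be compared against live logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOCS = {name: refang(value) for name, value in DEFANGED_IOCS.items()}

# Constructed sample log: "<epoch> <client_ip> <method> <url> <status>".
SAMPLE_LOG = """\
1695600001 10.0.0.21 GET https://vault.bitwarden.com/ 200
1695600002 10.0.0.22 GET https://crazygameis.com/Bitwarden-Installer-version-2023-7-1.exe 200
1695600003 10.0.0.22 POST http://185.186.72.14/ 200
1695600004 10.0.0.23 GET https://opensource.com/article/18/3/managing-passwords-bitwarden 200
1695600005 10.0.0.24 GET https://example.test/downloads/Bitwarden-Installer-version-2023-7-1.exe 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.IGNORECASE)


@dataclass
class Hit:
    ts: str
    client: str
    url: str
    reasons: list = field(default_factory=list)


def host_of(url: str) -> str:
    """Return the lowercased host part of a URL, or '' if there is none."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def classify(url: str) -> list:
    """List every indicator a URL matches; an empty list means no match."""
    host = host_of(url)
    reasons = []
    domain = IOCS["distribution_domain"]
    if host == domain or host.endswith("." + domain):
        reasons.append("distribution domain")
    if host == IOCS["c2_ip"]:
        reasons.append("C2 address")
    # A filename match alone is weaker evidence, since the lure could be
    # re-hosted elsewhere, but it still deserves triage (see the last sample line).
    if url.rsplit("/", 1)[-1].lower() == INSTALLER_NAME.lower():
        reasons.append("trojanized installer filename")
    return reasons


def scan(log_text: str) -> list:
    """Parse the log and return one Hit per line that matched any indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        reasons = classify(m["url"])
        if reasons:
            hits.append(Hit(m["ts"], m["client"], m["url"], reasons))
    return hits


def affected_clients(hits: list) -> list:
    """Distinct client addresses to triage, sorted for stable reporting."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.ts} {h.client} {h.url} -> {', '.join(h.reasons)}")
    print("clients to triage:", affected_clients(scan(SAMPLE_LOG)))
```

Matching on the host rather than on a substring of the whole URL avoids false positives from the indicator appearing in a query string, and the subdomain check (`endswith("." + domain)`) catches lures served from hosts under the published domain. Keep the indicators defanged at rest so that sharing the file never produces a live link.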
To protect against such threats, it is highly advisable for users to download software exclusively from trusted sources and validate the authenticity of websites they visit.
This discovery coincides with the emergence of Lumma Stealer, an information-stealing malware that has been targeting the manufacturing, retail, and business sectors since August 2023. Lumma Stealer is typically delivered through drive-by downloads, often disguised as fake installers for the Chrome and Edge browsers.
Additionally, a related campaign involved rogue websites masquerading as Google Business Profile and Google Sheets, tricking users into installing a malware strain known as Stealc, under the pretense of a security update. Drive-by downloads continue to be a prevalent method for the distribution of malware, including information stealers and loaders, as noted by cybersecurity experts at eSentire.
Source: thehackernews.com