A new malware strain called ZenRAT has emerged in the wild that's distributed via bogus installation packages of the Bitwarden password manager.

"The malware is specifically targeting Windows users and will redirect people using other hosts to a benign web page," enterprise security firm Proofpoint said in a technical report. "The malware is a modular remote access trojan (RAT) with information stealing capabilities."

ZenRAT is hosted on fake websites pretending to be associated with Bitwarden, although it's unclear how traffic is being directed to the domains. Such malware has been propagated via phishing, malvertising, or SEO poisoning attacks in the past.

The payload (Bitwarden-Installer-version-2023-7-1.exe), downloaded from crazygameis[.]com, is a trojanized version of the standard Bitwarden installation package that contains a malicious .NET executable (ApplicationRuntimeMonitor.exe).


A noteworthy aspect of the campaign is that users who end up visiting the deceptive website from non-Windows systems are redirected to a cloned opensource.com article published in March 2018 about "How to manage your passwords with Bitwarden, a LastPass alternative."

Further, Windows users who click download links marked for Linux or macOS on the Downloads page are redirected to the legitimate Bitwarden site, vault.bitwarden.com.

An analysis of the installer's metadata reveals attempts on the part of the threat actor to disguise the malware as Piriform's Speccy, a freeware Windows utility to show hardware and software information.

The digital signature used to sign the executable is not only invalid, but also claims to be signed by Tim Kosse, a German computer scientist well known for developing the free cross-platform FTP software FileZilla.

Once launched, ZenRAT gathers details about the host, including CPU name, GPU name, operating system version, browser credentials, and installed applications and security software, and sends them to a command-and-control (C2) server (185.186.72[.]14) operated by the threat actors.

"The client initiates communication to the C2," Proofpoint said. "Regardless of the command, and extra data transmitted, the first packet is always 73 bytes."

ZenRAT is also configured to transmit its logs to the server in plaintext. The logs capture a series of system checks carried out by the malware and the status of the execution of each module, indicating its use as a "modular, extendable implant."

To mitigate such threats, it's recommended that users download software only from trusted sources and ensure the authenticity of the websites.
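The installer described above fails on three points a defender can check before running a download: the Authenticode signature does not validate, the claimed signer is unrelated to the vendor, and the version-info metadata names a different product. The following PowerShell function is an added example, not code from Proofpoint or Bitwarden; the function name and the expected publisher and product strings are assumptions, and the expected values should be taken from a known-good copy of the vendor's installer.

```powershell
# Added example: triage a downloaded installer for signature and metadata mismatches.
function Test-InstallerAuthenticity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: substrings copied from a known-good vendor installer.
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        [Parameter(Mandatory)] [string] $ExpectedProduct
    )

    $file   = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig    = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $info   = $file.VersionInfo
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The signature must validate (NotSigned, HashMismatch, NotTrusted all fail).
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status is '$($sig.Status)': $($sig.StatusMessage)")
    }
    # 2. A signer name alone proves nothing, but it must at least be the vendor's.
    if ($signer -notlike "*$ExpectedPublisher*") {
        $findings.Add("Signer '$signer' does not match '$ExpectedPublisher'")
    }
    # 3. Version-info metadata should describe the product the file name claims to be.
    $claimed = "$($info.ProductName) $($info.FileDescription) $($info.CompanyName)"
    if ($claimed -notlike "*$ExpectedProduct*") {
        $findings.Add("Version info claims '$($claimed.Trim())', not '$ExpectedProduct'")
    }

    [pscustomobject]@{
        Path     = $file.FullName
        SHA256   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Status   = $sig.Status
        Signer   = $signer
        Product  = $info.ProductName
        Company  = $info.CompanyName
        Trusted  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage (file name and expected strings are assumed values):
# Test-InstallerAuthenticity -Path .\installer.exe `
#     -ExpectedPublisher 'Bitwarden' -ExpectedProduct 'Bitwarden'
```

A file that reports `Trusted = False` should not be executed; the returned SHA256 can be compared against the hash the vendor publishes.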

The disclosure comes as the information stealer known as Lumma Stealer has been observed compromising manufacturing, retail, and business industries since the beginning of August 2023.


"The infostealer was delivered via drive-by downloads disguised as fake installers such as Chrome and Edge browser installers, and some of them were distributed via PrivateLoader," eSentire said earlier this month.

In a related campaign, rogue websites impersonating Google Business Profile and Google Sheets were found to trick users into installing a stealer malware dubbed Stealc under the pretext of a security update.

"Drive-by downloads continue to be a prevalent method to spread malware, such as information stealers and loaders," the Canadian cybersecurity company noted.

