Fake Bitwarden Password Manager Website Drops Windows ZenRAT

If you’ve installed Bitwarden Password Manager recently, ensure that you downloaded it from its official website and not from a fraudulent, malicious source.

  • ZenRAT malware is distributed as an installation package for the widely used Bitwarden password manager.
  • Malware operators have designed a fake Bitwarden website to deliver the malware.
  • It specifically looks for Windows-based devices.
  • ZenRAT is a modular RAT capable of stealing sensitive information.

Enterprise security firm Proofpoint’s cybersecurity researchers have discovered a spooky new malware distributed as an installation package for the popular password manager Bitwarden to deceive users and steal sensitive data from their devices.

This bogus installation package, dubbed ZenRAT, is delivered via a fake Bitwarden website, which looks exactly like the original one but is not legitimate. A user who pays attention can easily catch that the malware operators have used the typosquatting technique, because the fake website's domain is bitwariden[.]com.

The fake website (Proofpoint)

ZenRAT’s main targets are unsuspecting Windows users. If a visitor clicks on the downloadable link marked for another platform (e.g., Linux or macOS), they are redirected to the original Bitwarden website (vault.bitwarden.com) on the Downloads page. If a Windows user clicks on it, their device will be infected with ZenRAT, and the malware will establish a connection with its C2 server (185.186.7214).

Once this is done, the malware will collect desired data, including system details and stored credentials. ZenRAT can steal information like the CPU and GPU names, OS version, RAM, IP address, and device gateway. It will also extract information about installed antivirus solutions and other apps. It can also steal browser data and passwords. ZenRAT transmits the logs to the C2 server in plaintext.

It redirects the website visitors to a benign website. However, the researchers didn’t specify how the visitors are redirected to the website. Previously, the malware was distributed in such campaigns through phishing, SEO poisoning, or malvertising attacks. The payload is titled Bitwarden-installer-version-2023-7-1.exe and is downloaded via crazygames[.]com. This trojanized version of the legitimate Bitwarden installer contains a .NET executable titled ApplicationRuntimeMonitor.exe.

According to Proofpoint’s blog post, when researchers examined the malicious installer package’s metadata, they observed that the attacker had masqueraded it as Piriform’s Speccy, a freeware Windows utility that displays hardware- and software-related information.

Moreover, the executable has an invalid signature that appears to come from Tim Kosse, the German computer scientist of FileZilla fame. However, this signature is also fake. This modular RAT also runs anti-sandbox and anti-VM checks to determine if it is safe to operate on the device. The checks also include geofencing to ensure it isn’t installed in any Russian-speaking region.
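
The mismatched metadata and the invalid signature described above can both be checked before an installer is ever run. The PowerShell function below is an added example, not code from Proofpoint or Bitwarden; the function name, its parameters and the sample path are assumptions, and the expected publisher and product values should be read from an installer obtained from the official site.

```powershell
# Added example: triage a downloaded installer before running it.
# ExpectedPublisher and ExpectedProduct are caller-supplied assumptions.
function Test-InstallerProvenance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        [Parameter(Mandatory)] [string] $ExpectedProduct
    )
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $info = $file.VersionInfo
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The Authenticode signature must validate; an invalid or absent one fails here.
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status is $($sig.Status): $($sig.StatusMessage)")
    }

    # 2. A valid signature from the wrong party is still wrong: compare the signer name.
    $signer = ''
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    }
    if ($signer -ne $ExpectedPublisher) {
        $findings.Add("Signer '$signer' is not '$ExpectedPublisher'")
    }

    # 3. Version metadata should describe the product the download claims to be.
    $product = [string]$info.ProductName
    if ($product.IndexOf($ExpectedProduct, [StringComparison]::OrdinalIgnoreCase) -lt 0) {
        $findings.Add("ProductName '$product' does not mention '$ExpectedProduct'")
    }

    [pscustomobject]@{
        Path        = $file.FullName
        SHA256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Signature   = $sig.Status
        Signer      = $signer
        ProductName = $product
        CompanyName = [string]$info.CompanyName
        Findings    = $findings
        Pass        = ($findings.Count -eq 0)
    }
}

# Constructed usage: the path and the publisher value are placeholders to replace.
Test-InstallerProvenance -Path "$env:USERPROFILE\Downloads\installer.exe" `
    -ExpectedPublisher '<publisher name from the official installer>' -ExpectedProduct 'Bitwarden'
```

An installer whose embedded product name belongs to a different vendor's tool, or whose signature status is anything other than Valid, fails the check and is listed under Findings with the reason.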

Exercise Caution When Using a Password Manager

Researchers strongly advise users to exercise caution when downloading software and recommend obtaining applications exclusively from official sources. It’s worth noting that password managers have frequently been targeted in cyberattacks and scams, with LastPass being a notable example.

As a safer alternative, the top three browsers—Google Chrome, Mozilla Firefox, and Safari—offer free password manager features. If you’re unsure about which service to use, any of these three options would provide similar benefits and, in some cases, may be more secure than others.
