ZenRAT Malware Targets Windows Users Via Fake Bitwarden Password Manager Installation Package

We talked to Proofpoint researchers about this new malware threat and how it infects Windows systems to steal information.
Windows operating systems are the target of new malware dubbed ZenRAT by U.S.-based cybersecurity company Proofpoint. The attackers built a website that impersonates the popular Bitwarden password manager; if accessed via Windows, the fake site delivers the ZenRAT malware disguised as Bitwarden software. It’s currently unknown if the malware is used by threat actors for cyberespionage or for financial fraud.
We’ll delve into the technical details and share more information from Proofpoint researchers, as well as provide tips on mitigating this ZenRAT malware threat.
ZenRAT is malware developed in .NET. It was previously unreported and specifically targets Microsoft Windows operating systems. Once executed, the ZenRAT malware queries the system to gather information:
The data is sent as a ZIP archive file to its command-and-control (C2) server, along with stolen browser data and credentials. The ZIP file contains two files named InstalledApps.txt and SysInfo.txt. Proofpoint told TechRepublic that they “… observed ZenRAT stealing data from both Chrome and Firefox” and believe “It’s reasonable to assume that it would have support for most Chromium-based browsers.”
The malware executes several checks when running. For starters, it checks that it doesn’t operate from Belarus, Kyrgyzstan, Kazakhstan, Moldova, Russia or Ukraine.
Then, the malware ensures it isn’t already running on the system by checking for a specific mutex, and it checks that the hard drive isn’t smaller than 95GB, since a small disk might indicate a sandbox system to the malware. It also checks for the process names of known virtualization products to verify it isn’t running in a virtualized environment.
Once the checks have been passed, the malware sends a ping command to be sure it’s connected to the internet, and checks if there is an update for the malware.
In addition, the malware has the ability to send its log files to the C2 server in clear text, probably for debugging purposes, although all the other communications are encrypted.
Attackers have built a website bitwariden[.]com that impersonates the popular Bitwarden password manager. The website is a very convincing copy of the legitimate website from Bitwarden (Figure A).
Figure A
If accessed via a Windows operating system, the fake website delivers the ZenRAT malware disguised as Bitwarden software. If a non-Windows system user browses the website, the content is completely different, and the user is shown an article copied from opensource.com about Bitwarden Password Manager.
If a Windows user clicks on the Linux or Mac download link for Bitwarden, they’re redirected to the legitimate download pages from Bitwarden.
After a Windows user clicks the download link from the fake website, a file named Bitwarden-Installer-version-2023-7-1.exe is downloaded from another domain, crazygameis[.]com, which isn’t available anymore.
The malicious installer was first reported on the VirusTotal platform on July 28, 2023, but under a different name: CertificateUpdate-version1-102-90. This suggests there may have been a previous infection campaign in which the attackers used a different social engineering lure based on certificates.
The metadata for the file contains bogus information. The installer claims to be Piriform’s Speccy, a software application for gathering system specifications. It also claims to be signed by Tim Kosse, a developer famous for the FileZilla FTP/SFTP software, but the file signature is invalid.
When we asked Proofpoint’s Threat Research team about why the attacker didn’t change the metadata to fit the Bitwarden application better, they said “It is possible the actor was lazy, or just didn’t want to bother with changing it. Many consumers do not pay attention to these details. If the filename looks right, they’ll probably execute it without questioning file metadata or digital signatures.”
Once launched, the installer creates a copy of itself in the AppData\Local\Temp folder of the currently logged-in user. It also creates a hidden file named .cmd in the same folder. The .cmd file deletes the installer and itself using a command line loop. An executable file named ApplicationRuntimeMonitor.exe is placed into the user’s AppData\Roaming\RunTimeMonitor folder before being executed.
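The on-disk footprint described above (the fake installer filename, the hidden .cmd in the user’s Temp folder and the ApplicationRuntimeMonitor.exe payload under AppData\Roaming\RunTimeMonitor) can be hunted for in endpoint telemetry. The following is an added example, not Proofpoint’s or TechRepublic’s code; it assumes simplified Sysmon-style key=value log lines, and the sample lines are constructed for this example.

```python
"""Hunt for the ZenRAT installer footprint (added example, not Proofpoint's or
TechRepublic's code); log lines are constructed, simplified Sysmon-style events."""
import ntpath
import re

# Artifacts named in the write-up: the fake installer, the hidden ".cmd"
# self-deletion script in the user's Temp folder, and the dropped payload.
INSTALLER_NAME = "Bitwarden-Installer-version-2023-7-1.exe"
TEMP_CMD_RE = re.compile(r"\\AppData\\Local\\Temp\\\.cmd$", re.I)
PAYLOAD_RE = re.compile(
    r"\\AppData\\Roaming\\RunTimeMonitor\\ApplicationRuntimeMonitor\.exe$", re.I)

# Constructed sample telemetry (paths contain no spaces to keep parsing simple).
SAMPLE_LOG = [
    r"EventType=ProcessCreate Image=C:\Users\alice\Downloads\Bitwarden-Installer-version-2023-7-1.exe ParentImage=C:\Windows\explorer.exe",
    r"EventType=FileCreate Image=C:\Users\alice\Downloads\Bitwarden-Installer-version-2023-7-1.exe TargetFilename=C:\Users\alice\AppData\Local\Temp\.cmd",
    r"EventType=FileCreate Image=C:\Users\alice\Downloads\Bitwarden-Installer-version-2023-7-1.exe TargetFilename=C:\Users\alice\AppData\Roaming\RunTimeMonitor\ApplicationRuntimeMonitor.exe",
    r"EventType=ProcessCreate Image=C:\Users\alice\AppData\Roaming\RunTimeMonitor\ApplicationRuntimeMonitor.exe ParentImage=C:\Windows\System32\cmd.exe",
    r"EventType=FileCreate Image=C:\Windows\explorer.exe TargetFilename=C:\Users\alice\Documents\notes.txt",
]

def parse_event(line: str) -> dict:
    """Turn one 'Key=Value Key=Value' line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def match_rules(event: dict) -> list:
    """Return (rule_name, path) pairs for every artifact this event exhibits."""
    hits = []
    etype = event.get("EventType", "")
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    if etype == "FileCreate" and TEMP_CMD_RE.search(target):
        hits.append(("zenrat_hidden_cmd_dropped", target))
    for path in (image, target):  # payload either written to disk or executed
        if PAYLOAD_RE.search(path):
            hits.append(("zenrat_runtime_monitor_payload", path))
            break
    if ntpath.basename(image).lower() == INSTALLER_NAME.lower():
        hits.append(("zenrat_fake_bitwarden_installer", image))
    return hits

def hunt(lines) -> list:
    """Run every rule over every line; findings keep log order."""
    findings = []
    for line in lines:
        findings.extend(match_rules(parse_event(line)))
    return findings
```

Running hunt(SAMPLE_LOG) flags the installer execution, the hidden .cmd drop and both the write and the launch of the payload, while the ordinary Explorer file write produces no finding.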
ZenRAT has been designed to be modular, although Proofpoint didn’t see additional modules. It’s expected that more modules might be developed and implemented with ZenRAT in the future.
Proofpoint indicated it’s not known how the malware is being distributed; however, links to the fake Bitwarden website are probably sent to targets via email, social networks, instant messaging, via fake ads or SEO poisoning.
As noted by Proofpoint, people should be wary of ads in search engine results, because they seem to be a major driver of infections of this nature, especially within the last year.
It’s advised to deploy security solutions that are able to analyze email links and attached files, in addition to security solutions monitoring endpoints and servers.
Operating systems and all software running on them should always be kept up to date and patched to avoid being compromised by a common vulnerability.
Users should also be wary of executable files whose digital signature is invalid. Current Microsoft Windows systems are configured by default to alert users about such a file before executing it. When in doubt, users shouldn’t execute the file and should ask their IT staff about it.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.