ZenRAT Targets Windows Users with Fake Bitwarden Site

Hackers are using a bogus download page for Bitwarden’s password manager solution to target Windows users with a new remote access trojan (RAT) that’s designed to steal credentials and a range of information about the compromised system.

Threat intelligence researchers with cybersecurity firm Proofpoint are still sorting through all aspects of the ZenRAT malware, including how exactly it’s distributed, but they wrote in a report this week that it only attacks Windows users, essentially redirecting non-Windows users who try to get into the malicious website to other benign pages.

“At this time, it is unknown how the malware is being distributed,” they wrote. “However historic activities that have masqueraded as fake software installers have been delivered via SEO Poisoning, adware bundles, or via email.”

Jérôme Segura, senior director of threat intelligence for Malwarebytes, initially sent Proofpoint a sample of the malware in early August. The sample was found on a website designed to look like it was associated with Bitwarden, a seven-year-old company that offers an open source password management service that stores sensitive information like usernames and passwords in an encrypted vault.

‘A Very Convincing Lookalike’

The fake site was “a very convincing lookalike to the real bitwarden.com. Packaged with a standard Bitwarden installation package is a malicious .NET executable that we have dubbed ‘ZenRAT,’” the Proofpoint researchers wrote.

The attackers are particular about their targets. According to Proofpoint, the malicious site will only display the fake Bitwarden download if it’s accessed from a Windows host.

If a user tries to access the domain from a non-Windows system, the site instead pretends to be “opensource.com,” a legitimate website, and displays a column from Opensource.com written by Scott Nesbitt in 2018 about managing passwords using Bitwarden, described as an alternative to LastPass.

“Additionally, if Windows users click download links marked for Linux or MacOS on the Downloads page, they are instead redirected to the legitimate Bitwarden site, vault.bitwarden.com,” the researchers wrote.

That said, if a Windows user clicked either the main Download button or the download button for the Windows desktop installer, the payload – Bitwarden-Installer-version-2023-7-1.exe – was downloaded from crazygamesis[.]com, though the domain no longer appears to be hosting the payload, they wrote.

This trojanized copy of Bitwarden’s standard installation package includes the ZenRAT .NET executable, ApplicationRuntimeMonitor.exe.

Changing Identities

The malicious installer was first reported to the VirusTotal site in late July under the name “CertificateUpdate-version1-102-90,” but now carries the Bitwarden name.

Delving deeper into the installer, the researchers found that it tried to masquerade as Piriform Software’s Speccy, a freeware utility for Windows that displays information about a system’s hardware and software.

In addition, the installer’s digital signature is invalid, claiming to be signed by Tim Kosse, an open source software developer known for creating the free Filezilla cross-platform FTP software.

ZenRAT itself also looks to fly under the radar by including metadata that is aimed at making it appear to be another application created by Monitoring Legacy World Ltd.
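The masquerading described in this section (borrowed Speccy metadata, an invalid signature claiming a well-known developer, a made-up company name in the RAT's own metadata) is exactly what a user can check before running a downloaded installer. The following PowerShell function is an added example, not code from Proofpoint or Bitwarden: it reads the file's embedded version metadata, verifies the Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet, and insists that the signer matches the publisher you expected. The $ExpectedPublisher value and the sample path in the usage comment are assumptions.

```powershell
# Added example (not from Proofpoint's report or Bitwarden): inspect an installer's
# embedded version metadata and its Authenticode signature before running it.
# $ExpectedPublisher is an assumption; set it to a substring of the subject you
# expect on the vendor's code-signing certificate.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $file = Get-Item -LiteralPath $Path
    $info = $file.VersionInfo     # CompanyName/ProductName are trivially forgeable: context, not proof

    # A signature is only meaningful if it is Valid AND chains to the publisher you expect;
    # "signed by somebody" (the Tim Kosse claim in the article) proves nothing on its own.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    $reasons = @()
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status is '$($sig.Status)'"
    }
    if ($signer -notlike "*$ExpectedPublisher*") {
        $reasons += "signer '$signer' is not the expected publisher '$ExpectedPublisher'"
    }
    if ($info.CompanyName -and $info.CompanyName -notlike "*$ExpectedPublisher*") {
        $reasons += "version metadata names '$($info.CompanyName)', not '$ExpectedPublisher'"
    }

    [pscustomobject]@{
        Path            = $file.FullName
        ProductName     = $info.ProductName
        CompanyName     = $info.CompanyName
        FileVersion     = $info.FileVersion
        SignatureStatus = $sig.Status
        Signer          = $signer
        Trusted         = ($reasons.Count -eq 0)
        Reasons         = $reasons
    }
}

# Usage (the path is a placeholder for wherever your browser saved the download):
# Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\Bitwarden-Installer-version-2023-7-1.exe" -ExpectedPublisher 'Bitwarden'
```

The function deliberately reports all three findings rather than stopping at the first one: an installer whose metadata claims one company, whose signature is invalid, and whose signer is a third party is a much stronger signal of a trojanized package than any single mismatch.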

Gathering the System Data

Once in the system, ZenRAT uses Windows Management Instrumentation (WMI) and other tools in the system to collect a range of information about the host, including the CPU and GPU name, OS version, IP address and gateway, and installed RAM, antivirus, and applications.

The modular RAT sends the collected information, along with stolen browser data and credentials, to its command-and-control (C2) server in a zip file called Data.zip containing the files InstalledApps.txt and SysInfo.txt. The first packet of data sent to the C2 is always 73 bytes.
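The file and process names in the report are usable as host-level hunting indicators. The following PowerShell function is an added example (not Proofpoint tooling): it looks for a running process or on-disk file named ApplicationRuntimeMonitor.exe, and for any zip archive whose entries include both InstalledApps.txt and SysInfo.txt, which is the shape of the Data.zip exfiltration bundle described above. The search roots are an assumption; widen them for a real sweep. Archives are opened with the .NET System.IO.Compression.ZipFile class, which ships with Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example (not from the Proofpoint report): hunt a host for the indicators the
# article names. $SearchRoots is an assumed starting point, not a list from the report.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-ZenRatIndicators {
    param(
        [string[]] $SearchRoots    = @("$env:USERPROFILE\Downloads", $env:TEMP),
        [string]   $ExecutableName = 'ApplicationRuntimeMonitor.exe',      # from the report
        [string[]] $ZipEntryNames  = @('InstalledApps.txt', 'SysInfo.txt')   # Data.zip contents, from the report
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. A live process whose image file carries the executable name
    foreach ($p in (Get-Process -ErrorAction SilentlyContinue)) {
        if ($p.Path -and ([IO.Path]::GetFileName($p.Path) -ieq $ExecutableName)) {
            $findings.Add([pscustomobject]@{ Type = 'Process'; Detail = "PID $($p.Id) $($p.Path)" })
        }
    }

    # 2. Files with that name, and zip archives whose entry list matches the exfil bundle
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($f in (Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue)) {
            if ($f.Name -ieq $ExecutableName) {
                $findings.Add([pscustomobject]@{ Type = 'File'; Detail = $f.FullName })
            }
            elseif ($f.Extension -ieq '.zip') {
                try {
                    $zip   = [System.IO.Compression.ZipFile]::OpenRead($f.FullName)
                    $names = foreach ($e in $zip.Entries) { $e.Name }
                    $zip.Dispose()
                    # Match on the entry names, not the archive name: Data.zip is easy to rename
                    $missing = @($ZipEntryNames | Where-Object { $names -notcontains $_ })
                    if ($missing.Count -eq 0) {
                        $findings.Add([pscustomobject]@{ Type = 'ExfilBundle'; Detail = $f.FullName })
                    }
                }
                catch { }   # corrupt, locked or non-zip file: skip it
            }
        }
    }
    return $findings
}

# Usage: Find-ZenRatIndicators | Format-Table -AutoSize
```

Matching the archive by its entry names rather than by the Data.zip filename is the more durable check: a renamed bundle still contains the same two text files, whereas a filename indicator is defeated by a one-character change.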

The Proofpoint researchers noted that “malware is often delivered via files that masquerade as legitimate application installers. End users should be mindful of only downloading software directly from the trusted source, and always check the domains hosting software downloads against domains belonging to the official website.”
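The advice to "check the domains hosting software downloads against domains belonging to the official website" can be turned into a small, repeatable check. The following PowerShell function is an added example (not from the article's sources): given a download URL and a list of official domains you maintain (the list itself is an assumption), it returns $true only when the URL's host is that domain or a genuine subdomain of it, such as vault.bitwarden.com, and $false for an unrelated host like the crazygamesis[.]com domain named above or for lookalikes that merely contain the brand name. Defanged "[.]" hosts are accepted so the function can be fed text copied from a threat-intelligence report.

```powershell
# Added example (not from the Proofpoint report): is this download URL hosted on the
# vendor's official domain? $OfficialDomains is a list you maintain (assumed here).
function Test-OfficialDownloadHost {
    param(
        [Parameter(Mandatory)] [string]   $Url,
        [Parameter(Mandatory)] [string[]] $OfficialDomains   # e.g. 'bitwarden.com'
    )

    # Refang "crazygamesis[.]com" style text and assume https if no scheme was given
    $clean = $Url -replace '\[\.\]', '.'
    if ($clean -notmatch '^[a-z][a-z0-9+.-]*://') { $clean = "https://$clean" }

    try { $uri = [System.Uri]$clean } catch { return $false }
    if (-not $uri.Host) { return $false }
    $hostName = $uri.Host.ToLowerInvariant().TrimEnd('.')

    foreach ($d in $OfficialDomains) {
        $d = $d.ToLowerInvariant().TrimEnd('.')
        # Exact match or a real subdomain (host ends with ".<domain>"). A plain substring
        # test would wrongly accept lookalikes such as bitwarden.com.example or
        # bitwarden-com.example, so the dot boundary is required.
        if ($hostName -eq $d -or $hostName.EndsWith(".$d")) { return $true }
    }
    return $false
}

# Usage: the real vault host, the impostor host from the report, and a lookalike
# Test-OfficialDownloadHost -Url 'https://vault.bitwarden.com/' -OfficialDomains 'bitwarden.com'
# Test-OfficialDownloadHost -Url 'crazygamesis[.]com/Bitwarden-Installer-version-2023-7-1.exe' -OfficialDomains 'bitwarden.com'
# Test-OfficialDownloadHost -Url 'https://bitwarden.com.example/download' -OfficialDomains 'bitwarden.com'
```

The check is intentionally strict about the dot boundary: an attacker controls everything to the left of their own registered domain, so the host must end with ".bitwarden.com" (or equal it), not merely contain the string "bitwarden".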

They also warned users of ads in search engine results, which is a key source of these kinds of infections, particularly over the past year.

One person on a Reddit thread understood the need for a password manager and that some people might be fooled into downloading malware through such a scheme.

“But the Bitwarden installer is digitally signed,” the person wrote. “Do people really go down alone in the dark to the murder basement, not just in bad horror movies? Is it really that common that people will run untrusted unsigned apps on their device? (Sigh.)”

Another person was more forgiving in their response.

“Haha, fear of the dark is probably already in the genetic code, fear of unsigned executables? Not so much,” they wrote. “People have bad days, do mindless things, do recommended things from advice on the internet. Probably happens to the best of us.”


Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
