A sophisticated info-stealing malware known as ZenRAT has been discovered hiding behind fraudulent installation packages of the popular open source password manager, Bitwarden. This targeted attack is specifically aimed at Windows users and employs a fake website to distribute the malicious packages.
The malware was first brought to the attention of researchers by Jérôme Segura, a senior director of threat intelligence at Malwarebytes. Segura shared a sample of ZenRAT with researchers at Proofpoint in August, and they recently detailed their findings in a blog post.
According to Proofpoint, Segura stumbled upon the malware on a website called bitwariden[.]com, which appeared to be associated with Bitwarden. The site was designed to closely resemble the legitimate bitwarden.com and included a convincing installation package for Bitwarden. However, this package actually contained the ZenRAT malware.
ZenRAT includes several modules that perform typical remote access Trojan (RAT) functions. These modules collect data on the system’s fingerprints, installed applications, and even steal passwords and other information from web browsers. The stolen data is then sent back to the attackers via a command-and-control server.
The threat actors responsible for this campaign took great care to ensure that the malicious packages were only distributed to Windows users. This was accomplished by presenting the fake Bitwarden download only to visitors accessing the site from a Windows host. Non-Windows users, and those attempting to download the Linux or macOS builds, were redirected to the legitimate Bitwarden site.
The researchers have not yet determined how users initially reach the fake Bitwarden site. However, they note that similar attacks have historically been delivered through techniques such as SEO poisoning, adware bundles, or email.
Once a Windows user clicks to install the malicious package, a file called Bitwarden-Installer-version-2023-7-1.exe is downloaded. This file was first reported on VirusTotal on July 28 under a different name, CertificateUpdate-version1-102-90. The researchers note that the payload they observed was hosted on a site called crazygameis.com, which has since ceased hosting the malicious package.
After infecting a system, the installer file copies itself to a hidden file in the Temp directory and launches a self-deletion loop for both itself and the installer file. ZenRAT is then launched by an executable file called ApplicationRuntimeMonitor.exe, which creates an evasion mechanism by masquerading as a completely different application.
Once active, ZenRAT establishes communication with its command-and-control server and gathers information about the infected host, including CPU, GPU, OS version, installed RAM, IP address, installed antivirus, and installed applications. This information, along with stolen browser data and credentials, is sent back to the C2 server in a zip file.
This attack on Bitwarden follows a familiar pattern of threat actors exploiting password management technology to gain access to users’ credentials. In the past, similar campaigns have targeted Bitwarden and other password managers, such as 1Password. Attackers have also breached the password vaults of LastPass, one of the largest players in the industry.
To protect against these types of attacks, the researchers recommend that users only download software directly from trusted sources and verify the domains hosting the software downloads against the official website. Users should also be cautious of ads in search engine results, as they have been a major source of infection in recent years.
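The "verify the domain" advice above can be automated before a download is allowed. The check below is an added example, not Bitwarden's or Proofpoint's code: it takes the official domain and the look-alike domain from this article, accepts defanged `[.]` notation as used in threat reports, and flags hosts that either edit-distance-match the brand name or embed it as a subdomain. The helper names are ours.

```python
"""Classify a download URL as trusted, look-alike, or untrusted (added example)."""
from urllib.parse import urlparse

# Trusted registrable domains for this vendor (from the article: bitwarden.com).
OFFICIAL_DOMAINS = {"bitwarden.com"}


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to keep the example stdlib-only."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumes simple TLDs such as .com; no PSL)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_download_url(url: str, official=OFFICIAL_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'untrusted' for a download URL."""
    url = url.replace("[.]", ".")            # refang IOC-style notation
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()
    apex = registrable_domain(host)
    if apex in official:
        return "trusted"                     # cdn.bitwarden.com etc. also pass
    for good in official:
        brand = good.split(".")[0]
        apex_name = apex.split(".")[0]
        # bitwariden.com is one edit away from the brand; bitwarden.com.evil.test
        # hides the brand in a subdomain. Both are look-alikes, not just unknown.
        if _levenshtein(apex_name, brand) <= 2 or brand in host:
            return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    for u in ("https://bitwarden.com/download/", "bitwariden[.]com/Bitwarden-Installer.exe",
              "https://crazygameis.com/payload.exe"):
        print(u, "->", classify_download_url(u))
```

A `lookalike` verdict on a host the user believed to be the vendor's is the signal worth alerting on; an `untrusted` verdict simply means the host is not the official one.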
By staying vigilant and taking these precautions, users can prevent themselves from falling victim to malware disguised as legitimate software installers.
