Windows users are being targeted by new ZenRAT malware using fake password manager software

ZenRAT, a newly identified malware family distributed through fake Bitwarden password manager installers, has surfaced in the wild.

Enterprise security company Proofpoint stated in a technical analysis that the malware "is specifically targeting Windows users and will redirect people using other hosts to a benign web page," adding that "the malware is a modular remote access trojan (RAT) with information-stealing capabilities."

ZenRAT is hosted on phony websites posing as Bitwarden's, although it is unclear how traffic is being driven to those domains. Malware of this kind has previously been distributed through phishing, malvertising, and SEO poisoning.

The payload, Bitwarden-Installer-version-2023-7-1.exe, was retrieved from crazygameis.com and is a trojanized version of the genuine Bitwarden installer; bundled inside it is the malicious .NET executable ApplicationRuntimeMonitor.exe.

A notable feature of the campaign is that non-Windows visitors to the fake site are redirected to a copy of an opensource.com article from March 2018, "How to manage your passwords with Bitwarden, a LastPass alternative."

Likewise, when Windows users click the download links for Linux or macOS on the Downloads page, they are sent to the legitimate Bitwarden site, vault.bitwarden.com, so only the Windows download delivers the trojanized installer.

Analysis of the installer's metadata shows that the threat actor attempted to disguise the malware as Piriform's Speccy, a free Windows utility that displays hardware and software information.

The executable's digital signature is invalid, and it also purports to be signed by Tim Kosse, the German developer best known for creating the open-source, cross-platform FTP client FileZilla.

Once launched, ZenRAT collects host information, including the CPU name, GPU name, operating system version, browser credentials, installed applications, and security software, and sends it to a command-and-control (C2) server operated by the threat actors (185.186.72[.]14).

Proofpoint notes that "the client initiates communication with the C2" and that, regardless of the command or additional data sent, the initial packet is always 73 bytes long, a fixed first-packet size that can serve as a network detection pivot alongside the C2 address.

ZenRAT also sends unencrypted logs to the server that record a series of system checks performed by the malware and the status of each module's execution, which points to its use as a "modular, extendable implant."

To reduce the risk of such attacks, users should download software only from trusted sources, verify the legitimacy of the website they are downloading from, and check the installer's digital signature and publisher before running it.
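The ZenRAT installer would have failed two of these checks before it was ever run: its Authenticode signature does not validate, and its version resources name a different product (Speccy) than the one being downloaded. The PowerShell function below is an added example of that pre-execution check, not code from Proofpoint's report or from Bitwarden. The expected signer substring (`CN=Bitwarden`), the expected product name, and the download path in the usage line are assumptions; substitute the values for the vendor you are actually installing, and pull the known-good SHA-256 from the vendor's release page rather than from the download site itself.

```powershell
# Added example: pre-execution provenance check for a downloaded installer.
# Not part of the Proofpoint analysis; the expected-vendor values are assumptions.
function Test-InstallerProvenance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: substring expected in the signing certificate's Subject.
        [string]   $ExpectedSignerPattern = 'CN=Bitwarden',
        # Assumption: product name the vendor's genuine installer reports.
        [string]   $ExpectedProductName   = 'Bitwarden',
        # Optional allow-list of SHA-256 hashes taken from the vendor's release page.
        [string[]] $KnownGoodSha256       = @()
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $ver  = (Get-Item -LiteralPath $Path).VersionInfo

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. The signature must validate (hash and chain). ZenRAT's installer carried
    #    one that did not, so this alone would have flagged it.
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Authenticode status is '$($sig.Status)': $($sig.StatusMessage)")
    }

    # 2. A valid signature is necessary but not sufficient: the signer must be the
    #    vendor you expect, not merely some trusted certificate holder.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($signer -notmatch [regex]::Escape($ExpectedSignerPattern)) {
        $findings.Add("Signer '$signer' does not match expected '$ExpectedSignerPattern'")
    }

    # 3. Version resources are attacker-controlled and prove nothing on their own,
    #    but a product name that contradicts the download (Speccy in a "Bitwarden"
    #    installer) is a cheap red flag worth surfacing.
    if ($ver.ProductName -notlike "*$ExpectedProductName*") {
        $findings.Add("ProductName '$($ver.ProductName)' does not mention '$ExpectedProductName'")
    }

    # 4. Strongest check: exact hash match against what the vendor publishes.
    if ($KnownGoodSha256.Count -gt 0) {
        $allow = $KnownGoodSha256 | ForEach-Object { $_.ToUpperInvariant() }
        if ($hash -notin $allow) {
            $findings.Add("SHA-256 $hash is not in the supplied allow-list")
        }
    }

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $hash
        SignatureStatus = $sig.Status
        Signer          = $signer
        ProductName     = $ver.ProductName
        CompanyName     = $ver.CompanyName
        OriginalName    = $ver.OriginalFilename
        Verdict         = if ($findings.Count -eq 0) { 'PASS' } else { 'DO NOT RUN' }
        Findings        = $findings
    }
}

# Usage. The file name is the one reported in the campaign; the directory is hypothetical.
# Test-InstallerProvenance -Path "$env:USERPROFILE\Downloads\Bitwarden-Installer-version-2023-7-1.exe" |
#     Format-List
```

Two caveats apply in practice. `Get-AuthenticodeSignature` reports `Valid` whenever the signature verifies against a chain the machine trusts, which is why step 2 compares the signer's Subject to the expected vendor instead of stopping at the status. And because the version resources (ProductName, CompanyName, OriginalFilename) are written by whoever built the binary, a match there should never override a failed signature or hash check; only a mismatch is informative.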

The disclosure comes as the Lumma Stealer information stealer has been observed targeting the commercial, retail, and manufacturing sectors since early August 2023.

According to eSentire earlier this month, "the infostealer was delivered via drive-by downloads disguised as fake installers, such as Chrome and Edge browser installers, and some of them were distributed via PrivateLoader."

In a separate campaign, fake Google Business Profile and Google Sheets websites were found to trick users into installing the Stealc malware under the guise of a security update.

The Canadian cybersecurity firm stated that "drive-by downloads continue to be a common method to spread malware, such as information stealers and loaders."
