Windows operating systems are the target of new malware dubbed ZenRAT by U.S.-based cybersecurity company Proofpoint. The attackers built a website that impersonates the popular Bitwarden password manager; if accessed via Windows, the fake site delivers the ZenRAT malware disguised as Bitwarden software. It’s currently unknown if the malware is used by threat actors for cyberespionage or for financial fraud.
We’ll delve into the technical details and share more information from Proofpoint researchers, as well as provide tips on mitigating this ZenRAT malware threat.
Jump to:
- What is ZenRAT malware, and what happens when it’s executed?
- ZenRAT pretends to be a Bitwarden password manager package
- How to protect from this ZenRAT malware threat
What is ZenRAT malware, and what happens when it’s executed?
ZenRAT is malware developed in .NET. It was previously unreported and specifically targets Microsoft Windows operating systems. Once executed, the ZenRAT malware queries the system to gather information:
- CPU and GPU names.
- Operating system version.
- RAM capabilities.
- IP address and gateway IP address.
- Installed software including antivirus.
The data is sent as a ZIP archive file to its command and control server, along with stolen browser data and credentials. The ZIP file contains two files named InstalledApps.txt and SysInfo.txt. Proofpoint told TechRepublic that they ” … observed ZenRAT stealing data from both Chrome and Firefox” and believe “It’s reasonable to assume that it would have support for most Chromium-based browsers.”
The malware executes several checks when running. For starters, it checks that it doesn’t operate from Belarus, Kyrgyzstan, Kazakhstan, Moldova, Russia or Ukraine.
Then, the malware ensures it doesn’t already run on the system by checking for a specific mutex and that the hard drive isn’t less than 95GB in size, which might indicate a sandbox system to the malware. It also checks for known virtualization products’ process names to verify it isn’t running in a virtualized environment.
Once the checks have been passed, the malware sends a ping command to be sure it’s connected to the internet, and checks if there is an update for the malware.
In addition, the malware has the ability to send its log files to the C2 server in clear text, probably for debugging purposes, although all the other communications are encrypted.
ZenRAT pretends to be a Bitwarden password manager package
Attackers have built a website bitwariden[.]com that impersonates the popular Bitwarden password manager. The website is a very convincing copy of the legitimate website from Bitwarden (Figure A).
Figure A
If accessed via a Windows operating system, the fake website delivers the ZenRAT malware disguised as Bitwarden software. If a non-Windows system user browses the website, the content is completely different, and the user is shown an article copied from opensource.com about Bitwarden Password Manager.
If a Windows user clicks on the Linux or Mac download link for Bitwarden, they’re redirected to the legitimate download pages from Bitwarden.
After a Windows user clicks the download link from the fake website, a file named Bitwarden-Installer-version-2023-7-1.exe is downloaded from another domain, crazygameis[.]com, which isn’t available anymore.
The malicious installer was first reported on the VirusTotal platform on July 28, 2023 yet under a different name: CertificateUpdate-version1-102-90. This might indicate that there may have been a previous infection campaign in which attackers might have triggered another social engineering trick based on certificates.
The metadata for the file contains bogus information. The installer claims to be Piriform’s Speccy, a software application for gathering systems specifications. It also claims to be signed by Tim Kosse, a developer famous for the FileZilla FTP/SFTP software, but the file signature is invalid.
When we asked Proofpoint’s Threat Research team about why the attacker didn’t change the metadata to fit the Bitwarden application better, they said “It is possible the actor was lazy, or just didn’t want to bother with changing it. Many consumers do not pay attention to these details. If the filename looks right, they’ll probably execute it without questioning file metadata or digital signatures.”
Once launched, the installer creates a copy of itself into the AppData\Local\Temp folder of the currently logged-in user. It also creates a hidden file named .cmd in the same folder. The .cmd file deletes the installer and itself using a command line loop. An executable file named ApplicationRuntimeMonitor.exe is placed into the user’s AppData\Roaming\RunTimeMonitor\ folder before being executed.
ZenRAT has been designed to be modular, although Proofpoint didn’t see additional modules. It’s expected that more modules might be developed and implemented with ZenRAT in the future.
How to protect from this ZenRAT malware threat
Proofpoint indicated it’s not known how the malware is being distributed; however, links to the fake Bitwarden website are probably sent to targets via email, social networks, instant messaging, via fake ads or SEO poisoning.
As noted by Proofpoint, people should be wary of ads in search engine results, because it seems to be a major driver of infections of this nature, especially within the last year.
It’s advised to deploy security solutions that are able to analyze email links and attached files, in addition to security solutions monitoring endpoints and servers.
Operating systems and all software running on it should always be kept up to date and patched to avoid being compromised by a common vulnerability.
Users should also be wary of invalid digital certificates when running an executable file that has a nonvalid digital signature. Current Microsoft Windows systems are configured by default to alert users about such a file before executing it. When in doubt, users shouldn’t execute the file and ask their IT staff about it.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
