
Bitwarden Imitators Distribute ZenRAT Malware: What You Need to Know

Posted: 2023-09-29
By: dwirch

Filed Under:

News, Security



Bogus Bitwarden websites are serving installers that masquerade as the open-source password manager but actually contain a new credential-stealing malware named ZenRAT. Aimed at Windows users, these counterfeit sites mirror the official Bitwarden site and rely on typosquatting (a domain name one or two characters off from the real one) to deceive unsuspecting visitors.

ZenRAT's primary function is to harvest browser data, login credentials, and details about the compromised device; in practice it operates as an information stealer. The stolen data lets attackers impersonate the legitimate user and gain unauthorized access to their accounts.

Proofpoint security researchers uncovered the threat after Malwarebytes' Jérôme Segura supplied a malware sample in August. They traced the distribution point to a very convincing lookalike of bitwarden.com at the domain bitwariden[.]com.

Inside the imitation Bitwarden installer was a malicious .NET executable, a remote access trojan (RAT) with data-stealing capabilities, now tracked as ZenRAT. Notably, the site serves the counterfeit Bitwarden package only to Windows visitors; everyone else is redirected to a cloned opensource.com article about the password manager.

The malware-laden Windows installer is downloaded from crazygameis[.]com, a lookalike domain mimicking the legitimate gaming site CrazyGames.
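Both domains in this campaign are one inserted character away from the brand they imitate (bitwariden vs. bitwarden, crazygameis vs. crazygames). The following is an added example, not code from the original post or from Proofpoint or Bitwarden, showing the check a defender can run over proxy logs, URL filters, or pasted indicators: normalize a candidate hostname (including the defanged "[.]" notation used above), reduce it to its registrable domain, and measure its edit distance against an allowlist of known legitimate domains. The allowlist, the distance threshold of 2, and the two-label registrable-domain rule are assumptions made for this example.

```python
# Added example: flag lookalike (typosquat) domains against a known-good list.
# Not part of the original post; allowlist and threshold are assumptions.
from typing import Dict, List

# Constructed allowlist of legitimate registrable domains (assumption).
KNOWN_DOMAINS: List[str] = ["bitwarden.com", "crazygames.com", "opensource.com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator or URL ('hxxps://bitwariden[.]com/dl') into a bare hostname."""
    s = indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if "://" in s:                      # drop the scheme
        s = s.split("://", 1)[1]
    return s.split("/", 1)[0]           # drop any path


def registrable(host: str) -> str:
    """Keep the last two labels ('dl.bitwarden.com' -> 'bitwarden.com').
    Simplification: multi-label public suffixes such as co.uk are not handled."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (Damerau-Levenshtein) distance: insertions,
    deletions, substitutions and adjacent transpositions each cost 1."""
    la, lb = len(a), len(b)
    dp = [[0] * (lb + 1) for _ in range(la + 1)]   # dp[i][j] = distance(a[:i], b[:j])
    for i in range(la + 1):
        dp[i][0] = i
    for j in range(lb + 1):
        dp[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            dp[i][j] = min(dp[i - 1][j] + 1,          # deletion
                           dp[i][j - 1] + 1,          # insertion
                           dp[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                dp[i][j] = min(dp[i][j], dp[i - 2][j - 2] + 1)  # transposition
    return dp[la][lb]


def check_domain(candidate: str, known: List[str] = KNOWN_DOMAINS,
                 max_distance: int = 2) -> Dict[str, object]:
    """Classify a hostname as 'legitimate' (exact allowlist match),
    'suspicious' (within max_distance edits of an allowlisted domain)
    or 'unrelated', reporting the closest allowlisted domain either way."""
    host = registrable(refang(candidate))
    if host in known:
        return {"domain": host, "verdict": "legitimate", "closest": host, "distance": 0}
    closest = min(known, key=lambda k: edit_distance(host, k))
    d = edit_distance(host, closest)
    verdict = "suspicious" if d <= max_distance else "unrelated"
    return {"domain": host, "verdict": verdict, "closest": closest, "distance": d}


if __name__ == "__main__":
    # The two indicators named in the post, plus a control for each verdict.
    for ioc in ("bitwariden[.]com", "hxxps://crazygameis[.]com/download",
                "dl.bitwarden.com", "example.org"):
        print(check_domain(ioc))
```

Edit distance catches the insertion, omission, and swapped-letter squats this campaign used, but not homoglyph or internationalized-domain tricks (a Cyrillic "а" in place of a Latin "a" scores as a single substitution only after normalization to a comparable form), so in production pair this with an exact allowlist of vendor download hosts and treat anything off that list as untrusted regardless of distance.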

How victims are led to the sham Bitwarden site is still unknown. Earlier campaigns targeting Bitwarden users, however, lured them through malicious Google ads.

Once running, ZenRAT uses WMI queries and other system tools to collect a wide range of host data, including CPU and GPU names, OS version, RAM, IP details, installed antivirus software, and installed applications. This data, together with the stolen browser information, is sent to a command-and-control (C2) server. Notably, ZenRAT will not check in from hosts located in certain regions, such as Russia and Ukraine, and it performs anti-analysis checks for signs that it is running in a sandbox or under a researcher's tooling.

The installer's metadata contains oddities: it falsely claims to be associated with the hardware-information app Speccy, and its digital signature falsely names Tim Kosse, the creator of the open-source FTP client FileZilla, as the signer. A signature that names an unrelated developer is a clear tell; inspecting the signature before running the installer (for example with Get-AuthenticodeSignature in PowerShell, which reports the signer and whether the signature is valid) would expose it.

Although ZenRAT is clearly built as an information stealer, its code shows signs of a modular design that could be extended with further capabilities, though no additional modules have been observed so far.

Bitwarden's growing reputation as a top-tier password manager also makes it an attractive target for cybercrime: a larger user base means more potential victims for campaigns like this one.

