Novel ZenRAT Scurries Onto Systems via Fake Password Manager Tool

A novel info-stealing malware variant is lurking behind fake installation packages of the open source password manager Bitwarden, in an elaborate scheme exclusively targeting Windows users.

The attack uses a fake website to distribute the packages.

Researcher Jérôme Segura, senior director of threat intelligence at Malwarebytes, shared a sample of the malware — dubbed ZenRAT — with researchers at Proofpoint in August, they revealed in a blog post published this week.

Segura had discovered the malware on a website, bitwariden[.]com, purporting to be associated with Bitwarden and "a very convincing lookalike to the real bitwarden.com," Proofpoint's Tony Robinson and the Proofpoint Threat Research Team wrote in the post. ZenRAT came packaged as a .NET executable with a standard Bitwarden installation package being distributed by the site.

The malware includes several modules that perform typical RAT functions, such as collecting system-fingerprinting and installed-applications data, and stealing passwords and other information from browsers to send back to attackers via a command-and-control (C2) server.

The threat actors behind the campaign went to great lengths to ensure that the malicious packages are distributed only to people who would use Bitwarden on a Windows platform because the impersonation site presents the fake Bitwarden download to users only if they access it via a Windows host.

Non-Windows users attempting to navigate to the domain are redirected to a cloned opensource.com article about the password manager, while Windows users clicking download links marked for Linux or MacOS are instead redirected to the legitimate Bitwarden site, vault.bitwarden.com, the researchers noted.

How users reach the fake Bitwarden site in the first place is as yet unknown, though "historic activities that have masqueraded as fake software installers have been delivered via SEO Poisoning, adware bundles, or via email," the researchers wrote.

How ZenRAT Works

If a Windows user clicks to install the malicious package, it results in an attempt to download Bitwarden-Installer-version-2023-7-1.exe, which appears to have been first reported on VirusTotal on July 28 under a different name, CertificateUpdate-version1-102-90. The payload observed by the researchers was hosted on the domain crazygameis.com, which by the time the blog post was written had ceased hosting the malicious package, the researchers noted.

Once a system is infected, the installer file copies itself to C:\Users\[username]\Appdata\Local\Temp and creates a hidden file, .cmd, in the same directory. This file launches a self-deletion loop for both itself and the installer file.

The installer places a copy of an executable, ApplicationRuntimeMonitor.exe, into C:\Users\[username]\AppData\Roaming\Runtime Monitor\, and runs it, effectively launching ZenRAT, which "features some interesting metadata claiming to be a completely different application," the researchers noted. Indeed, the file properties of the malware claim that it is created by Monitoring Legacy World Ltd, likely as an evasion mechanism.

The malware's first order of business once it starts running is to establish communication with C2 and use WMI queries and other system tools to gather information about the host. This info includes: CPU name, GPU name, OS version, installed RAM, IP address and gateway, installed antivirus, and installed applications.

The researchers observed the malware sending this information back to its C2 server along with stolen browser data/credentials in a zip file called Data.zip that uses the file names InstalledApps.txt and SysInfo.txt.

Targeting Password Managers

The scenario isn't the first time threat actors have targeted Bitwarden or other password management technology for malicious activity as a way to target the credentials hosted in their password vaults.

A previous campaign delivered paid ads to credential- stealing phishing sites in response to searches for Bitwarden, which has more than 15 million users, and a similar technology, 1Password. Attackers also have previously breached the customer password vault of LastPass, one of the largest players in the space.

Since malware is often delivered via files that masquerade as legitimate application installers, the researchers recommended that end users consistently be mindful only to download software directly from the trusted source. People also should verify the domains hosting software downloads against domains belonging to the official website to ensure that the install package is legitimate and not being hosted by a malicious site.

Another way to avoid being compromised by malicious installers is to be wary of ads in search engine results, the researchers noted, "since that seems to be a major driver of infections of this nature, especially within the last year."