A recently discovered malware variant named ZenRAT has surfaced, camouflaged within fraudulent Bitwarden installation bundles.
Proofpoint has uncovered ZenRAT, a modular remote access trojan (RAT) that specifically targets Windows users, prioritizing the theft of information. While the precise method of malware distribution remains undisclosed, prior occurrences of similar threats have frequently relied on SEO poisoning, adware bundles, or email campaigns.
ZenRAT first appeared on a deceptive website mimicking the real Bitwarden site, where it tricks Windows users with a fake Bitwarden download link, while redirecting non-Windows users to a cloned opensource.com article.
In late July 2023, the installer file first surfaced on VirusTotal under a different name. It disguises itself as “Piriform’s Speccy,” a program for collecting system specifications, and falsely claims to bear the signature of Tim Kosse, a well-known developer associated with the FileZilla FTP/SFTP software.
Upon launch, ZenRAT adopts the guise of “ApplicationRuntimeMonitor.exe” and operates by collecting an extensive array of system information, including CPU and GPU specifics, operating system version, RAM capacity, IP address, as well as a list of installed antivirus software and applications.
This stolen data, along with browser information, is subsequently transmitted to a command-and-control (C2) server, employing a distinctive communication protocol.
The communication between ZenRAT and its C2 server involves a variety of parameters, including command IDs, data sizes, hardware IDs, bot IDs, versions, and builds.
ZenRAT supports a notable set of commands, including transmitting logs that reveal its in-depth system checks: geofencing, mutex creation, disk-size verification, and anti-virtualization measures. While its modular design suggests the potential to expand its functionality, only the core features have been observed in action so far.
In today’s advisory, Proofpoint strongly advises users to obtain software exclusively from trusted and reputable sources.
The advisory cautions, “End users should exercise caution by downloading software only from the official source and verifying the domains hosting software downloads against the official website. Additionally, individuals should remain vigilant when encountering ads in search engine results, as these have been a significant source of infections, particularly in the past year.”
Indicators of Compromise

| Indicator | Description |
|---|---|
| 185[.]186.72.14:9890 | Observed ZenRAT C2 server |
| 185[.]156.72.8:9890 | Observed nonresponsive ZenRAT C2 server |
| bitwariden[.]com | Bitwarden look-alike domain |
| crazygameis[.]com | Payload delivery domain |
| obsploject[.]com | OBS Project look-alike domain (recently registered, no longer responsive) |
| geogebraa[.]com | GeoGebra look-alike domain (recently registered, no longer responsive) |
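The advisory's two recommendations, checking download domains against the official site and watching for the indicators above, can be turned into a small detection pass over proxy or DNS logs. The script below is an added example written for this article, not Proofpoint's tooling: it refangs the defanged indicators from the table, matches them against constructed log lines, and separately flags hosts that sit within a small edit distance of an assumed allowlist of official domains (`OFFICIAL_DOMAINS`, the log format, and the `bitwardem.com` look-alike in the sample are all constructed for illustration).

```python
from dataclasses import dataclass

# Indicators from the article's IoC table, kept in their defanged form.
DEFANGED_IOCS = {
    "185[.]186.72.14:9890": "Observed ZenRAT C2 server",
    "185[.]156.72.8:9890": "Observed nonresponsive ZenRAT C2 server",
    "bitwariden[.]com": "Bitwarden look-alike domain",
    "crazygameis[.]com": "Payload delivery domain",
    "obsploject[.]com": "OBS Project look-alike domain",
    "geogebraa[.]com": "GeoGebra look-alike domain",
}

# Assumed allowlist of official download domains (not from the article).
OFFICIAL_DOMAINS = {"bitwarden.com", "obsproject.com", "geogebra.org"}

# Constructed proxy log lines: timestamp, then key=value fields.
# The 'bitwardem.com' host is a made-up look-alike not in the IoC table.
SAMPLE_LOG = """\
2023-09-26T10:01:02Z src=10.0.0.5 host=bitwarden.com dst=104.16.0.1:443
2023-09-26T10:02:11Z src=10.0.0.7 host=bitwariden.com dst=203.0.113.9:443
2023-09-26T10:02:15Z src=10.0.0.7 host=crazygameis.com dst=203.0.113.10:443
2023-09-26T10:05:40Z src=10.0.0.7 host=- dst=185.186.72.14:9890
2023-09-26T10:06:00Z src=10.0.0.9 host=obsproject.com dst=104.16.0.2:443
2023-09-26T10:07:30Z src=10.0.0.9 host=obsploject.com dst=203.0.113.11:443
2023-09-26T10:09:12Z src=10.0.0.12 host=bitwardem.com dst=203.0.113.12:443
2023-09-26T10:10:00Z src=10.0.0.12 host=example.com dst=93.184.216.34:443
"""


@dataclass
class Finding:
    timestamp: str
    src: str
    kind: str        # "ioc" (exact indicator hit) or "lookalike"
    indicator: str
    note: str


def refang(indicator: str) -> str:
    """Turn the defanged '[.]' notation back into a real dot for matching."""
    return indicator.replace("[.]", ".")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough for short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Crude 'last two labels' reduction (assumption: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_of(host: str, max_distance: int = 2):
    """Return the official domain a host resembles, or None if it is official
    or not close to any entry in the allowlist."""
    reg = registered_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return None
    label = reg.split(".")[0]
    for official in sorted(OFFICIAL_DOMAINS):
        if levenshtein(label, official.split(".")[0]) <= max_distance:
            return official
    return None


def scan(log_text: str):
    """Match each log line against the refanged IoCs, then the look-alike check."""
    ioc_map = {refang(k): v for k, v in DEFANGED_IOCS.items()}
    findings = []
    for line in log_text.splitlines():
        tokens = line.split()
        ts, fields = tokens[0], dict(kv.split("=", 1) for kv in tokens[1:])
        host, dst = fields.get("host", "-"), fields.get("dst", "-")
        if dst in ioc_map:
            findings.append(Finding(ts, fields["src"], "ioc", dst, ioc_map[dst]))
        if host == "-":
            continue
        if host in ioc_map:
            findings.append(Finding(ts, fields["src"], "ioc", host, ioc_map[host]))
        else:
            official = lookalike_of(host)
            if official:
                findings.append(Finding(ts, fields["src"], "lookalike", host,
                                        f"resembles official domain {official}"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} {f.kind:9} {f.indicator:25} {f.note}")
```

The exact-match pass catches the listed C2 endpoint and the known look-alike domains; the edit-distance pass is what catches a typosquat the feed has not seen yet, which is the point of the advisory's "verify the domain against the official website" guidance. Tune `max_distance` and the allowlist to the software actually approved in your environment, and expect some noise from legitimately similar names.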