ZenRAT Malware Uncovered in Bitwarden Impersonation

A recently discovered malware variant named ZenRAT has surfaced, camouflaged within fraudulent Bitwarden installation bundles.

ZenRAT Malware

Proofpoint has uncovered ZenRAT, a modular remote access trojan (RAT) that targets Windows users and focuses on information theft. The precise distribution method has not been disclosed, but similar threats have frequently relied on SEO poisoning, adware bundles, or email campaigns.

ZenRAT was first seen on a deceptive website mimicking the real Bitwarden site. The site serves Windows users a fake Bitwarden download link and redirects non-Windows users to a cloned opensource.com article.

The installer file first surfaced on VirusTotal in late July 2023 under a different name. It masquerades as “Piriform’s Speccy,” a utility for collecting system specifications, and falsely claims to be signed by Tim Kosse, a well-known developer associated with the FileZilla FTP/SFTP software.

Once launched, ZenRAT runs under the name “ApplicationRuntimeMonitor.exe” and collects an extensive array of system information: CPU and GPU details, operating system version, RAM capacity, IP address, and a list of installed antivirus software and applications.

This stolen data, along with browser information, is then transmitted to a command-and-control (C2) server using the malware’s own communication protocol.

Messages between ZenRAT and its C2 server carry a variety of parameters, including command IDs, data sizes, hardware IDs, bot IDs, version numbers, and build identifiers.

ZenRAT supports a notable set of commands, including log transmission; the transmitted logs reveal in-depth system checks such as geofencing, mutex creation, disk-size verification, and anti-virtualization checks. Its modular design suggests that functionality could be expanded, but so far only the core features have been observed in use.

In today’s advisory, Proofpoint strongly advises users to obtain software only from trusted and reputable sources.

The advisory cautions, “End users should exercise caution by downloading software only from the official source and verifying the domains hosting software downloads against the official website. Additionally, individuals should remain vigilant when encountering ads in search engine results, as these have been a significant source of infections, particularly in the past year.”

Indicators of Compromise

Indicator                     Purpose
185[.]186.72.14:9890          Observed ZenRAT C2 server
185[.]156.72.8:9890           Observed nonresponsive ZenRAT C2 server
bitwariden[.]com              Bitwarden look-alike domain
crazygameis[.]com             Payload delivery domain
obsploject[.]com              OBS Project look-alike domain (recently registered, no longer responsive)
geogebraa[.]com               GeoGebra look-alike domain (recently registered, no longer responsive)

SHA256                        Observed Filename
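The following is an added example, not code from the article or from Proofpoint. It turns the advisory’s advice (check the domain serving a download against the official site) and the indicator table above into two defender-side checks: it refangs the published indicators and matches them against proxy/DNS log lines, and it flags hosts whose second-level label is within a small edit distance of a legitimate download domain, which catches look-alikes such as bitwariden[.]com even before they appear on an indicator list. The log line format, the list of legitimate domains, and the edit-distance threshold are assumptions; the log lines are constructed for the example.

```python
"""Added example (not from the article or Proofpoint): match the published
ZenRAT indicators against proxy/DNS log lines and flag look-alike domains.
Assumed, not from the page: the log format, LEGIT_DOMAINS, and the threshold."""
import re
from urllib.parse import urlparse

# Indicators exactly as the article lists them (defanged).
DEFANGED_IOCS = {
    "185[.]186.72.14:9890": "Observed ZenRAT C2 server",
    "185[.]156.72.8:9890": "Observed nonresponsive ZenRAT C2 server",
    "bitwariden[.]com": "Bitwarden look-alike domain",
    "crazygameis[.]com": "Payload delivery domain",
    "obsploject[.]com": "OBS Project look-alike domain",
    "geogebraa[.]com": "GeoGebra look-alike domain",
}

# Official domains to compare against (assumed for the example).
LEGIT_DOMAINS = ["bitwarden.com", "obsproject.com", "geogebra.org"]

# Constructed log lines (not real traffic): "<ts> <src> <dst>:<port> <url>".
SAMPLE_LOG = """\
2023-09-26T10:01:02Z 10.0.0.5 bitwariden.com:443 https://bitwariden.com/download/setup.exe
2023-09-26T10:01:07Z 10.0.0.5 crazygameis.com:443 https://crazygameis.com/files/setup.exe
2023-09-26T10:02:30Z 10.0.0.5 185.186.72.14:9890 -
2023-09-26T10:03:00Z 10.0.0.9 bitwarden.com:443 https://bitwarden.com/download/
2023-09-26T10:04:11Z 10.0.0.7 185.156.72.8:443 -
2023-09-26T10:05:45Z 10.0.0.8 bitwardn.com:443 https://bitwardn.com/setup.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) (?P<url>\S+)$")


def refang(ioc: str) -> str:
    """Turn the published '185[.]186.72.14' form back into a usable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def ioc_host(ioc: str) -> str:
    """Drop the port: an IoC IP is worth flagging on any port."""
    return refang(ioc).partition(":")[0].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats of legitimate labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, legit=LEGIT_DOMAINS, max_distance: int = 2):
    """Return the legitimate domain that `host` imitates, or None.

    The official domain and its subdomains are not look-alikes. Otherwise the
    second-level label is compared (so geogebraa.com still maps to geogebra.org);
    the same label under a different TLD is reported too, for a human to review.
    """
    host = host.lower()
    if any(host == d or host.endswith("." + d) for d in legit):
        return None
    labels = host.split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]
    best = min(legit, key=lambda d: edit_distance(sld, d.split(".")[-2]))
    return best if edit_distance(sld, best.split(".")[-2]) <= max_distance else None


def is_official_download(url: str, legit=LEGIT_DOMAINS) -> bool:
    """The advisory's check: the host serving the installer must be the
    official domain (or a subdomain of it), not merely resemble it."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in legit)


def scan_log(text: str):
    """Return (src, dst, kind, detail) for every line that hits an IoC
    or a look-alike domain. Lines that do not parse are skipped."""
    ioc_hosts = {ioc_host(k): v for k, v in DEFANGED_IOCS.items()}
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dst = m["dst"].lower()
        if dst in ioc_hosts:
            hits.append((m["src"], dst, "ioc", ioc_hosts[dst]))
            continue
        target = lookalike_of(dst)
        if target:
            hits.append((m["src"], dst, "lookalike", "resembles " + target))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

Matching the IoC IPs on any port is deliberate: the port in the table is what Proofpoint observed, not a property the operator must keep. The look-alike check is a triage aid rather than a verdict, so treat its output as something to review alongside the exact-match hits.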

About the Author:

FirstHackersNews- Identifies Security
