New ZenRAT malware delivered via fake Bitwarden password manager


A new malware strain called ZenRAT has been spotted in the wild, delivered via fake installation packages for the Bitwarden password manager.

Discovered by researchers at Proofpoint last month, the malware is a modular remote access trojan (RAT) that can also act as an info-stealer and specifically targets Windows users.

The researchers were not able to identify the malware's distribution method; however, in past instances, similar malware masquerading as software installers has been delivered via SEO poisoning, adware bundles, or email.

ZenRAT was initially spotted on a website mimicking the legitimate Bitwarden site. This fake website selectively displays a counterfeit Bitwarden download for Windows users while redirecting non-Windows users to a cloned opensource.com article. Additionally, if Windows users click download links marked for Linux or macOS on the Downloads page, they are instead redirected to the legitimate Bitwarden site, vault.bitwarden.com.

Upon initial execution, ZenRAT contacts its command-and-control (C&C) server and sends it information about the host, such as CPU name, GPU name, OS version, installed security software and applications, and so on.

ZenRAT supports several commands, including transmitting logs, which reveal detailed system checks, geofencing, mutex creation, disk size verification and anti-virtualization measures. The researchers noted that ZenRAT is designed to be a modular, extendable implant; however, they have not yet seen other modules being used in the wild.

“Malware is often delivered via files that masquerade as legitimate application installers. End users should be mindful of only downloading software directly from the trusted source, and always check the domains hosting software downloads against domains belonging to the official website. People should also be wary of ads in search engine results, since that seems to be a major driver of infections of this nature, especially within the last year,” Proofpoint advised.
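The advice above, to check the domain hosting a download against the vendor's official domain, is easy to get wrong if done by eye: a lookalike such as a host that merely contains the vendor's name, or a punycode-encoded homoglyph domain, can pass a casual glance. The following is an added illustrative helper, not Proofpoint's or Bitwarden's code, that classifies a download URL as official, lookalike, or unofficial. The allowlist of official domains, the sample URLs, and the function names are assumptions constructed for this example; a real deployment would maintain its own vetted allowlist per vendor.

```python
"""Classify a software-download URL against a vendor's official domains.

Added example (not Proofpoint's or Bitwarden's code). The allowlist and the
sample URLs below are constructed for illustration.
"""
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist for the example: registrable domains the vendor controls.
OFFICIAL_DOMAINS = {
    "bitwarden": ("bitwarden.com",),
}


def _normalize_host(url: str) -> Optional[str]:
    """Return the lowercased hostname of an https URL, or None if the URL
    is not https or has no usable host (plain http and other schemes are
    rejected outright, since a trusted installer download should use TLS)."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()


def _is_subdomain_of(host: str, domain: str) -> bool:
    """True only for the domain itself or a label-aligned subdomain of it.
    'bitwarden.com.evil.example' and 'notbitwarden.com' both return False."""
    return host == domain or host.endswith("." + domain)


def classify_download_url(url: str, vendor: str) -> str:
    """Return 'official', 'lookalike' or 'unofficial' for a download link.

    'lookalike' covers hosts that contain the vendor name or an official
    domain only as a substring, and hosts with punycode (xn--) labels, which
    is how visually similar homoglyph domains are encoded on the wire."""
    host = _normalize_host(url)
    if host is None:
        return "unofficial"
    domains = OFFICIAL_DOMAINS[vendor]
    if any(_is_subdomain_of(host, d) for d in domains):
        return "official"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    if vendor in host or any(d in host for d in domains):
        return "lookalike"
    return "unofficial"


if __name__ == "__main__":
    # Constructed sample links; none of these hosts is an indicator from the article.
    samples = [
        "https://vault.bitwarden.com/#/",
        "https://bitwarden.com/download/",
        "https://bitwarden.com.example-cdn.net/Bitwarden-Installer.exe",
        "https://xn--bitwrden-abc.example/setup.exe",
        "http://bitwarden.com/download/",
        "https://downloads.example.org/bw.exe",
    ]
    for link in samples:
        print(f"{classify_download_url(link, 'bitwarden'):10s} {link}")
```

The subdomain test is label-aligned on purpose: a plain substring match would accept `bitwarden.com.example-cdn.net`, which is exactly the kind of host a cloned download page might use. Treating any `xn--` label as a lookalike is deliberately conservative; a vendor that legitimately uses an internationalized domain would add it to the allowlist.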
