ZenRAT Malware Uncovered in Bitwarden Impersonation

A new malware strain called ZenRAT has emerged, concealed within counterfeit Bitwarden installation packages.

Discovered by Proofpoint, ZenRAT is a modular remote access trojan (RAT) specifically targeting Windows users with a primary focus on information theft. While the exact method of distributing the malware remains undisclosed, past instances of similar threats have often utilized SEO poisoning, adware bundles or email campaigns.

ZenRAT initially appeared on a deceptive website closely resembling the legitimate Bitwarden site. This malicious website selectively displays a counterfeit Bitwarden download for Windows users while redirecting non-Windows users to a cloned opensource.com article. 

The installer file was initially reported on VirusTotal under a different name in late July 2023. The malware masquerades as “Piriform’s Speccy,” a program that gathers system specifications, and pretends to bear the signature of Tim Kosse, a developer recognized for the FileZilla FTP/SFTP software.

Once launched, ZenRAT poses as ApplicationRuntimeMonitor.exe and gathers a wide range of system information, such as CPU and GPU details, operating system version, RAM, IP address, installed antivirus software and applications.

This stolen data, along with browser information, is subsequently transmitted to a command-and-control (C2) server, employing a distinctive communication protocol.

The communication process between ZenRAT and its C2 server is characterized by various command IDs, data sizes, hardware IDs, bot IDs, versions and builds. 

Notably, ZenRAT supports several commands, including transmitting logs, which reveal detailed system checks, geofencing, mutex creation, disk size verification and anti-virtualization measures. ZenRAT’s modular design implies potential for extending its capabilities, although, as of now, only the core functionality has been observed.

In an advisory published today, Proofpoint strongly urged users to download software exclusively from reputable sources.

“End users should be mindful of only downloading software directly from the trusted source, and always check the domains hosting software downloads against domains belonging to the official website,” reads the advisory.

“People should also be wary of ads in search engine results since that seems to be a major driver of infections of this nature, especially within the last year.”
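
The domain check the advisory recommends can be automated. The following is an added example, not code from Proofpoint or the original article; it assumes bitwarden.com is the only official download domain, requires HTTPS as an extra condition, and uses constructed sample URLs.

```python
from urllib.parse import urlsplit

# Assumption for this example: the vendor's only official download domain.
OFFICIAL_DOMAINS = {"bitwarden.com"}

def download_host(url):
    """Return the normalised host the URL really points at, or None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:              # malformed URL, e.g. unbalanced brackets
        return None
    # Added strictness (assumption): only HTTPS downloads are acceptable.
    if parts.scheme != "https" or not parts.hostname:
        return None
    # .hostname drops any "user@" prefix and the port, and is lower-cased.
    host = parts.hostname.rstrip(".")
    try:
        # Punycode-encode Unicode labels so a homoglyph name can never
        # compare equal to the ASCII original.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None

def is_official_download(url, official=OFFICIAL_DOMAINS):
    """True only if the host is an official domain or a subdomain of one."""
    host = download_host(url)
    if host is None:
        return False
    # Match on a label boundary so "bitwarden.com.downloads.example" or a
    # name that merely ends in the same letters cannot pass.
    # Accepting subdomains assumes the vendor controls all of them.
    return any(host == d or host.endswith("." + d) for d in official)

# Constructed sample URLs (not taken from the campaign).
SAMPLES = [
    "https://bitwarden.com/download/",
    "https://bitwarden.com.downloads.example/setup.exe",
    "https://bitwarden.com@downloads.example/setup.exe",
    "https://bitw\u0430rden.com/download/",   # Cyrillic "a" homoglyph
    "http://bitwarden.com/download/",
]

def triage(urls=SAMPLES):
    """Map each URL to whether it is hosted on an official domain."""
    return {u: is_official_download(u) for u in urls}

if __name__ == "__main__":
    for url, ok in triage().items():
        print("OFFICIAL" if ok else "REJECT  ", url.encode("ascii", "backslashreplace").decode())
```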

UPDATE: The article has been updated on 27/09/2023 to clarify the fact that the malware claims to be signed by Tim Kosse, but it is not.
