ZenRAT Malware Targets Windows Users Via Fake Bitwarden Password Manager Installation Package


Windows operating systems are the target of new malware dubbed ZenRAT by U.S.-based cybersecurity company Proofpoint. The attackers built a website that impersonates the popular Bitwarden password manager; if accessed via Windows, the fake site delivers the ZenRAT malware disguised as Bitwarden software. It’s currently unknown if the malware is used by threat actors for cyberespionage or for financial fraud.

We’ll delve into the technical details and share more information from Proofpoint researchers, as well as provide tips on mitigating this ZenRAT malware threat.

What is ZenRAT malware, and what happens when it’s executed?

ZenRAT is malware developed in .NET. It was previously unreported and specifically targets Microsoft Windows operating systems. Once executed, the ZenRAT malware queries the system to gather information:

  • CPU and GPU names.
  • Operating system version.
  • RAM capacity.
  • IP address and gateway IP address.
  • Installed software including antivirus.

The data is sent as a ZIP archive to its command and control server, along with stolen browser data and credentials. The ZIP file contains two files named InstalledApps.txt and SysInfo.txt. Proofpoint told TechRepublic that they "… observed ZenRAT stealing data from both Chrome and Firefox" and believe "It's reasonable to assume that it would have support for most Chromium-based browsers."

The malware performs several checks when it runs. First, it verifies that it is not running in Belarus, Kyrgyzstan, Kazakhstan, Moldova, Russia or Ukraine.

Then, the malware ensures it isn't already running on the system by checking for a specific mutex, and verifies that the hard drive is at least 95GB in size, since a smaller disk might indicate a sandbox. It also checks for the process names of known virtualization products to verify it isn't running in a virtualized environment.

Once the checks have been passed, the malware sends a ping command to be sure it’s connected to the internet, and checks if there is an update for the malware.
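The evasion checks described above, as an added example (not Proofpoint's or TechRepublic's code): a small Python audit that reports which of the documented ZenRAT checks an analysis VM would trip, so an analyst can build a sandbox the sample will actually detonate in. The guest-tool process names and the sample VM profile are assumptions; the article lists neither.

```python
"""Audit an analysis VM against the evasion checks attributed to ZenRAT."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Countries the sample refuses to run in (ISO codes for the list in the article).
EXCLUDED_COUNTRIES = {"BY", "KG", "KZ", "MD", "RU", "UA"}
MIN_DISK_GB = 95  # sample treats a smaller disk as a sandbox (from the article)
# Assumed guest-tool process names; the article does not list the exact names.
VM_PROCESS_NAMES = {"vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe", "vmwaretray.exe"}


@dataclass
class SandboxProfile:
    """Constructed description of an analysis VM as the sample would observe it."""
    country_code: str
    disk_size_gb: int
    processes: Set[str] = field(default_factory=set)
    existing_mutexes: Set[str] = field(default_factory=set)


def evasion_triggers(profile: SandboxProfile, sample_mutex: Optional[str] = None) -> List[str]:
    """Return the documented checks this profile trips; an empty list means the sample should run."""
    triggers: List[str] = []
    if profile.country_code.upper() in EXCLUDED_COUNTRIES:
        triggers.append(f"geolocation: {profile.country_code} is in the exclusion list")
    if profile.disk_size_gb < MIN_DISK_GB:
        triggers.append(f"disk: {profile.disk_size_gb}GB is below the {MIN_DISK_GB}GB threshold")
    vm_hits = sorted(p for p in profile.processes if p.lower() in VM_PROCESS_NAMES)
    if vm_hits:
        triggers.append("virtualization: guest-tool processes visible: " + ", ".join(vm_hits))
    if sample_mutex and sample_mutex in profile.existing_mutexes:
        triggers.append(f"mutex: {sample_mutex} already held, sample assumes it is running")
    return triggers


if __name__ == "__main__":
    # Constructed profile of a default-looking VM: small disk, VMware tools running.
    vm = SandboxProfile("US", 60, {"explorer.exe", "vmtoolsd.exe"})
    for reason in evasion_triggers(vm):
        print("sample would abort:", reason)
```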

In addition, the malware has the ability to send its log files to the C2 server in clear text, probably for debugging…

Source…