Researchers have come across a new Trojan program dubbed ZenRAT that is being distributed as an installer for the popular Bitwarden password management application, as well as employing other tricks to deceive users. The Trojan has information-stealing capabilities and hasn’t been documented before.
“Malware is often delivered via files that masquerade as legitimate application installers,” researchers from security firm Proofpoint said in a report. “End users should be mindful of only downloading software directly from the trusted source, and always check the domains hosting software downloads against domains belonging to the official website.”
ZenRAT is distributed from webpages that mimic the site bitwarden.com, the home for the Bitwarden open-source password manager. The page is only shown to visitors with Windows computers, those with Linux being directed to an article about Bitwarden cloned from a media site.
While it’s not clear how users are directed to the rogue Bitwarden page, researchers point out that fake installers have been distributed in the past through SEO poisoning, a technique that involves hijacking search results for various terms by artificially inflating the page rank of hacked websites to appear higher in results. Other techniques involve email and social media spam.
ZenRAT installer shows weirdness
The executable file offered to Windows users for download is called Bitwarden-Installer-version-2023-7-1.exe and it has been uploaded to the VirusTotal database before with the name CertificateUpdate-version1-102-90, suggesting this is not the first time the attackers have distributed ZenRAT as a fake application.
This might also explain several weird aspects of the installer. The metadata information displayed by Windows claims the installer is Piriform’s Speccy, a software application for gathering system specifications, not Bitwarden. It’s very likely the attackers simply copied the installer metadata from their previous variant or are mimicking multiple applications.
Furthermore, the file’s digital signature — which is broken and invalid — claims to be that of the developer of the open-source Filezilla FTP/SFTP software.
When executed, the installer drops an executable called ApplicationRuntimeMonitor.exe into C:Users[username]AppDataRoamingRuntime Monitor and runs it. This file’s metadata again claims to be something else, an application created by Monitoring Legacy World Ltd.
Upon execution, ZenRAT collects system information and sends it to the command-and-control (C2) server. This includes the CPU and GPU names, the OS version, the amount of RAM, IP address and gateway address, the installed antivirus program, and a list of installed applications. In addition, it also captures credentials saved inside browsers and sends them to the C2 server as well.
The malware is a modular RAT
The communication between the RAT and the C2 includes commands that involve the execution and update of modules. These are components that enable various functionalities which attackers can deliver to victims if they so choose after analyzing the initially captured information.
“The existence of the Task and Module ID fields implies that ZenRAT is designed to be a modular, extendable implant,” the researchers said. “At this time, we have not observed other modules being used in the wild.”
Another interesting command is one that asks the trojan to send back the logs about the tasks it executed and completed back to the server. This includes various checks performed on the system, including the result of attempts to detect if it was executed in a virtual machine which could indicate an automated malware scanner. Another check is for the language of the system, the malware not installing on systems with languages from former Soviet Union countries. This is a common check that malware authors from Russia and the CIS countries perform on systems, supposedly to avoid becoming a focus of local law enforcement in their own countries.