New ZenRAT Malware Targeting Windows Users via Fake Password Manager Software

Cyber Security Threat Summary:
Researchers at Proofpoint have uncovered a new malware strain dubbed ZenRAT which is being distributed via bogus installation packages of the Bitwarden password manager. ZenRAT is a modular remote access trojan that comes with various modules designed to steal information from victims’ systems. Although researchers noted that ZenRAT is being hosted on fake websites pretending to be associated with Bitwarden, it’s unclear how end users are being directed to these sites. However, it’s common for actors to propagate such malware via phishing, malvertising, or SEO poisoning attacks. For its part, ZenRAT, once executed on the victim’s system, will gather details about the host, including CPU name, GPU name, operating system version, browser credentials, and installed applications and security software, which are then sent off to a C2 server operated by the threat actors. The trojan is also configured to transmit logs to the C2 server in plaintext; these logs capture a series of system checks carried out by the malware and the status of the execution of each module, indicating its use as a ‘modular, extendable implant.’

Security Officer Comments:
ZenRAT is designed specifically to target Windows systems, with users of other operating systems being directed to benign web pages. According to researchers, they observed one incident where users of non-Windows systems were redirected to a cloned open-source article published in March 2018 pertaining to how users can manage passwords with Bitwarden. Researchers also noted that if Windows users click on download links marked for Linux or macOS on the fake Bitwarden pages, they are instead redirected to the legitimate Bitwarden site.

Suggested Correction(s):
(Proofpoint) Malware is often delivered via files that masquerade as legitimate application installers. End users should be mindful of only downloading software directly from the trusted source, and always check the domains hosting software downloads against domains belonging to the official website. People should also be wary of ads in search engine results, since that seems to be a major driver of infections of this nature, especially within the last year.
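The domain check recommended above is easy to get wrong in automation: a naive suffix test accepts lookalike hosts that merely end in the vendor's name. The following is an added example, not code from the advisory or from Proofpoint, showing how a download-URL allowlist check can be implemented so that only the official domain and its subdomains pass, while lookalikes, plain-HTTP links and userinfo tricks are rejected. The allowlist containing only `bitwarden.com` and the sample URLs are constructed assumptions for illustration; confirm the vendor's actual download domains before relying on any list like this.

```python
from urllib.parse import urlsplit

# Assumed official domain for this example; verify the vendor's real
# download domains independently before using such a list in production.
OFFICIAL_HOSTS = {"bitwarden.com"}


def host_matches(host: str, allowed: str) -> bool:
    """Return True if `host` is exactly `allowed` or a subdomain of it.

    Matching must respect the label boundary: a bare suffix test such as
    host.endswith("bitwarden.com") would also accept "notbitwarden.com".
    """
    host = host.lower().rstrip(".")
    allowed = allowed.lower().rstrip(".")
    return host == allowed or host.endswith("." + allowed)


def is_official_download(url: str, allowed_hosts=OFFICIAL_HOSTS) -> bool:
    """Decide whether a download URL points at an allowlisted official host.

    Requires HTTPS and uses urlsplit().hostname, which strips any userinfo
    (e.g. "https://bitwarden.com@evil.test/" resolves to host "evil.test").
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname
    if not host:
        return False
    return any(host_matches(host, a) for a in allowed_hosts)


# Constructed sample links for demonstration only; none of these are real
# ZenRAT infrastructure.
SAMPLE_URLS = [
    "https://bitwarden.com/download/",
    "https://vault.bitwarden.com/download/",
    "https://BITWARDEN.COM/download/",
    "https://bitwarden.com.lookalike.test/Bitwarden-Installer.exe",
    "https://notbitwarden.com/download/",
    "http://bitwarden.com/download/",
    "https://bitwarden.com@lookalike.test/setup.exe",
]


def classify(urls):
    """Map each URL to True (official host) or False (do not trust)."""
    return {u: is_official_download(u) for u in urls}


if __name__ == "__main__":
    for url, ok in classify(SAMPLE_URLS).items():
        print(f"{'OFFICIAL' if ok else 'REJECT  '} {url}")
```

The same label-boundary rule applies to any vendor allowlist, not just this one; the key design points are anchoring the comparison at a dot, lowercasing before comparing, and parsing the host with a real URL parser rather than string searching.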