How this malware hides in Bitwarden and escapes antivirus software to steal your information
ZenRAT is a new piece of malware that targets Windows users and hides in fake installation packages of Bitwarden, a popular and secure password manager. This remote access trojan (RAT) was discovered by Proofpoint, a company specializing in cybersecurity. ZenRAT aims to steal sensitive information from users, such as their credentials, passwords, IP addresses or browser data.
How does ZenRAT hide in Bitwarden?
ZenRAT uses a social engineering technique to trick users and make them download a fake installation package of Bitwarden. The malicious website that hosts the file looks very similar to the official Bitwarden website, but it uses a different domain name. The downloaded file contains an executable named ZenRAT, which installs discreetly on the victim’s computer and starts collecting and sending their personal information to a command and control server.
ZenRAT hides in Bitwarden to take advantage of its popularity and credibility, as it is used by millions of users worldwide. By imitating the website and logo of Bitwarden, ZenRAT hopes to attract users who are looking to download or update this software, and to convince them that they are on the official website. Thus, ZenRAT can induce users to install the malicious file without suspicion.
This brand impersonation technique is commonly used by cybercriminals to spread malware under the guise of legitimate applications. Users should therefore be careful to only download software from a reliable source, and to check the domain name of the website. They should also be wary of advertisements in search engine results, which can be a major vector of infection.
What are the technical means used by ZenRAT to achieve its goals and protect itself?
ZenRAT uses several technical means to achieve its goals and to evade security tools. Among these means, we can mention:
- Encryption: It encrypts the data it steals and sends to the command and control server, using an AES algorithm with a randomly generated key. Thus, ZenRAT makes it harder to detect and analyze its network traffic by antivirus or firewall software.
- Polymorphism: ZenRAT changes its appearance and behavior regularly, using techniques such as packing, obfuscation or mutation. Thus, ZenRAT escapes the static signatures of antivirus or intrusion detection software.
- Geofencing: It checks the geographical location of the infected computer, using the IP address or browser data. If the computer is located in an area that does not interest the hacker, such as Russia or China, ZenRAT stops and uninstalls itself. Thus, ZenRAT reduces the risk of being discovered or analyzed by security researchers.
- Anti-virtualization: ZenRAT detects if the infected computer is a virtual machine or a sandbox, using indicators such as the name of the CPU, GPU, RAM or hard disk. If so, ZenRAT stops and uninstalls itself. Thus, ZenRAT avoids being studied or neutralized by security experts.
- QR codes: ZenRAT uses QR codes to communicate with its command and control server, using a dedicated mobile application. Thus, ZenRAT bypasses network filters or proxies that could block its traffic. The QR codes contain encrypted and compressed data, which are decoded and executed by the malware on the infected computer.
- Password generator: ZenRAT uses a password generator to create random and strong passwords, which it uses to access online accounts of users. Thus, ZenRAT increases its chances of succeeding in brute force or dictionary attacks, and makes it more difficult for users to change or reset their passwords.
These technical means show that ZenRAT is a sophisticated and adaptable malware, which can circumvent or resist various forms of defense. They also testify to the malicious intent of the hacker, who seeks to maximize his impact and minimize his traceability.
Why is ZenRAT a serious threat?
ZenRAT is a serious threat to the security and privacy of Internet users, because it steals personal and confidential information, which can be used to access sensitive services, identify and track users, analyze their habits and preferences, or inject malicious advertisements or spyware. It uses various technical means to spread and hide itself, and it escapes antivirus and security software.
ZenRAT has not yet been widely studied or detected by antivirus or security software. According to Proofpoint, the detection rate of the malicious file on VirusTotal was less than 10% at the time of their analysis. Other sources confirm that ZenRAT is a little-known and rare malware. It is therefore important to be vigilant and only download software from a reliable source, checking the domain name of the website.
ZenRAT is also a malware that specifically targets Windows users, and Windows accounts for the majority of operating systems in the world. According to StatCounter, Windows had a market share of 72% in September 2023. This means that ZenRAT can potentially infect more than a billion Windows computers worldwide. Moreover, ZenRAT attacks users of Bitwarden, a password manager that has more than 25 million users worldwide. By stealing their passwords, ZenRAT can access their online accounts and compromise their security.
Here is a summary table of the main characteristics of ZenRAT:
| Characteristic | Detail |
| --- | --- |
| Type | Remote Access Trojan (RAT) |
| Infection Method | Fake Bitwarden installation packages |
| Objective | Steal sensitive user information |
| Technical Means | Encryption, polymorphism, geofencing, anti-virtualization, QR codes, password generator |
| Detection Rate | Below 10% on VirusTotal |
| Associated Threats | Typosquatting, phishing, credential theft |
| Targeted Service | Bitwarden password manager |
| Date of Discovery | August 2023 |
| Malicious Email Campaigns | Several, targeting organizations across various sectors |
| Associated Malicious Domains | bitwariden[.]com, crazygameis[.]com, obsproject[.]com, geogebraa[.]com |
| Dedicated Mobile Application | ZenRAT Scanner |
| Fake Installers | Bitwarden-Installer-version-2023-7-1.exe, CertificateUpdate-version1-102-90 |
| Signed by | Falsely claimed to be signed by Tim Kosse |
| Copy of Executable Location | ApplicationRuntimeMonitor.exe stored in C:\Users\[username]\AppData\Roaming\Runtime Monitor |
| Collected Data | CPU Name, GPU Name, OS Version, Installed RAM, IP Address & Gateway, Installed Antivirus, Installed Applications |
| C2 Communication | Server IP: 185[.]186.72.14. Custom C2 protocol used |
| Unique Features | Checks: IsBlockedRegion, IsMutex, IsSmallDisk, IsDetectVM. Logs sent in plain text to C2 server |
| Indicators of Compromise | Several IP addresses and domains, as well as a list of SHA256 for associated files |
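The advice above to check the domain name, together with the domains and C2 address in the summary table, can be turned into a simple log check. The following is an added example, not code from the article or from Proofpoint: it scans constructed proxy-log lines for the table's indicators and for registrable names within a small edit distance of bitwarden.com (assumed to be the legitimate domain); the log format and the lookalike name bitvvarden.com are constructed for the example.

```python
from typing import Iterable, List, Tuple

# Defanged indicators copied from the article's summary table.
ZENRAT_DOMAINS = {"bitwariden.com", "crazygameis.com", "obsproject.com", "geogebraa.com"}
ZENRAT_C2_IP = "185.186.72.14"
# Assumption: bitwarden.com is the legitimate brand domain to protect.
BRAND_DOMAINS = {"bitwarden.com"}

# Constructed sample: "<timestamp> <source ip> <destination host> <path>".
SAMPLE_LOG = """\
2023-09-26T10:01:02Z 10.0.0.5 bitwarden.com /download
2023-09-26T10:01:09Z 10.0.0.5 bitwariden.com /Bitwarden-Installer-version-2023-7-1.exe
2023-09-26T10:02:30Z 10.0.0.7 bitvvarden.com /index.html
2023-09-26T10:03:00Z 10.0.0.5 185.186.72.14 /
2023-09-26T10:04:00Z 10.0.0.9 vault.bitwarden.com /api/sync
"""

def refang(ioc: str) -> str:
    """Turn a defanged name such as 'bitwariden[.]com' into 'bitwariden.com'."""
    return ioc.replace("[.]", ".")

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host: str, brands=BRAND_DOMAINS, max_distance: int = 2) -> bool:
    """True for a name close to a brand domain that is neither the brand nor one of its subdomains."""
    host = host.lower()
    for brand in brands:
        if host == brand or host.endswith("." + brand):
            return False
        if levenshtein(host, brand) <= max_distance:
            return True
    return False

def scan_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every line whose destination is a known or lookalike indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        dst = refang(parts[2]).lower()
        if dst in ZENRAT_DOMAINS or dst == ZENRAT_C2_IP:
            hits.append((n, "known ZenRAT indicator: " + dst))
        elif is_lookalike(dst):
            hits.append((n, "lookalike of a protected brand: " + dst))
    return hits
```

On the sample, lines 2, 3 and 4 are flagged while the legitimate bitwarden.com and vault.bitwarden.com requests are not; the edit-distance threshold should be tuned to the brand list to keep false positives down.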
ZenRAT is therefore a piece of malware that strategically targets Windows operating systems, hiding in fake installation packages of Bitwarden. It uses various technical means to spread and hide itself, and aims to steal sensitive information from users. It represents a serious threat to the security and privacy of Internet users.