The new malware ZenRAT, a remote access Trojan, disguises itself as an installation package for the password manager Bitwarden and targets Windows users.
Proofpoint often receives tips from the security community that lead to the investigation and detection of new malware. On August 10, 2023, Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes, shared a malware sample as part of a Windows software installation package.
Spread of ZenRAT still unclear
🔎Figure 1: Fake Bitwarden website, bitwariden[.]com. With a striking similarity to the real website bitwarden.com. It is currently unclear how cybercriminals route traffic to this domain (Image: Proofpoint)
How the cybercriminals behind ZenRAT spread the malware is currently unclear. In the past, malware disguised as a fake software installer was distributed via SEO poisoning, adware bundles, or via email.
Fake Bitware Website.png
Targeting Windows users exclusively
The malicious website only displays the fake Bitwarden download when a user accesses it from a Windows host. If a non-Windows user visits the domain, a completely different page is displayed.
🔎When a non-Windows user tries to visit the malicious website, they will be redirected to a cloned opensource.com article instead. This screenshot was created with Mozilla Firefox on Ubuntu 22.04 (Image: Proofpoint)
The website instead masquerades as the legitimate “opensource.com” website and even goes so far as to clone an Opensource.com article by Scott Nesbitt about the Bitwarden password manager. When Windows users click on download links marked for Linux or MacOS on the download page, they are instead redirected to the legitimate Bitwarden website vault.bitwarden.com.
When they click the Download button or the Desktop Installer for Windows button, it attempts to download the Bitwarden-Installer-version-2023-7-1.exe file. This payload is or was hosted on the domain crazygameis[.]com. However, at the time of publishing the Proofpoint blog, it was apparently no longer hosting the payload.
Go directly to the report at Proofpoint.com
About Proofpoint Proofpoint, Inc. is a leading cybersecurity company. The focus for Proofpoint is the protection of employees. Because these mean the greatest capital for a company, but also the greatest risk. With an integrated suite of cloud-based cybersecurity solutions, Proofpoint helps organizations around the world stop targeted threats, protect their data, and educate enterprise IT users about the risks of cyberattacks.