Password-stealing malware ZenRAT is impersonating popular password manager Bitwarden and coaxing unsuspecting victims into downloading it in the process, a cybersecurity research team has found.
Windows users are the targets this time – users who try to download the software for other types of devices are redirected to a benign clone of an article about Bitwarden pulled from a tech website.
Worryingly, the malware appears to have been active since at least July.
Password Stealer Poses as Bitwarden
The Proofpoint threat research team published an investigation this week detailing how password-stealing malware ZenRAT is masquerading as password management service Bitwarden, which is used by hundreds of thousands of people worldwide.
Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes, first shared a sample of this malware at the beginning of August. It was extracted from a malicious installation package downloaded from a landing page hosted on the domain “Bitwariden[.]com”.
The same malware installer had already been reported to VirusTotal back in July but was tracked under a different name.
How Does The Malware Infect Computers?
At the time of Proofpoint's investigation, when users clicked “download” when navigating the landing page, a request was sent to crazygamesis[.]com which was the site hosting the malware at the time of the investigation – but this no longer appears to be the host, the research team say.
An inspection of the installation's details found it was smuggling itself onto devices under the product name “Speccy”, a non-malicious software application.
🔎 Want to browse the web privately? 🌎 Or appear as if you're in another country?
Get a huge 86% off Surfshark with this Tech.co Black Friday offer.
The “RAT” in ZenRAT stands for “Remote Access Trojan”, which allows threat actors to send commands to and receive data from infected devices. This means it can be used to steal information from devices that download it, including passwords.
Proofpoint say the malware gathered information about the target computer's CPU Name, GPU Name, OS Version, RAM, IP address, and gateway, as well as antivirus programs and other applications the user had installed. It's not clear, however, how traffic is being directed to the fake Bitwarden domain in the first place.
Windows Users Singled Out
The campaign targets Windows users specifically – those using other operating systems are redirected to a clone of an article on opensource.com entitled “How to manage your passwords with Bitwarden, a LastPass alternative”.
Interestingly, back on the fake Bitwarden downloads page, users who select the Mac or Linux download option will be directed to the legitimate Bitwarden password manager site.
Whether or not you’re using Windows or not, if you’re downloading something from a page, you have to make sure it’s secure first. Always check the URL to see if you’ve made a mistake – hackers deliberately buy domains with URLs that are very similar to, but aren’t exactly the same, as well-known legitimate websites – they’re counting on the fact you won’t be paying close enough attention to realize.