Security researchers from Proofpoint have identified a new malware strain named ZenRAT, which is being disseminated via counterfeit installation packages posing as the Bitwarden password manager.
malware is specifically tailored to target Windows users, while redirecting non-Windows users to benign webpages to evade detection. The method of distribution remains unclear, but historical patterns suggest it may involve tactics like SEO poisoning, adware bundles, or email-based attacks.
ZenRAT, categorized as a modular remote access trojan (RAT), possesses the ability to steal information, amplifying concerns about cybersecurity in the current digital landscape. What makes ZenRAT particularly malicious is its distribution strategy, which selectively offers the fake Bitwarden download only to Windows users accessing the compromised website. Non-Windows users are seamlessly redirected to a legitimate “opensource.com” site, meticulously mimicking an article about Bitwarden.
To further maintain its cover, ZenRAT reroutes Windows users who click on Linux or MacOS download links to the actual Bitwarden site. The malware authors have taken extra precautions by attempting to obscure the payload’s hosting domain, making it challenging to trace its origin.
ZenRAT, masquerading as “ApplicationRuntimeMonitor.exe” in its filename, not only deceives through its distribution but also in its metadata, claiming to be an entirely different application.
Once executed, it deploys WMI queries and system tools to gather extensive host information, including hardware specifications, IP addresses, software inventory, and antivirus details. This stolen data, along with pilfered browser data and credentials, is transmitted back to the malware’s command and control server, enclosed in a zip file named Data.zip.
