Proofpoint, a company dedicated to cybersecurity and regulatory compliance, has identified a new malware family called ZenRAT, which spreads through fake Bitwarden password manager installation packages built for Windows. ZenRAT is a modular Remote Access Trojan (RAT) capable of obtaining private information from the infected host.
Interface changes and visual tricks
The malware was first detected on a website posing as an official download source for the password manager. The installation package served from this site contains a malicious .NET executable that installs ZenRAT. Notably, the site only shows the fake Bitwarden download when the visitor appears to be on a Windows host.
Visitors using an operating system other than Windows are served a different page. That page imitates “opensource.com”, going as far as cloning an article about Bitwarden by Scott Nesbitt that was genuinely published on the legitimate site. When Windows users click the download links for Linux or macOS, they are redirected to the real Bitwarden site (vault.bitwarden.com). Clicking the Download button or the Windows desktop installer link instead attempts to download the payload (Bitwarden-Installer-version-2023-7-1.exe).
Proofpoint’s research team says:
It is common for malicious programs to be distributed through files that pose as legitimate application installers. Currently, we do not know how this specific malware is distributed, but it is usually delivered via SEO Poisoning, adware packages, or via email.
Recommendations for Online Safety
Proofpoint advises end users to download software exclusively from trusted sources and to always verify that the domain hosting the download belongs to the official website. Users should also treat advertisements in search engine results with caution, since they have been one of the main causes of this type of infection, especially over the last year.
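The advice to verify the download domain is easy to get wrong with a naive substring match. The following is an added example (not Proofpoint's code and not part of the original article) showing a strict check that accepts only bitwarden.com and its subdomains, such as the vault.bitwarden.com host named above; the non-official sample URLs are constructed placeholders under the reserved .example domain.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumption: bitwarden.com and its subdomains are the only legitimate download source.
OFFICIAL_DOMAINS = ("bitwarden.com",)

# Constructed sample inputs: two genuine hosts plus typical lookalike tricks.
SAMPLE_URLS = [
    "https://vault.bitwarden.com/#/login",
    "https://bitwarden.com/download/",
    "https://bitwarden-installer.example/Bitwarden-Installer-version-2023-7-1.exe",
    "https://bitwarden.com.download.example/setup.exe",      # official name as a prefix
    "https://vault.bitwarden.com@download.example/setup.exe",  # official name as userinfo
    "http://bitwarden.com/download/",                         # plain HTTP, not trusted
]


def download_host(url: str) -> Optional[str]:
    """Return the normalised hostname of a download URL, or None if it is unusable."""
    parts = urlsplit(url.strip())
    # .hostname already drops the user:pass@ part and the port and lowercases the name,
    # so the "official-name@attacker-host" trick resolves to the real host.
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")  # a trailing dot is the same DNS name


def is_official_download(url: str, official=OFFICIAL_DOMAINS) -> bool:
    """True only if the host is an official domain or a subdomain of one.

    A plain suffix or substring test would accept "bitwarden.com.download.example",
    so the match requires equality or a label boundary ('.') right before the domain.
    """
    host = download_host(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in official)


def check_downloads(urls: List[str]) -> List[Tuple[str, str]]:
    """Classify each candidate download URL as 'official' or 'REJECT'."""
    return [(u, "official" if is_official_download(u) else "REJECT") for u in urls]


if __name__ == "__main__":
    for url, verdict in check_downloads(SAMPLE_URLS):
        print(f"{verdict:8} {url}")
```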
This warning is intended to inform users about the emerging ZenRAT threat and to promote good online security practices. Staying informed and taking appropriate precautions remains essential in today’s digital environment.