September 29, 2023
Severity
High
Analysis Summary
Fraudulent Bitwarden websites are reportedly delivering installers for the open-source password manager bundled with a new password-stealing malware called ZenRAT. The malware is pushed to Windows users through malicious websites that imitate the legitimate Bitwarden site, relying on typosquatting to trick users.
ZenRAT collects credentials and browser data, as well as information about the compromised device. These details are used to build a fingerprint of the targeted system, which can later be used to access an account after the legitimate user has logged in.
The malware was discovered in August after researchers received a sample. The distribution site is very convincing and closely resembles the real Bitwarden website, with a domain name that tricks users into thinking they are visiting the genuine site.
The fake Bitwarden installation package includes a malicious .NET executable: the ZenRAT remote access trojan, which has information-stealing capabilities. The website only targets Windows users; when visited from Linux or macOS, it redirects the user to the official page instead. The malicious Bitwarden installer is served from another fake URL that imitates the legitimate browser-based gaming website CrazyGames.

The information ZenRAT collects about the victim host includes CPU and GPU names, OS version, IP address and gateway, installed RAM, antivirus products and installed applications. These details are sent to the C2 server in a ZIP file, along with the stolen data and credentials.
The malware is also able to check whether it is running in a virtual machine or sandbox. The researchers found that the malware is designed to be modular, so its capabilities can be extended, but expanded functionality has yet to be seen in the wild.
“Malware is often delivered via files that masquerade as legitimate application installers. End users should be mindful of only downloading software directly from the trusted source, and always check the domains hosting software downloads against domains belonging to the official website. People should also be wary of ads in search engine results, since that seems to be a major driver of infections of this nature, especially within the last year”, they conclude.
Impact
- Sensitive Data Theft
- Credential Theft
Indicators of Compromise
Domain Name
- bitwariden.com
- crazygameis.com
- obsploject.com
- geogebraa.com
IP
- 185.186.72.14
- 185.156.72.8
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Patch and upgrade all platforms and software in a timely manner and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.
- Be cautious when accessing websites and double-check the URLs to ensure they are correct. Avoid visiting websites with domain names that closely resemble legitimate sites, as typosquatting is a common tactic used by attackers.
- Only download software, including password managers, from official and trusted sources. Avoid third-party websites and always verify the authenticity of the download.
- Ensure that all software, including your operating system and security software, is kept up to date with the latest security patches and updates. This helps protect against known vulnerabilities.
- Train users to be cautious when clicking on links or downloading files from untrusted sources.
- Employ web filtering solutions that can block access to known malicious websites. This can help prevent users from inadvertently visiting fake or compromised sites.
- Continuously monitor inbound and outbound network traffic for suspicious activities, especially unauthorized access attempts. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) can be valuable in this regard.
- Restrict access to critical systems and sensitive data to only authorized personnel. Use strong authentication methods like multi-factor authentication (MFA) to enhance security.
- Scrutinize system and network logs for anomalies, unexpected reboots, or configuration changes. Set up alerts for suspicious activities.
- Uninstall or disable unnecessary software and services on systems to reduce the attack surface.
- Utilize network-based security solutions that can detect and block known malware communication patterns.
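The IOC search and typosquatting checks above can be combined into a simple hunt over web proxy or DNS logs. The script below is an added example, not part of the Rewterz alert: it matches the alert's listed domains and IPs exactly and additionally flags unlisted domains within a small edit distance of the brands the campaign imitates (bitwarden.com and crazygames.com). The log format and all log lines are constructed for illustration.

```python
"""Hunt a proxy log for the ZenRAT distribution IOCs and for lookalike domains.

Added example (not from the alert). Log format is a constructed, simplified
proxy log: <timestamp> <client ip> <destination ip> <host> "<user agent>".
"""
import re
from typing import Iterable, List, Optional, Tuple

# Exact indicators from the alert's IOC section.
IOC_DOMAINS = {"bitwariden.com", "crazygameis.com", "obsploject.com", "geogebraa.com"}
IOC_IPS = {"185.186.72.14", "185.156.72.8"}
# Legitimate brands named in the alert; unlisted near-misses of these get flagged.
BRAND_DOMAINS = {"bitwarden.com", "crazygames.com"}
LOOKALIKE_MAX_DISTANCE = 2  # heuristic threshold; tune for your environment

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$')


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the classic single-row dynamic programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    # Simplification: last two labels as the registrable domain (fine for .com,
    # wrong for multi-part public suffixes such as .co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(host: str, dst_ip: Optional[str] = None) -> Optional[str]:
    """Return 'ioc-match', 'lookalike:<brand>' or None for a benign host."""
    dom = registrable(host)
    if dom in IOC_DOMAINS or (dst_ip is not None and dst_ip in IOC_IPS):
        return "ioc-match"
    if dom in BRAND_DOMAINS:
        return None
    for brand in sorted(BRAND_DOMAINS):
        if levenshtein(dom, brand) <= LOOKALIKE_MAX_DISTANCE:
            return f"lookalike:{brand}"
    return None


def hunt(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Parse each log line and return (client ip, host, verdict) for every hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and (verdict := classify(m["host"], m["dst"])):
            hits.append((m["src"], m["host"], verdict))
    return hits


SAMPLE_LOG = [  # constructed sample traffic, not real observations
    '2023-09-28T10:02:11Z 10.0.0.5 185.186.72.14 bitwariden.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2023-09-28T10:02:40Z 10.0.0.5 198.51.100.20 bitwarden.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2023-09-28T10:05:03Z 10.0.0.9 203.0.113.7 bitwardan.com "Mozilla/5.0 (X11; Linux x86_64)"',
    '2023-09-28T10:07:19Z 10.0.0.12 203.0.113.44 crazygameis.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2023-09-28T10:09:55Z 10.0.0.3 192.0.2.10 example.com "curl/8.1.2"',
]

if __name__ == "__main__":
    for src, host, verdict in hunt(SAMPLE_LOG):
        print(f"{src} -> {host}: {verdict}")
```

Exact IOC hits are actionable on their own; lookalike hits are leads that still need a look at the page served and the file downloaded.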