Malware, Phishing, Identity

Fake Bitwarden site distributes novel RAT malware

Trojan malware

Threat actors used a fake download page for popular password manager Bitwarden to distribute a previously unknown remote access trojan (RAT).

The ruse has prompted a fresh warning from researchers about the importance of ensuring software is only downloaded from authentic sites.

Malwarebytes senior director of threat intelligence Jérôme Segura discovered the .NET executable malware packaged with a standard Bitwarden installation package at bitwariden[.]com — a “very convincing lookalike” of the authentic website.

Segura shared the malware sample with Proofpoint researchers who analyzed it further, named it ZenRAT, and published their findings in a Sept. 26 blog post.

The unknown threat group responsible for ZenRAT only targeted Windows users. If users of other operating systems navigated to the fake Bitwarden site, they were redirected to another fake but innocuous page: a clone of an blog post about managing passwords with Bitwarden.

The malicious bitwariden[.]com site appeared to no longer host the threat group’s fake content.

Hackers impersonate a software developer

Proofpoint said ZenRAT was a modular RAT with information stealing capabilities.

When executed, it used Windows Management Instrumentation (WMI) queries and other system tools to gather information about the target machine including its IP address and gateway, installed antivirus and other applications.

“ZenRAT was observed sending this information back to its command and control (C2) server along with stolen browser data/credentials in a zip file called with the filenames InstalledApps.txt, and SysInfo.txt,” the researchers said.

A curious feature of the malware was that the invalid digital signature associated with the ZenRAT installer claimed it was signed by Tim Kosse, a well known open-source developer who authored the popular cross-platform FTP software FileZilla.

Scammers benefit from search engine wars

In the post, the researchers said they did not know how victims were lured to the fake Bitwarden website, but pointed out threat actors had historically used SEO poisoning, adware bundles and phishing emails to deceive victims into visiting malicious software download sites.

“Malware is often delivered via files that masquerade as legitimate application installers,” they said.

“End users should be mindful of only downloading software directly from the trusted source, and always check the domains hosting software downloads against domains belonging to the official website.”

Earlier this year researchers reported a spike in SEO poisoning, a form of malicious advertising (malvertising) where threat groups post ads with bogus URLs on search engine advertising platforms.

In January, ads placed by scammers directed Google search users to malicious URLs purporting to be Bitwarden login pages.

Tanium senior director of technical account management Shawn Surber said if fake pages were well constructed to look like an authentic website, searchers were unlikely to notice they had been directed to an incorrect URL.

“As search engines like Bing and Google renew the battle for supremacy, they fall prey to the same issues that any company does when they're rushing to market and prioritizing speed over security. They've started emphasizing the matching content of web search results over the actual link itself,” he said.

“That means that you can search for a very specific item, like a specific password manager, and all of the initial links look like they're going to take you to that product’s page. But in reality, they’re marketing pages, reseller pages, review pages, and potentially malware distributing pages.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.