A Novel Info-Stealing Malware Targets Bitwarden Password Manager Users
Introduction
A new strain of info-stealing malware, dubbed ZenRAT, is specifically targeting Windows users through fake installation packages of the popular open-source password manager Bitwarden. The attack involves a fake website that distributes the malware-laden packages. The discovery was made by researcher Jérôme Segura of Malwarebytes, who shared a sample of the malware with researchers at Proofpoint. The researchers detailed their findings in a blog post, highlighting the elaborate nature of the scheme and the lengths taken to ensure that the malware targets only Windows users.
The Elaborate Scheme
The malicious packages are distributed through a fake website, bitwariden[.]com, which closely resembles the legitimate Bitwarden website. Non-Windows users attempting to access the domain are redirected to a cloned article about the password manager, while Windows users clicking on the download links for Linux or macOS are redirected to the legitimate Bitwarden site, vault.bitwarden.com.
The researchers reported that it is still unclear how users initially reach the fake Bitwarden site, but noted that, historically, fake software installers of this kind have been delivered through SEO poisoning, adware bundles, or email campaigns.
Malware Functionality
Once a Windows user clicks to install the fake package, a .NET executable named ZenRAT is downloaded. The malware includes modules that perform Remote Access Trojan (RAT) functions, such as fingerprinting the system, collecting data about installed applications, and stealing passwords and other information from browsers. The stolen information is then sent back to the attackers via a command-and-control server.
After infecting a system, the malware copies itself to a temporary directory and creates a hidden file that initiates a self-deletion loop for both itself and the installer file. The malware also places an executable file in a separate directory and runs it, effectively launching ZenRAT. Interestingly, the malware claims to be a different application in its file properties, possibly as an evasion mechanism.
Targeting Password Managers
This is not the first time that threat actors have targeted password managers like Bitwarden for malicious activities. In the past, campaigns have utilized paid ads to redirect users to credential-stealing phishing sites in response to searches for Bitwarden and other password management technologies. LastPass, one of the largest players in the password manager space, has also been breached in previous attacks.
Advice for Users
Given that malware is often delivered through files masquerading as legitimate application installers, it is crucial for end users to only download software directly from trusted sources. Users should verify the domains hosting software downloads against the official website to ensure the install package is legitimate and not hosted by a malicious site.
Additionally, users should be cautious of ads in search engine results, as they have been a major driver of infections in recent years. Vigilance is essential in safeguarding against cybersecurity threats, and users should prioritize their online security by following best practices and adopting a proactive approach in identifying and mitigating potential risks.
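One way to apply the domain check above mechanically, for example in a download proxy or an endpoint allowlist, is shown below. This is an added example, not code from the article, from Proofpoint or from Bitwarden: it normalizes a download URL (including the defanged bitwariden[.]com form used in the article), accepts only the official bitwarden.com domain, and flags hosts that merely look like it. The allowlist, the naive registrable-domain split and the edit-distance threshold are assumptions.

```python
from urllib.parse import urlparse

# Assumption: the official Bitwarden domain; vault.bitwarden.com is a subdomain of it.
OFFICIAL_DOMAIN = "bitwarden.com"
BRAND_LABEL = "bitwarden"
MAX_EDIT_DISTANCE = 2  # assumption: labels within 2 edits of the brand are lookalikes


def undefang(text: str) -> str:
    """Turn defanged notation such as bitwariden[.]com / hxxps:// into a real URL."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def host_of(url: str) -> str:
    """Extract the lowercase hostname, tolerating URLs given without a scheme."""
    u = undefang(url.strip()).lower()
    if "://" not in u:
        u = "https://" + u
    return urlparse(u).hostname or ""


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (assumes no multi-part suffixes like co.uk)."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'official', 'lookalike', 'unrelated' or 'invalid' for a download URL."""
    host = host_of(url)
    if not host:
        return "invalid"
    reg = registrable(host)
    if reg == OFFICIAL_DOMAIN:
        return "official"
    second_level = reg.split(".")[0]
    # A brand name embedded in a non-official host (bitwarden.com.evil.example,
    # bitwarden-setup.example) or a near-miss spelling (bitwariden) is a lookalike.
    if BRAND_LABEL in host or levenshtein(second_level, BRAND_LABEL) <= MAX_EDIT_DISTANCE:
        return "lookalike"
    return "unrelated"
```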
Conclusion
The discovery of the ZenRAT malware targeting Bitwarden users highlights the continuous efforts by threat actors to exploit software vulnerabilities and user trust. As technology advances, so do the tactics employed by cybercriminals. It is imperative for users to remain vigilant, ensure software downloads from trusted sources, and stay informed about evolving cybersecurity threats.