Summary:
- ZenRAT, a newly identified malware family, is being spread through fake Bitwarden installation packages.
- The malware targets Windows users only: the fake Bitwarden site redirects visitors on other operating systems to a cloned opensource.com article about Bitwarden, so they never see the payload.
- Windows visitors who click the Linux or macOS download links are redirected to the genuine Bitwarden site; only the Windows download link serves the trojan.
- How victims reach the fake site is unknown; SEO poisoning, adware bundles, or email are all plausible delivery paths.
- ZenRAT is a modular Remote Access Trojan with information-stealing capabilities.
- The malware is hidden inside an otherwise standard-looking Bitwarden installer.
- The malicious installer is hosted on the domain crazygameis[.]com. Its file version metadata claims it is "Speccy" rather than Bitwarden, and its digital signature is invalid, which is the cheapest check a recipient can make before running it.
- ZenRAT fingerprints the host (system information such as hardware, OS version, network details and installed software) and sends it to its command and control (C2) server.
- The C2 protocol is client-initiated: the infected host checks in with the server and then exchanges numbered command messages with it.
- Observed command IDs include "Send Logs" and "Send Module Results"; the latter reflects the modular design.
- ZenRAT is built to be modular and extensible, but no modules beyond the core information stealer have been observed in the wild.
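The two red flags above (an installer whose version metadata names a different product, and a signature that does not hold up) can be triaged before the file is ever executed. The following stdlib-only Python script is an added example written for this page, not code from the original report or from Bitwarden or Proofpoint. It parses the PE headers to see whether an Authenticode certificate table is present at all and reads the ProductName string from the version resource, then compares it with the product the file claims to be. The minimal PE image it builds is constructed for the demonstration; the product names and the 8-byte placeholder certificate blob are assumptions, not bytes from the real installer.

```python
"""Stdlib-only triage of a Windows installer that claims to be Bitwarden.

Two cheap checks on the PE file before anything is executed:
  1. Does the file carry an Authenticode signature at all (security data
     directory non-empty)? Presence is not validity: run
     Get-AuthenticodeSignature on Windows to verify the chain.
  2. What ProductName does its VS_VERSION_INFO resource advertise? A
     "Bitwarden" installer whose version info says "Speccy" is a red flag.
"""
import struct
import sys
from typing import Optional, Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def security_directory(data: bytes) -> Tuple[int, int]:
    """Return (file offset, size) of the certificate table, or (0, 0) if absent."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20            # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                 # PE32
        n_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:               # PE32+
        n_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, opt + n_dirs_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    off, size = struct.unpack_from("<II", data, entry)  # for this entry the "RVA" is a file offset
    return off, size


def version_string(data: bytes, key: str) -> Optional[str]:
    """Heuristic read of one VS_VERSION_INFO string value (e.g. ProductName).

    Each string is stored as a UTF-16LE key, a NUL, padding to a 4-byte
    boundary, then the UTF-16LE value. Scanning the raw bytes avoids walking
    the resource tree and is enough for triage.
    """
    needle = (key + "\0").encode("utf-16-le")
    pos = data.find(needle)
    if pos < 0:
        return None
    pos += len(needle)
    while data[pos:pos + 2] == b"\0\0":          # skip alignment padding
        pos += 2
    end = pos
    while end + 2 <= len(data) and data[end:end + 2] != b"\0\0":
        end += 2
    return data[pos:end].decode("utf-16-le", errors="replace")


def triage_installer(data: bytes, expected_product: str) -> dict:
    """Flag an unsigned file or a version-info product that does not match the claim."""
    _, size = security_directory(data)
    product = version_string(data, "ProductName")
    findings = []
    if size == 0:
        findings.append("no Authenticode signature present")
    if product is None:
        findings.append("no ProductName in version info")
    elif expected_product.lower() not in product.lower():
        findings.append(f"version info claims {product!r}, expected {expected_product!r}")
    return {"signed": size > 0, "product_name": product, "findings": findings}


def build_sample_pe(product_name: str, signed: bool) -> bytes:
    """Constructed minimal PE32+ image for the demo (assumption: not a real installer)."""
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    version_blob = ("ProductName\0").encode("utf-16-le") + b"\0\0" \
        + (product_name + "\0").encode("utf-16-le")
    body_off = 0x40 + 4 + 20 + 240
    if signed:                                            # point the security entry at a stub
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         body_off + len(version_blob), 8)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    img = dos + b"PE\0\0" + coff + bytes(opt) + version_blob
    return img + (b"\0" * 8 if signed else b"")


if __name__ == "__main__":
    if len(sys.argv) > 1:                                 # real file: python triage.py installer.exe
        blob = open(sys.argv[1], "rb").read()
    else:                                                 # offline demo with the constructed sample
        blob = build_sample_pe("Speccy", signed=False)
    print(triage_installer(blob, "Bitwarden"))
```

The script only proves that a certificate table exists and what the resource claims; it cannot validate the signature chain. On Windows, follow it with `Get-AuthenticodeSignature .\installer.exe` and treat anything other than `Valid` the way the report treats the ZenRAT installer.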
Hashtags: #ZenRAT #malware #Bitwarden #Windows #cybersecurity