ZenRAT Password Stealer Masquerades as Bitwarden Password Manager Installer

Password managers can greatly improve security and are one of the measures currently being promoted during Cybersecurity Awareness Month; however, care must be taken when installing password managers. Just like any software solution downloaded from the Internet, it is important to verify the authenticity of the website and installer. Cybercriminals may impersonate password manager providers to deliver malware.

Password managers are currently being promoted by the Cybersecurity and Infrastructure Security Agency (CISA) as part of its first public service awareness campaign (Secure Our World). CISA is encouraging everyone to improve password security by setting strong and unique passwords for all accounts and recommends using a password manager to generate and store passwords. Using a password manager is a no-brainer, especially since there are some excellent free password managers available. Take Bitwarden for example. Bitwarden is an open source password manager that has an excellent free tier, which makes it one of the best choices for individuals who do not have much spare cash.

Bitwarden downloads, however, may not be what they seem. A campaign has been detected that impersonates Bitwarden and, like the official download site, offers the password manager free of charge. A threat actor has created a website – bitwariden[.]com – that impersonates the official website, and includes realistic Bitwarden logos and text. If a non-Windows user attempts to download the installer, they will be redirected to the official Bitwarden site. If a Windows user clicks the download option, they will receive a file called Bitwarden-Installer-version-2023-7-1.exe.

The meta information for the file claims the installer is Piriform’s Speccy, a legitimate program for gathering system specifications. The certificate is signed by Tim Kosse, a developer behind the FileZilla FTP/SFTP software; however, the file signature is not valid. If the installer is executed, it will deliver ZenRAT malware. Once delivered, ZenRAT will gather system information, including the IP address and gateway IP address, and information about software installed on the device, including antivirus programs. ZenRAT’s main function is to steal credentials, which are exfiltrated to its command-and-control server along with the gathered system information.

The campaign was detected by security researchers at Proofpoint. While the researchers analyzed the campaign, they were unable to determine how traffic was being sent to the fake Bitwarden website. Campaigns such as this often use Google Ads and other advertising networks to drive traffic to their download sites. It is also common for SEO poisoning to be used, where search engine optimization techniques are used to get malicious sites to appear high in the organic search engine listings for specific search terms. It is also possible that spam emails are being used to send links to the download site.

In this campaign, the domain is very similar to the official website for Bitwarden – Bitwarden.com – and the misspelling may not be noticed if visitors are not paying attention. This campaign demonstrates why it is so important to carefully check a domain before downloading any file to make sure the website is legitimate. It is also strongly recommended to install antivirus software, keep it up to date, scan any downloaded file before opening it, and check the file certificate carefully to make sure it matches the legitimate developer of the software.
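As an added example that is not part of the article, the following PowerShell function performs the pre-install checks the paragraph recommends: it confirms the Authenticode signature is valid, that the signer names the publisher you expect, and that the file's version metadata agrees (the sample described above would fail on all three counts, since its signature was invalid and its metadata claimed to be Speccy). The function name, the download path and the expected-publisher string are assumptions supplied by the user.

```powershell
# Added example (not from the article): pre-install check for a downloaded
# Windows installer. Compares the Authenticode signature and the file's
# version metadata against the publisher you expect to have built it.
function Test-InstallerProvenance {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer's certificate subject, e.g. 'Bitwarden'
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Authenticode: Status must be 'Valid'. An invalid or missing signature,
    #    as on the sample in the article, is reason enough to stop here.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status is '$($sig.Status)', not 'Valid'")
    }

    # 2. Signer identity: a valid signature from the wrong publisher is still wrong.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($subject -notmatch [regex]::Escape($ExpectedPublisher)) {
        $findings.Add("Signer subject '$subject' does not name '$ExpectedPublisher'")
    }

    # 3. Version resource: ProductName and CompanyName should also name the
    #    expected publisher; a mismatch with the download site is a red flag.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    foreach ($field in 'ProductName', 'CompanyName') {
        $value = $vi.$field
        if ([string]::IsNullOrWhiteSpace($value) -or $value -notmatch [regex]::Escape($ExpectedPublisher)) {
            $findings.Add("VersionInfo.$field is '$value', expected to mention '$ExpectedPublisher'")
        }
    }

    # Return a summary object; the SHA-256 is handy for checking against the
    # vendor's published hashes or submitting to your AV/EDR.
    [pscustomobject]@{
        Path     = $Path
        Sha256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signer   = $subject
        Trusted  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage (hypothetical path): do not run the installer unless Trusted is $true.
# Test-InstallerProvenance -Path "$env:USERPROFILE\Downloads\Bitwarden-Installer-version-2023-7-1.exe" -ExpectedPublisher 'Bitwarden'
```

A passing result only shows the file is what its signer says it is; it does not replace downloading from the vendor's verified domain or scanning the file with up-to-date antivirus.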

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news