- According to Proofpoint researchers, ZenRAT was initially discovered on a website pretending to be associated with the open-source password manager Bitwarden.
- If non-Windows users visited the bogus website, they were redirected to a cloned opensource[.]com article published in March 2018.
- The website lured users with a fake Bitwarden installer when accessed from Windows systems.
- However, if Windows users clicked on download links for Linux or macOS, they were redirected to the legitimate Bitwarden website.
More details about ZenRAT
- ZenRAT is a modular RAT with information-stealing capabilities.
- Upon execution, it uses WMI queries and other system tools to gather system information, such as CPU name, GPU name, OS version, installed RAM, IP address, and installed antivirus and applications, from infected systems.
- The stolen information, including browser data and credentials, is sent back to the C2 server in a zip file called Data.zip.
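An added detection example, not code from Proofpoint or from the original article: it correlates the two behaviours listed above, a single process querying several inventory categories over WMI and then creating a file named Data.zip. The event schema, the WMI class list (the page does not name the classes ZenRAT queries), the thresholds and the sample records are assumptions constructed for illustration.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: standard WMI classes covering the inventory categories listed
# above; the page does not name the classes ZenRAT actually queries.
INVENTORY = {
    "win32_processor": "cpu", "win32_videocontroller": "gpu",
    "win32_operatingsystem": "os", "win32_physicalmemory": "ram",
    "win32_networkadapterconfiguration": "ip",
    "antivirusproduct": "antivirus", "win32_product": "applications",
}
FROM_CLASS = re.compile(r"\bfrom\s+(\w+)", re.IGNORECASE)

def find_inventory_then_archive(events, min_categories=4,
                                window=timedelta(minutes=5), archive="data.zip"):
    """Flag processes that query several inventory categories over WMI and
    then create a file named `archive` within `window`."""
    last_seen = defaultdict(dict)  # (host, pid) -> {category: last query time}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        if ev["type"] == "wmi_query":
            m = FROM_CLASS.search(ev["detail"])
            cat = INVENTORY.get(m.group(1).lower()) if m else None
            if cat:
                last_seen[key][cat] = ev["ts"]
        elif ev["type"] == "file_create" and ntpath.basename(ev["detail"]).lower() == archive:
            recent = sorted(c for c, t in last_seen[key].items() if ev["ts"] - t <= window)
            if len(recent) >= min_categories:
                alerts.append({"host": ev["host"], "pid": ev["pid"],
                               "image": ev["image"], "categories": recent})
    return alerts

# Constructed sample telemetry: hypothetical event schema, host and process names.
T0 = datetime(2023, 10, 2, 9, 0, 0)
def sample_event(sec, pid, image, typ, detail):
    return {"ts": T0 + timedelta(seconds=sec), "host": "ws-01", "pid": pid,
            "image": image, "type": typ, "detail": detail}

QUERIED = ["Win32_Processor", "Win32_VideoController", "Win32_OperatingSystem",
           "AntiVirusProduct", "Win32_Product"]
SAMPLE = [sample_event(i, 4120, "setup_sample.exe", "wmi_query", f"SELECT * FROM {c}")
          for i, c in enumerate(QUERIED)]
SAMPLE.append(sample_event(30, 4120, "setup_sample.exe", "file_create",
                           r"C:\Users\u\AppData\Local\Temp\Data.zip"))
SAMPLE.append(sample_event(5, 900, "asset_agent.exe", "wmi_query", "SELECT * FROM Win32_Processor"))
SAMPLE.append(sample_event(40, 900, "asset_agent.exe", "file_create", r"C:\Temp\Data.zip"))
```

Legitimate inventory and management agents query the same WMI classes, so the category threshold and the archive-creation condition are what keep this rule from firing on them; tune both against local telemetry.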
Information stealers continue to run rampant
While ZenRAT is new, several other information-stealing malware families have been used in different campaigns recently.
- A new ValleyRAT malware was deployed alongside Sainbox RAT and Purple Fox malware in an attempt to steal sensitive information from Chinese-speaking users.
- A new Golang-based MetaStealer also appeared in the wild, targeting macOS systems. The malware was spotted a few days after the discovery of Atomic Stealer, which masqueraded as a TradingView app to target macOS users.
Researchers highlight that people should be wary of ads in search engine results as they remain a major driver of malware infection. Moreover, as the new ZenRAT malware leverages application installers as a channel for propagation, users should be mindful while downloading software from untrusted sources. Additionally, they should verify the legitimacy of domains hosting the software.