Windows Users Targeted by ZenRAT Malware Disguised as Fake Password Manager Software

A new malware called ZenRAT is being spread through fake Bitwarden password manager installers. It specifically targets Windows users; visitors from other platforms are redirected to harmless web pages. ZenRAT is a modular remote access trojan with data-stealing capabilities. The malware is hosted on bogus Bitwarden websites, and it is unclear how traffic is being directed to these domains.

Similar malware has spread in the past through phishing, malvertising, and SEO poisoning attacks. The payload, named Bitwarden-Installer-version-2023-7-1.exe, is a modified version of the legitimate Bitwarden installer, containing a malicious .NET executable called ApplicationRuntimeMonitor.exe. Stay vigilant and only download software from official sources.

In a recent campaign, users who visit a deceptive website from non-Windows systems are redirected to an article about password management with Bitwarden. Meanwhile, Windows users clicking on Linux or macOS download links are directed to the legitimate Bitwarden site. The malicious software disguises itself as Piriform’s Speccy, using an invalid digital signature claiming to be signed by Tim Kosse.
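The invalid signature described above is exactly what a pre-execution signature check would catch. The following PowerShell script is an added example, not code from the article or from Bitwarden: it checks an installer's Authenticode status and signer before it is run. The expected-publisher pattern is an assumption and should be taken from a known-good installer.

```powershell
# Added example: verify an installer's Authenticode signature before running it.
# A tampered installer like the one described in the article would report a
# Status other than 'Valid' and a signer that is not the expected publisher.
# $ExpectedPublisherPattern is an assumption; set it to the publisher name seen
# on a known-good copy of the installer.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$ExpectedPublisherPattern = 'Bitwarden'
)

if (-not (Test-Path -Path $Path -PathType Leaf)) {
    Write-Error "File not found: $Path"
    exit 2
}

$sig = Get-AuthenticodeSignature -FilePath $Path
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

# Record what was checked so the result can be compared against vendor-published hashes.
Write-Host "File:    $Path"
Write-Host "SHA256:  $hash"
Write-Host "Status:  $($sig.Status) - $($sig.StatusMessage)"
Write-Host "Signer:  $signer"

# A signature that does not verify (NotSigned, HashMismatch, UnknownError, ...)
# means the file was altered after signing or was never signed by a trusted chain.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature is not valid; do not run this installer."
    exit 1
}

# A valid signature from the wrong publisher is still a red flag.
if ($signer -notmatch $ExpectedPublisherPattern) {
    Write-Warning "Signed, but not by the expected publisher ('$ExpectedPublisherPattern')."
    exit 1
}

Write-Host "Signature is valid and the signer matches the expected publisher."
exit 0
```

Run it as `.\Check-Installer.ps1 -Path .\Bitwarden-Installer.exe`; a non-zero exit code means the file should not be executed.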

The malware, known as ZenRAT, collects various information from the infected host and transmits it to a command-and-control server operated by the threat actors. Despite variations in the data transmitted, the first packet always consists of 73 bytes. Be cautious of these deceptive tactics and ensure your system security.

ZenRAT is a dangerous malware that can infiltrate systems and steal sensitive information. This malware is modular and extendable, allowing it to carry out various malicious activities. To protect yourself, make sure to download software only from trusted sources and ensure the authenticity of websites. Another information stealer, Lumma Stealer, has been observed targeting manufacturing, retail, and business industries since August 2023.

This infostealer disguises itself as fake installers like Chrome and Edge browser installers. Additionally, rogue websites impersonating Google Business Profile and Google Sheets trick users into installing malware called Stealc under the pretext of a security update. Drive-by downloads remain a significant method for spreading malware, including information stealers and loaders. Stay vigilant and implement effective cybersecurity measures to counter these threats.

source: thehackernews
