ZenRAT: Malware Brings More Chaos Than Calm  | Proofpoint US

Proofpoint details ZenRAT, a modular Windows remote access trojan distributed through fake Bitwarden installation packages hosted on bitwariden.com. It masquerades as a legitimate application, runs anti-VM checks, and exfiltrates data: it gathers host information and browser data, then sends them to a C2 server over a bespoke protocol encrypted with AES-256-CBC.

Key points

  • ZenRAT is a modular remote access Trojan targeting Windows, delivered inside fake Bitwarden installers.
  • The malicious site redirects non-Windows visitors and displays a Bitwarden download only to Windows hosts.
  • The installer masquerades as Speccy, with questionable signatures and misleading metadata.

MITRE Techniques

  • [T1036] Masquerading – The installer masquerades as Piriform’s Speccy and claims to be signed by Tim Kosse, but the digital signature is invalid. “the installer is claiming to be Piriform’s Speccy …” and “the installer has an invalid digital signature, and claims to have been signed by Tim Kosse”
  • [T1082] System Information Discovery – Upon execution, it uses WMI queries and other system tools to gather information about the host: CPU Name, GPU Name, OS Version, Installed RAM, IP address and Gateway, Installed Antivirus, Installed Applications
  • [T1055] Process Injection – It injects into PID 2680 (regasm.exe) with an argument shown in the data structure
  • [T1555.001] Credentials in Web Browsers – ZenRAT collects browser data/credentials and exfiltrates them in Data.zip, alongside InstalledApps.txt and SysInfo.txt
  • [T1041] Exfiltration – Data.zip containing system info and browser data is sent to the C2; “ZenRAT was observed sending this information back to its C2 server along with stolen browser data/credentials in a zip file called Data.zip”
  • [T1070] Indicator Removal on Host – The installer creates a hidden .cmd that launches a self-deletion loop for itself and the installer
  • [T1497] Virtualization/Sandbox Evasion – Anti-VM checks (IsDetectVM) and related process checks
  • [T1027] Obfuscated/Compressed Files and Information – Data is encrypted with AES-256-CBC for module data transfers; “The data transferred … is encrypted using AES-256-CBC, in chunks of 50000 bytes”

Indicators of Compromise

  • [IP Address] 185.186.72.14:9890 – Observed ZenRAT C2 server
  • [IP Address] 185.156.72.8:9890 – Observed nonresponsive ZenRAT C2 server
  • [Domain] bitwariden[.]com – Bitwarden look-alike domain
  • [Domain] crazygameis[.]com – Payload delivery domain
  • [Domain] obsploject[.]com – OBS Project look-alike domain (recently registered, no longer responsive)
  • [Domain] geogebraa[.]com – GeoGebra look-alike domain (recently registered, no longer responsive)
  • [SHA256] e0c067fc8e10a662c42926f6cdadfa5c6b8c90d5dff3f0e9f381210180d47d37 – Bitwarden-Installer-version-2023-7-1.exe
  • [SHA256] d7d59f7db946c7e77fed4b927b48ab015e5f3ea8e858d330930e9f7ac1276536 – ApplicationRuntimeMonitor.exe
  • [SHA256] 8378c6faf198f4182c55f85c494052a5288a6d7823de89914986b2352076bb12 – Bitwarden-Installer-version-2023-7-1.exe
  • [SHA256] f7573ad27ff407e84d3ebf173cbeaaa6aba62eb74b4b2b934bc0433df3d9e066 – SearchModule.exe
  • [SHA256] e318b2c1693bc771dfe9a66ee2cebcc2b426b01547bb0164d09d025467cb9ee3 – CertificateUpdate.version2.10.12.exe
  • [SHA256] 60098db9f251bca8d40bf6b19e3defa1b81ff3bdc13876766988429a2e922a06 – SystemSecurity.exe
  • [SHA256] ba36d9d6e537a1c1ecdf1ace9f170a3a13c19e77f582a5cae5c928a341c1be8d – 2421c4cd791b1eexeexe.exe
  • [SHA256] 986aa8e20962b28971b3a5335ef46cf96c102fa828ae7486c2ac2137a0690b76 – npp.8.4.8.Installer.exe
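As an added example (not code from the Proofpoint post or from ZenRAT itself), the snippet below takes the indicators listed above, refangs the defanged domains, and scans a handful of constructed log lines (DNS, proxy and EDR records; the hostnames, timestamps and line formats are invented for illustration) for hits. The regex boundaries keep the C2 address from matching inside a longer address such as 185.186.72.140:9890 while still letting a subdomain of a look-alike domain trigger.

```python
"""Match the ZenRAT indicators listed above against constructed log lines."""
import re
from typing import Dict, List, Tuple

# Indicators transcribed from the list above. Domains are kept defanged
# ([.]) exactly as written on the page and refanged at match time.
IOCS: Dict[str, List[str]] = {
    "ip_port": ["185.186.72.14:9890", "185.156.72.8:9890"],
    "domain": ["bitwariden[.]com", "crazygameis[.]com",
               "obsploject[.]com", "geogebraa[.]com"],
    "sha256": [
        "e0c067fc8e10a662c42926f6cdadfa5c6b8c90d5dff3f0e9f381210180d47d37",
        "d7d59f7db946c7e77fed4b927b48ab015e5f3ea8e858d330930e9f7ac1276536",
        "8378c6faf198f4182c55f85c494052a5288a6d7823de89914986b2352076bb12",
        "f7573ad27ff407e84d3ebf173cbeaaa6aba62eb74b4b2b934bc0433df3d9e066",
        "e318b2c1693bc771dfe9a66ee2cebcc2b426b01547bb0164d09d025467cb9ee3",
        "60098db9f251bca8d40bf6b19e3defa1b81ff3bdc13876766988429a2e922a06",
        "ba36d9d6e537a1c1ecdf1ace9f170a3a13c19e77f582a5cae5c928a341c1be8d",
        "986aa8e20962b28971b3a5335ef46cf96c102fa828ae7486c2ac2137a0690b76",
    ],
}


def refang(value: str) -> str:
    """Turn a defanged indicator (bitwariden[.]com, hxxp://) back into matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def compile_iocs(iocs: Dict[str, List[str]]) -> Dict[str, "re.Pattern[str]"]:
    """Build one case-insensitive regex per indicator type.

    The look-around boundaries reject a match that is glued to other
    alphanumerics (so 185.186.72.14:9890 does not fire on 185.186.72.140:9890)
    but allow a leading dot, so cdn.bitwariden.com still hits on bitwariden.com.
    """
    compiled = {}
    for kind, values in iocs.items():
        alternation = "|".join(re.escape(refang(v)) for v in values)
        compiled[kind] = re.compile(
            rf"(?<![A-Za-z0-9-])(?:{alternation})(?![A-Za-z0-9-])", re.IGNORECASE
        )
    return compiled


def scan_line(line: str, compiled: Dict[str, "re.Pattern[str]"]) -> List[Tuple[str, str]]:
    """Return (indicator_type, matched_value) pairs found in one log line."""
    hits = []
    for kind, pattern in compiled.items():
        for match in pattern.finditer(line):
            hits.append((kind, match.group(0).lower()))
    return hits


def scan_logs(lines: List[str], iocs: Dict[str, List[str]] = IOCS) -> List[dict]:
    """Scan every line and return one record per indicator hit."""
    compiled = compile_iocs(iocs)
    results = []
    for number, line in enumerate(lines, start=1):
        for kind, value in scan_line(line, compiled):
            results.append({"line": number, "kind": kind, "value": value, "text": line})
    return results


# Constructed sample log lines (hostnames, times and formats are invented).
SAMPLE_LOGS = [
    "2023-09-20T10:01:02Z dns host=WS-017 qname=bitwariden.com qtype=A",
    "2023-09-20T10:01:09Z proxy host=WS-017 dst=185.186.72.14:9890 bytes_out=50000",
    "2023-09-20T10:02:15Z edr host=WS-017 file=ApplicationRuntimeMonitor.exe "
    "sha256=D7D59F7DB946C7E77FED4B927B48AB015E5F3EA8E858D330930E9F7AC1276536",
    "2023-09-20T10:03:00Z dns host=WS-021 qname=bitwarden.com qtype=A",      # legitimate
    "2023-09-20T10:03:30Z proxy host=WS-021 dst=185.186.72.140:9890 bytes_out=120",  # different IP
    "2023-09-20T10:04:11Z dns host=WS-021 qname=cdn.bitwariden.com qtype=A",  # subdomain
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['kind']} {hit['value']}  <- {hit['text']}")
```

Hash matching is case-insensitive because EDR and sandbox exports disagree on hex case; the domain list is matched as a suffix-aware literal rather than a plain substring so that the genuine bitwarden.com never trips on the bitwariden.com look-alike.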

Read more: https://www.proofpoint.com/us/blog/threat-insight/zenrat-malware-brings-more-chaos-calm