Cybersecurity researchers from Proofpoint have recently discovered a new piece of malware that impersonates Bitwarden in an attempt to steal sensitive information from the victim’s endpoint.
After being tipped off by Senior Director of Threat Intelligence at Malwarebytes, Jérôme Segura, the researchers discovered that the malware, dubbed ZenRAT, was masquerading as a fake version of the popular password manager.
The threat actors registered the domain "bitwariden[.]com", a misspelled but deliberately similar lookalike of the legitimate site, in a technique known as typosquatting, and built a website that closely mimics Bitwarden's.
Stealing data stored in the browser
It is unknown how the attackers promoted the website, but the researchers suspect either SEO poisoning, malvertising, or social engineering as the most likely vectors.
Whatever the case may be, when a victim visits the website from a Mac or Linux device and clicks the corresponding download link, nothing malicious happens: they are simply redirected to a completely different, benign page. Windows users, though, receive the ZenRAT installer.
After establishing a connection with its command & control server (C2), the malware will do a number of things, including gathering system information and stealing passwords.
Using WMI queries, ZenRAT tries to learn the victim's CPU name, GPU name, OS version, installed RAM, IP address and gateway, as well as any installed antivirus and other applications. It also harvests browser data, including any credentials stored there.
While Proofpoint urges consumers to be careful when downloading software and to obtain it only from trusted sources, the problem is that consumers can easily be tricked.
With malvertising, it is possible that a fake ad for Bitwarden was served through Google, which most people treat as a trusted source. An untrained eye can easily miss the extra "i" in the URL, and with the website almost identical to the legitimate one, such a campaign can be quite successful.
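The typosquatting described above (the extra "i" in bitwariden[.]com) is exactly the kind of near-miss that automated checks catch more reliably than people do. The following is an added example, not code from Proofpoint or Bitwarden: it normalises a URL or defanged domain and scores it against a small, constructed allow-list of brand domains using edit distance, flagging anything within a couple of edits of a protected brand (including the same name on a different TLD) while leaving exact matches alone. The allow-list, the distance threshold and the naive "last two labels" domain parsing are assumptions for the example.

```python
import re

# Constructed allow-list of legitimate brand domains (assumption for this example).
PROTECTED_DOMAINS = ("bitwarden.com", "proofpoint.com", "malwarebytes.com")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(value: str) -> str:
    """Reduce a URL or defanged host to a lowercase registrable domain.

    Handles scheme, path, port, '[.]' defanging and a leading 'www.'.
    Assumption: the registrable domain is the last two labels (no public
    suffix list handling, so 'example.co.uk' style TLDs are not covered).
    """
    host = value.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)  # drop scheme
    host = host.split("/")[0].split(":")[0]            # drop path and port
    host = host.replace("[.]", ".")                    # undo defanging
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def typosquat_match(value: str, max_distance: int = 2):
    """Return (brand_domain, distance) when the input looks like a brand,
    None when it is an exact protected domain or unrelated to any brand."""
    domain = registrable_domain(value)
    if domain in PROTECTED_DOMAINS:
        return None
    candidate_label = domain.split(".")[0]
    best = None
    for brand in PROTECTED_DOMAINS:
        d = levenshtein(candidate_label, brand.split(".")[0])
        if d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    return best


if __name__ == "__main__":
    # Constructed inputs: the campaign domain, the real site, and an unrelated host.
    for sample in ("https://bitwariden[.]com/download", "https://www.bitwarden.com/",
                   "bitwarden.co", "https://example.com"):
        print(f"{sample:40} -> {typosquat_match(sample)}")
```

The threshold of two edits is deliberately tight: it catches single-character insertions, substitutions and swapped TLDs like the one in this campaign without flagging every short domain on the internet. In practice you would pair this with homoglyph normalisation (for example Cyrillic letters that render like Latin ones) and feed the flagged domains into a proxy block-list or a DNS alert rule.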
It is not known exactly how many people so far have downloaded the malware and lost their passwords and other sensitive data in the process.