Researchers have come across a new Trojan program dubbed ZenRAT that is being distributed as an installer for the popular Bitwarden password management application, as well as employing other tricks to deceive users. The Trojan has information-stealing capabilities and hasn't been documented before.

“Malware is often delivered via files that masquerade as legitimate application installers,” researchers from security firm Proofpoint said in a report. “End users should be mindful of only downloading software directly from the trusted source, and always check the domains hosting software downloads against domains belonging to the official website.”

ZenRAT is distributed from webpages that mimic the site bitwarden.com, the home of the Bitwarden open-source password manager. The page is only shown to visitors with Windows computers; those with Linux are directed to an article about Bitwarden cloned from a media site.

While it's not clear how users are directed to the rogue Bitwarden page, researchers point out that fake installers have been distributed in the past through SEO poisoning, a technique that involves hijacking search results for various terms by artificially inflating the page rank of hacked websites so they appear higher in results. Other techniques involve email and social media spam.

ZenRAT installer shows weirdness

The executable file offered to Windows users for download is called Bitwarden-Installer-version-2023-7-1.exe, and it had been uploaded to the VirusTotal database before under the name CertificateUpdate-version1-102-90, suggesting this is not the first time the attackers have distributed ZenRAT as a fake application.

This might also explain several weird aspects of the installer. The metadata displayed by Windows claims the installer is Piriform’s Speccy, a software application for gathering system specifications, not Bitwarden. It's very likely the attackers simply copied the installer metadata from their previous variant or are mimicking multiple applications.

Furthermore, the file's digital signature — which is broken and invalid — claims to be that of the developer of the open-source FileZilla FTP/SFTP software.

When executed, the installer drops an executable called ApplicationRuntimeMonitor.exe into C:\Users\[username]\AppData\Roaming\Runtime Monitor\ and runs it. This file's metadata again claims to be something else: an application created by Monitoring Legacy World Ltd.

Upon execution, ZenRAT collects system information and sends it to the command-and-control (C2) server. This includes the CPU and GPU names, the OS version, the amount of RAM, the IP address and gateway address, the installed antivirus program, and a list of installed applications. It also captures credentials saved inside browsers and sends them to the C2 server.

The malware is a modular RAT

The communication between the RAT and the C2 includes commands for executing and updating modules. These are components that enable various functionalities, which attackers can deliver to victims if they so choose after analyzing the initially captured information.

“The existence of the Task and Module ID fields implies that ZenRAT is designed to be a modular, extendable implant,” the researchers said. “At this time, we have not observed other modules being used in the wild.”

Another interesting command is one that asks the Trojan to send the logs of the tasks it executed and completed back to the server. These include various checks performed on the system, including the result of attempts to detect whether it was executed in a virtual machine, which could indicate an automated malware scanner. Another check is for the language of the system: the malware does not install on systems with languages from former Soviet Union countries. This is a common check that malware authors from Russia and the CIS countries perform on systems, supposedly to avoid becoming a focus of local law enforcement in their own countries.
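As an added example (not code from the article, Proofpoint or Bitwarden) of the domain check the quoted advice recommends: it compares the parsed host of a download URL against an allowlist, rejecting the look-alike tricks a cloned site typically relies on rather than only the single case above. The allowlist and the sample URLs are constructed for the example; the one real value is bitwarden.com, the official site named in the article.

```python
"""Verify that a software-download URL's host really belongs to the vendor.

The allowlist and sample URLs are constructed for this example; only
bitwarden.com is a real official domain.
"""
from urllib.parse import urlsplit

# Assumption: a defender-maintained allowlist of official vendor domains.
OFFICIAL_DOMAINS = frozenset({"bitwarden.com"})


def host_belongs_to(url: str, official=OFFICIAL_DOMAINS) -> bool:
    """True only if url is HTTPS and its host is an official domain or a
    subdomain of one (label-boundary match, not a substring search)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    # .hostname drops userinfo ('bitwarden.com@evil.test' -> 'evil.test')
    # and the port, and lowercases the result.
    host = parts.hostname.rstrip(".")
    # Reject IDN/punycode hosts: the real domain is plain ASCII and
    # look-alike characters are a classic lure.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False
    return any(host == d or host.endswith("." + d) for d in official)


def triage(urls):
    """Map each candidate download URL to 'official' or 'suspicious'."""
    return {u: ("official" if host_belongs_to(u) else "suspicious") for u in urls}


# Constructed sample URLs covering the tricks the check must survive.
SAMPLE_URLS = [
    "https://bitwarden.com/download/",            # official
    "https://vault.bitwarden.com/",               # official subdomain
    "http://bitwarden.com/download/",             # plaintext HTTP
    "https://bitwarden.com.evil.test/download/",  # official name as a prefix
    "https://notbitwarden.com/",                  # substring look-alike
    "https://bitwarden.com@evil.test/",           # userinfo trick
    "https://xn--bitwrden-5za.com/",              # IDN look-alike (constructed)
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:10s} {url}")
```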