Cybersecurity researchers from Proofpoint have recently discovered a new piece of malware that impersonates Bitwarden in an attempt to steal sensitive information from the victim’s endpoint.
After being tipped off by Senior Director of Threat Intelligence at Malwarebytes, Jérôme Segura, the researchers discovered that the malware, dubbed ZenRAT, was masquerading as a fake version of the popular password manager.
The threat actors bought the domain "bitwariden[.]com" - a misspelling deliberately close to the legitimate domain, a technique known as typosquatting - and built a website that looks nearly identical to Bitwarden's.
Stealing data stored in the browser
It is unknown how the attackers promoted the website, but the researchers suspect either SEO poisoning, malvertising, or social engineering as the most likely vectors.
Whatever the case may be, when a victim visits the website from a Mac or Linux device and clicks the corresponding download link, nothing malicious happens: they are simply redirected to a completely different, benign page. Windows users, though, will be infected with ZenRAT.
After establishing a connection with its command-and-control (C2) server, the malware does a number of things, including gathering system information and stealing passwords.
Using WMI queries, ZenRAT tries to learn the victim's CPU name, GPU name, OS version, installed RAM, IP address and gateway, as well as any installed antivirus and other applications. Furthermore, it steals all browser data, including any credentials stored there.
While Proofpoint urges consumers to be careful when downloading software, and make sure they’re only getting it from trusted sources, the problem is that consumers can easily be tricked.
With malvertising, it’s possible that a fake ad for Bitwarden ended up on Google - usually a trusted source. An untrained eye can easily miss the extra “i” in the URL, and with the website being almost identical to the legitimate one, the campaign can be quite successful.
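The extra "i" is exactly the kind of near-miss that automated checks catch more reliably than people do. The following is an added example, not code from the article, Proofpoint or Bitwarden: it flags look-alike domains in a list of observed hostnames (for instance from a web-proxy log) by measuring edit distance between each host's registrable domain and a protected brand list, and it also catches the brand name being used as a subdomain of some other domain. The `PROTECTED_DOMAINS` allow-list, the `Finding` record and the sample hostnames are all constructed for this example; the naive "last two labels" registrable-domain rule is an assumption that a real deployment would replace with the Public Suffix List.

```python
from dataclasses import dataclass

# Assumed allow-list of brands whose look-alikes we want to flag (constructed for this example).
PROTECTED_DOMAINS = ["bitwarden.com"]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: counts insertions, deletions,
    substitutions and adjacent transpositions, so one extra "i" costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalize(host: str) -> str:
    """Lower-case, strip a trailing dot and un-defang "[.]" so IoC-style input works."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption for this example).
    A real deployment should use the Public Suffix List so that names such as
    "example.co.uk" are split correctly."""
    labels = normalize(host).split(".")
    return ".".join(labels[-2:])


@dataclass
class Finding:
    observed: str   # hostname as it appeared in the log
    brand: str      # protected domain it resembles
    reason: str     # "edit-distance" or "brand-as-subdomain"
    distance: int   # edit distance between the two registrable domains


def find_lookalikes(observed_hosts, protected=PROTECTED_DOMAINS, max_distance=1):
    """Return a Finding for every observed host that is a near-miss of a protected brand."""
    findings = []
    for host in observed_hosts:
        reg = registrable_domain(host)
        labels = normalize(host).split(".")
        for brand in protected:
            brand_reg = registrable_domain(brand)
            brand_label = brand_reg.split(".")[0]
            if reg == brand_reg:
                continue  # the genuine domain or one of its own subdomains: not a look-alike
            dist = damerau_levenshtein(reg, brand_reg)
            if dist <= max_distance:
                findings.append(Finding(host, brand, "edit-distance", dist))
            elif brand_label in labels:
                # e.g. bitwarden.com.login-check.example: brand name used as a subdomain elsewhere
                findings.append(Finding(host, brand, "brand-as-subdomain", dist))
    return findings


# Constructed sample of hostnames as they might appear in a web-proxy log.
SAMPLE_HOSTS = [
    "vault.bitwarden.com",               # legitimate subdomain: not flagged
    "bitwariden[.]com",                  # one inserted "i": flagged
    "bitwarden.co",                      # TLD swap: flagged
    "bitwarden.com.login-check.example", # brand as subdomain: flagged
    "www.google.com",                    # unrelated: not flagged
]

if __name__ == "__main__":
    for f in find_lookalikes(SAMPLE_HOSTS):
        print(f"{f.observed:36} -> {f.brand} ({f.reason}, distance {f.distance})")
```

A distance threshold of 1 keeps false positives low while still catching single-character insertions, omissions, substitutions and swapped letters; homoglyph substitutions (Cyrillic letters that render like Latin ones) and hyphenated variants such as "bitwarden-login" need additional rules beyond this check.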
It is not known exactly how many people so far have downloaded the malware and lost their passwords and other sensitive data in the process.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.