Fake Bitwarden sites push new ZenRAT password-stealing malware
<blockquote data-quote="Jakesu" data-source="post: 39" data-attributes="member: 7">
<p>Fake Bitwarden sites are pushing installers purportedly for the open-source password manager that carry a new password-stealing malware that security researchers call ZenRAT.</p>
<p>The malware is distributed to Windows users through websites that imitate the legitimate Bitwarden site and rely on typosquatting to fool potential victims.</p>
<p><strong>Focused on Windows users</strong></p>
<p>The purpose of ZenRAT is to collect browser data and credentials along with details about the infected host, a behavior consistent with an information stealer.</p>
<p>Cybercriminals can use the details to create a fingerprint of the compromised system that can be used to access an account as if the legitimate user logged in.</p>
<p>Security researchers at cybersecurity company Proofpoint discovered ZenRAT after receiving in August a sample of the malware from Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes.</p>
<p>The distribution point was “a very convincing lookalike to the real bitwarden.com” with a domain name specifically selected to trick visitors into believing they were accessing the official resource: bitwariden[.]com.</p>
<p><a href="https://www.bleepstatic.com/images/news/u/1100723/ZenRAT_fake-site.png" target="_blank"><img src="https://www.bleepstatic.com/images/news/u/1100723/ZenRAT_fake-site.png" alt="Fake Bitwarden site delivering ZenRAT" class="fr-fic fr-dii fr-draggable" /></a></p>
<table style="width: 100%"><tr><td>Fake Bitwarden site delivering ZenRAT</td></tr></table>
<p>Inside the fake Bitwarden installation package, Proofpoint researchers found a malicious .NET executable that is a remote access trojan (RAT) with info-stealing features they are now tracking as ZenRAT.</p>
<p>The malicious website provides the fake Bitwarden package only to Windows users; otherwise, it redirects to a cloned page of an opensource.com article about the password manager.</p>
<p>When trying to download the Bitwarden version for Linux or Mac, the user is redirected to the official download page of the software, Proofpoint notes.</p>
<p>The malicious Bitwarden installer for Windows is delivered from crazygameis[.]com, another fake URL for the legitimate browser-based gaming platform CrazyGames.</p>
<p><img src="https://www.bleepstatic.com/images/news/u/1100723/ZenRAT_crazygameis.png" alt="Malicious Bitwarden payload delivery" class="fr-fic fr-dii fr-draggable" /></p>
<table style="width: 100%"><tr><td>Malicious Bitwarden payload delivery</td></tr></table>
<p>The researchers don't know how potential victims land on the fake Bitwarden site, but phishing campaigns through Google ads have been used in the past to target Bitwarden users specifically.</p>
<p><strong>Stealing data, evading analysis</strong></p>
<p>Once running, ZenRAT uses WMI queries and other system tools to collect data about the host, which includes:</p>
<ul>
<li data-xf-list-type="ul">CPU Name</li>
<li data-xf-list-type="ul">GPU Name</li>
<li data-xf-list-type="ul">OS Version</li>
<li data-xf-list-type="ul">Installed RAM</li>
<li data-xf-list-type="ul">IP address and Gateway</li>
<li data-xf-list-type="ul">Installed Antivirus</li>
<li data-xf-list-type="ul">Installed Applications</li>
</ul>
<p>The details above are delivered to the command and control (C2) server in a ZIP archive that also includes data and credentials collected from the web browser.</p>
<p>Before communicating with the C2, though, ZenRAT makes sure that the host is not in a restricted region (Belarus, Kyrgyzstan, Kazakhstan, Moldova, Russia, and Ukraine).</p>
<p>The malware also checks if it is running in a virtual machine or a sandbox, a sign that researchers are analyzing it.</p>
<p>However, the researchers also discovered some strange information in the installer’s metadata, such as claiming to be the hardware info app Speccy, from Piriform.</p>
<p>Another peculiarity is data about the signer of the installer. Although the digital certificate is not valid, ZenRAT’s installer lists Tim Kosse, the developer of the open-source FileZilla FTP software, as the signer.</p>
<p>Despite having functions specific to an information stealer, Proofpoint has found evidence suggesting that the malware is designed to be modular and its capabilities can be expanded; however, no other modules have been observed in the wild.</p>
<p>The Bitwarden password manager has increased in popularity lately as it is regarded as a better alternative to other products on the market. With a growing user base, the software and its users become a target as cybercriminals take advantage.</p>
</blockquote>
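<p>The post above turns on typosquatting: bitwariden[.]com stands in for bitwarden.com and crazygameis[.]com for crazygames.com, each one keystroke away from the real name. The following is an added example, not code from the post, the article or Proofpoint, of the kind of lookalike check a defender can run over domains pulled from proxy or DNS logs. It refangs the <code>[.]</code> notation that threat-intel write-ups use, computes a Damerau-Levenshtein distance between the second-level label and a list of brands worth protecting, and flags anything within a small edit distance that is not an exact match. The brand list, the distance threshold and the sample domains are constructed here; only the two fake domains and the two real ones come from the post.</p>

```python
"""Lookalike-domain check for defanged indicators (added example, not from the article)."""
from dataclasses import dataclass

# Brands to protect. Constructed list: the two legitimate sites named in the post.
LEGIT_DOMAINS = ["bitwarden.com", "crazygames.com"]

# Constructed sample input: the two indicators from the post plus two controls.
SAMPLE_DOMAINS = [
    "bitwariden[.]com",   # fake Bitwarden site named in the post
    "crazygameis[.]com",  # payload delivery domain named in the post
    "bitwarden.com",      # the genuine site, must not be flagged
    "example.org",        # unrelated control, must not be flagged
]


def refang(domain: str) -> str:
    """Undo the '[.]' / '(.)' defanging used in threat-intel write-ups and normalise case."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution,
    and transposition of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'bitwariden' from 'www.bitwariden.com'.
    Naive on purpose: assumes a single-label TLD such as .com or .org."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


@dataclass
class Verdict:
    domain: str          # refanged domain that was checked
    closest_legit: str   # protected brand it most resembles
    distance: int        # edit distance between the two second-level labels
    suspicious: bool     # True when close to a brand but not identical to it


def check_domain(domain: str, max_distance: int = 2) -> Verdict:
    """Classify one domain against LEGIT_DOMAINS.
    An exact match is benign; a small non-zero distance is the typosquat signal."""
    refanged = refang(domain)
    label = registrable_label(refanged)
    closest = min(LEGIT_DOMAINS,
                  key=lambda legit: damerau_levenshtein(label, registrable_label(legit)))
    dist = damerau_levenshtein(label, registrable_label(closest))
    suspicious = 0 < dist <= max_distance and refanged != closest
    return Verdict(refanged, closest, dist, suspicious)


def scan(domains):
    """Run check_domain over a list of (possibly defanged) domains."""
    return [check_domain(d) for d in domains]


if __name__ == "__main__":
    for v in scan(SAMPLE_DOMAINS):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{v.domain:20} closest={v.closest_legit:16} dist={v.distance} {flag}")
```

<p>The threshold of two edits is a tuning choice, not a rule: a single inserted character catches both indicators from the post, while a larger threshold starts matching unrelated short labels. A production version would also compare against a public-suffix list rather than assuming a one-label TLD, and would look at the registrant age and certificate issuer of anything flagged before blocking it.</p>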