Fake Bitwarden installation packages delivered RAT to Windows users

Windows users looking to install the Bitwarden password manager may have inadvertently installed a remote access trojan (RAT).

The ZenRAT malware

A malicious website spoofing Bitwarden’s legitimate one (located at bitwariden[.]com) has been offering fake installation packages containing the ZenRAT malware.

The fake Bitwarden website. (Source: Proofpoint)

The spoofed website and the booby-trapped Bitwarden installer was offered for download only to Windows users; Mac and Linux users were shown a different version of the landing page.

“The website instead masquerades as the legitimate website opensource.com, going so far as to clone an article from opensource.com by Scott Nesbitt, about the Bitwarden password manager. Additionally, if Windows users click download links marked for Linux or MacOS on the Downloads page, they are instead redirected to the legitimate Bitwarden site, vault.bitwarden.com,” Proofpoint researchers shared.

If the user clicks on the Windows download button, the fake installer gets downloaded on their device.

“The malware is a modular remote access trojan (RAT) with information stealing capabilities. It has an array of anti-VM and anti-sandbox checks that it performs on the host to determine whether it is safe to operate, including a geofencing check to make sure it won’t be installed in various Russian speaking areas,” Selena Larson, senior threat intelligence analyst at Proofpoint, told Help Net Security.

“It exhibits modular capability: modules which have specific functionality can be downloaded on command post-infection. The only module Proofpoint has observed in the wild so far is a browser information stealing module. The modules we observed required specific arguments in order to run on the infected host.”

Larson also told us that they observed the malware encrypting and uploading browser data and credentials from the module running on the infected system to the C2 server, alongside system information.

The only thing they don’t know is how the malware is being distributed, i.e., how the victims land on the spoofed page. In the past, fake software installers have been delivered via SEO poisoning, adware bundles, or via email.

Fake software installers often masquerading as legitimate apps

Fake software installers pretending to be legitimate applications are not new. Users are often searching for desktop or mobile apps to download, often hoping to find free versions of popular paid apps or services.

Knowing this, cybercriminals often leverage malvertising via Google Ads to lead them to fake installers.

“End users should be mindful of only downloading software directly from the trusted source, and always check the domains hosting software downloads against domains belonging to the official website. People should also be wary of ads in search engine results, since that seems to be a major driver of infections of this nature, especially within the last year,” Proofpoint researchers recommend.