Cyber Espionage: ZenRAT Strikes Windows Users
A new malware strain menacingly titled ZenRAT is on the loose, primarily attacking unsuspecting Windows users, according to enterprise security firm Proofpoint. In a brazen act of cyber trickery, the malware masquerades as the well-known Bitwarden password manager. However, the trickery doesn’t just stop there.
ZenRAT cleverly targets only Windows users, adeptly redirecting other operating system users to a benign web page. Disguising itself via fake installation packages of Bitwarden, the malicious software is capable of redirecting traffic to ill-intended websites whose affiliation to Bitwarden is nonexistent. The method of leading traffic to these dubious domains remains unclear.
In a twist of irony, the deceptive strain of malware displays its fullest wickedness by posing as Bitwarden, a tool designed to safely manage passwords. The infectious payload, notably named Bitwarden-Installer-version-2023-7-1.exe, is covertly harbored on crazygameis[.]com and carries within it a malignant .NET executable labeled as ApplicationRuntimeMonitor.exe.
To add to its camouflaging prowess, ZenRAT mimics Piriform's Speccy by manipulating its file metadata. More brazenly, the invalid digital certificate it carries claims it is signed by Tim Kosse, a developer renowned for his work on FileZilla.
Once allowed into a host system, ZenRAT comes into full action by collecting host information and swiftly shipping it to a command-and-control server controlled by the threat actors. The malware functions as a modular, extensible implant, transmitting logs in plaintext that record system checks and each module's execution status. Installed applications, browser credentials, operating system version, and even the specific GPU and CPU names are among the chillingly personal information ZenRAT is capable of swiping.
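The indicators the article gives (the lure file name, the hosting domain, and the embedded .NET executable name) are enough to build a simple proxy-log check. The following is an added example, not code from the article or from Proofpoint; the log format, the sample log lines, and the allowlist of legitimate Bitwarden download hosts are constructed assumptions for the demonstration. It flags hits on the published indicators and, more generally, any Bitwarden-branded installer fetched from a host outside the allowlist.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from the article; the domain is defanged there as crazygameis[.]com.
ZENRAT_DOMAINS = {"crazygameis.com"}
ZENRAT_FILENAMES = {
    "Bitwarden-Installer-version-2023-7-1.exe",  # lure installer name
    "ApplicationRuntimeMonitor.exe",             # embedded .NET payload name
}

# Assumed allowlist for this example: hosts the genuine Bitwarden client is expected to come from.
TRUSTED_BITWARDEN_HOSTS = {"bitwarden.com"}

# Assumed proxy log format: "<timestamp> <client-ip> GET <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) GET (?P<url>\S+) (?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://(?P<host>[^/]+)(?P<path>/.*)?$", re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    src: str
    url: str
    reason: str


def split_url(url: str) -> Tuple[Optional[str], str]:
    """Return (host, filename) for a URL; host is None if the URL is malformed."""
    m = URL_RE.match(url)
    if not m:
        return None, ""
    host = m.group("host").lower().split(":")[0]   # drop any port
    path = m.group("path") or "/"
    filename = path.rsplit("/", 1)[-1]
    return host, filename


def is_trusted_bitwarden_host(host: str) -> bool:
    return host in TRUSTED_BITWARDEN_HOSTS or any(
        host.endswith("." + trusted) for trusted in TRUSTED_BITWARDEN_HOSTS
    )


def classify(host: str, filename: str) -> Optional[str]:
    """Return a reason string if the request looks like ZenRAT delivery, else None."""
    if host in ZENRAT_DOMAINS:
        return "known ZenRAT distribution domain"
    if filename in ZENRAT_FILENAMES:
        return "known ZenRAT file name"
    # Generalisation of the lure: an .exe that borrows the Bitwarden name
    # but is not served from a trusted Bitwarden host.
    lowered = filename.lower()
    if lowered.endswith(".exe") and "bitwarden" in lowered and not is_trusted_bitwarden_host(host):
        return "Bitwarden-branded installer from untrusted host"
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run the classifier over proxy log lines; malformed lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host, filename = split_url(m.group("url"))
        if host is None:
            continue
        reason = classify(host, filename)
        if reason:
            findings.append(Finding(m.group("ts"), m.group("src"), m.group("url"), reason))
    return findings


# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    "2023-09-27T10:00:01Z 10.0.0.5 GET https://crazygameis.com/Bitwarden-Installer-version-2023-7-1.exe 200",
    "2023-09-27T10:01:11Z 10.0.0.6 GET https://bitwarden.com/download/ 200",
    "2023-09-27T10:02:30Z 10.0.0.7 GET https://mirror.example.test/Bitwarden-Setup.exe 200",
    "2023-09-27T10:03:00Z 10.0.0.8 GET https://cdn.example.test/ApplicationRuntimeMonitor.exe 200",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.url} -> {f.reason}")
```

The third rule is the one worth keeping after the specific indicators go stale: a file name that borrows a password manager's brand from a host that is not the vendor's is the pattern the article describes, regardless of which domain happens to host it this week.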
With the surfacing ZenRAT on the heels of the Lumma Stealer malware, cybersecurity experts insist on the importance of downloading software exclusively from trusted sources and actively checking website authenticity, to prevent such threats.
Lumma Stealer, which has been terrorizing the manufacturing, retail, and business industries since August 2023, uses disguises similar to ZenRAT's, distributing itself via counterfeit installers, including ones posing as the Chrome and Edge browsers. In a simultaneously emerging campaign, cyber thieves have been exploiting the names of respected platforms such as Google Business Profile and Google Sheets to discreetly plant the Stealc malware under the appealing disguise of a security update.
To stay at par with the ever-evolving threatscape, individuals are encouraged to sign up for free cybersecurity news, insights, and tips. The continually mutating methods employed to spread malicious software, such as ZenRAT, demand ceaseless vigilance from every internet user.