Security researchers have observed an unknown threat actor using phony websites that imitate Bitwarden to trick users into downloading and installing a new information-stealing malware called ZenRAT.
The fake website is nearly identical to the legitimate Bitwarden password manager download site. The only difference is that the imposter site is hosted on a carefully typo-squatted domain, bitwariden[.]com.
Screenshot of the fake download site. Source: Bleeping Computer.
Users are only directed to the malicious installer if they choose the Windows download option. Otherwise, the user is directed to the official Bitwarden site for Mac and Linux downloads.
Although the fake site is hosted on bitwariden[.]com, the ZenRAT install is pulled from crazygameis[.]com, another typo-squatted domain.
Once installed, ZenRAT malware is capable of collecting data from its victim’s system and browser, including credentials, and subsequently uploading the data to a command and control (C2) server. Interestingly, before communicating with the C2, ZenRAT ensures that its victim is not in Belarus, Kyrgyzstan, Kazakhstan, Moldova, Russia, or Ukraine.
Researchers aren’t certain how victims find their way to the fake Bitwarden site. However, they noted that phishing campaigns and sponsored ads have historically been used for this purpose.
The popularity of Bitwarden and other password management software has increased as internet users adopt stronger and more complex passwords. That added complexity makes passwords harder to remember, so users are increasingly turning to password managers for secure password storage.
The cruel irony of this campaign cannot be overlooked. Users seeking to download legitimate software to secure their passwords instead receive malware designed to steal their passwords. Obviously, the threat actor behind this campaign dug deep into their bag of evil tricks while conceiving it.
Field Effect was unable to observe any sponsored search advertisements for the fake Bitwarden download site. However, Field Effect did recently observe IcedID actors using a Google ad to direct users to a fake Webex download site that hosted a trojanized Webex download file. It is therefore plausible that potential victims are being directed to the fake download site the same way.
Field Effect recommends that users scrutinize the results of searches for software they intend to download and install. Check for things like spelling mistakes, poor grammar, typo-squatted domains, and inconsistent branding before downloading any files.
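One way to turn the typo-squatted-domain check above into something a defender can run over proxy logs or search results, as an added example that is not part of Field Effect's write-up (the allow-list, the distance threshold and the sample URLs are assumptions):

```python
"""Flag look-alike download domains by edit distance against an allow-list of
legitimate brand domains. Added example; allow-list and threshold are assumed."""

from typing import Optional, Tuple
from urllib.parse import urlparse

# Assumed allow-list a defender maintains for software their users download.
LEGITIMATE_DOMAINS = {"bitwarden.com", "webex.com"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Host part of a URL with a leading 'www.' dropped (no public-suffix handling)."""
    host = urlparse(url if "//" in url else "//" + url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def classify(url: str, max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return ('legitimate' | 'lookalike' | 'unknown', matched brand domain or None).

    A small edit distance to a brand domain that is not the brand domain itself is
    the signature of a typo-squat such as the one described in the write-up."""
    host = registrable_domain(url)
    if host in LEGITIMATE_DOMAINS:
        return "legitimate", host
    for legit in LEGITIMATE_DOMAINS:
        if levenshtein(host, legit) <= max_distance:
            return "lookalike", legit
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample URLs; the second mirrors the campaign's look-alike domain.
    for u in ["https://bitwarden.com/download/", "https://bitwariden.com/",
              "https://example.org/"]:
        print(u, "->", classify(u))
```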