Newly Discovered ZenRAT Malware Targets Windows Users

Attack overview

• According to Proofpoint researchers, ZenRAT was initially discovered on a website pretending to be associated with the open-source password manager Bitwarden.
• If non-Windows users visited the bogus website, they were redirected to a cloned opensource[.]com article published in March 2018.
• The website lured users with a fake Bitwarden installer when accessed from Windows systems.
• However, if Windows users clicked on download links for Linux or macOS, they were redirected to the legitimate Bitwarden website.

More details about ZenRAT

• ZenRAT is a modular RAT with information-stealing capabilities. 
• Upon execution, it uses WMI queries and other system tools to gather system information, such as CPU name, GPU name, OS version, installed RAM, IP address, and installed antivirus and applications, from infected systems.
• The stolen information, including browser data and credentials, is sent back to the C2 server in a zip file called Data.zip. 

Information stealers continue to run rampant

• A new ValleyRAT malware was deployed alongside Sainbox RAT and Purple Fox malware in an attempt to steal sensitive information from Chinese-speaking users.
• A new Golang-based MetaStealer also appeared in the wild, targeting macOS systems. The malware was spotted a few days after the discovery of Atomic Stealer which masqueraded as a fake TradingView app to target macOS users. 

Conclusion