![]() Looking at the details of the installer, we can see that the digital signature is not valid, but more interestingly, the installer is claiming to be Piriform’s Speccy – a software application for gathering system specifications.įigure 5: The file metadata for the malicious bitwarden installer claims that it is Speccy, an application that is used to gather information (specs) about the system on which the application is run. The malicious installer, Bitwarden-Installer-version-.exe appears to have been first reported on VirusTotal on 28 July 2023, under a different name CertificateUpdate-version1-102-90.įigure 4: So far, the installer sample has been seen twice in relatively close proximity under two entirely different names. The domain registrar for both domains appears to be NiceNIC International Group, while the sites themselves appear to be hosted on Cloudflare. This payload is hosted on the domain crazygameiscom, which as of this writing no longer appears to be hosting the payload:įigure 3: When Windows users click either the Download button or the desktop installer for Windows option, a request is made to crazygameiscom to retrieve the malicious Bitwarden installer. Clicking the Download button or the Desktop installer for Windows download button results in an attempt to download Bitwarden-Installer-version-.exe. Additionally, if Windows users click download links marked for Linux or MacOS on the Downloads page, they are instead redirected to the legitimate Bitwarden site,. The website instead masquerades as the legitimate website “”, going so far as to clone an article from by Scott Nesbitt, about the Bitwarden password manager. This screen capture was taken using Mozilla Firefox on Ubuntu 22.04. If a non-Windows user attempts to navigate to this domain, the page changes to something entirely different.įigure 2: If a non-Windows user attempts to visit the malicious website, they are instead redirected to a cloned article. The malicious website only displays the fake Bitwarden download if a user accesses it via a Windows host. It is uncertain as to how traffic is being directed to this domain. bears a remarkable resemblance in theme with. NET executable that we have dubbed “ZenRAT”.Īt this time, it is unknown how the malware is being distributed, however historic activities that have masqueraded as fake software installers have been delivered via SEO Poisoning, adware bundles, or via email.įigure 1: Fake Bitwarden website, bitwaridencom. Packaged with a standard Bitwarden installation package is a malicious. The sample was initially discovered on a website pretending to be associated with Bitwarden, bitwaridencom, a very convincing lookalike to the real. On 10 August 2023, Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes shared a malware sample that was being distributed as a part of a Windows software installation package. Proofpoint Emerging Threats often receives tips from the community leading to the investigation and detection of novel malware. The malware is a modular remote access trojan (RAT) with information stealing capabilities. ![]() At this time, it is unknown how the malware is being distributed. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |