
New Trojan ZenRAT masquerades as Bitwarden password manager

Furthermore, the file’s digital signature — which is broken and invalid — claims to be that of the developer of the open-source FileZilla FTP/SFTP software.

When executed, the installer drops an executable called ApplicationRuntimeMonitor.exe into C:\Users\[username]\AppData\Roaming\Runtime Monitor\ and runs it. This file’s metadata again claims to be something else, an application created by Monitoring Legacy World Ltd.
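The two installer traits described above (the fixed drop location and the mismatch between a broken signature and the publisher the binary claims to be from) are enough to write a simple triage rule. The following is an added example, not code from the original article or from the researchers: it scans constructed, simplified process-creation records (the field names and sample lines are invented for this example) and reports why each one matches.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators taken from the article: the drop directory, the dropped image
# name, and the company string the dropped file's metadata claims.
DROP_DIR_RE = re.compile(r"\\AppData\\Roaming\\Runtime Monitor\\", re.IGNORECASE)
DROPPED_IMAGE = "ApplicationRuntimeMonitor.exe"
CLAIMED_COMPANY = "Monitoring Legacy World Ltd"

# Constructed sample events in a simplified "key=value|key=value" layout.
# These are made up for the example; they are not real telemetry.
SAMPLE_EVENTS = [
    "Image=C:\\Users\\alice\\AppData\\Roaming\\Runtime Monitor\\ApplicationRuntimeMonitor.exe"
    "|Company=Monitoring Legacy World Ltd|Signed=true|SignatureStatus=Invalid",
    "Image=C:\\Windows\\System32\\notepad.exe"
    "|Company=Microsoft Corporation|Signed=true|SignatureStatus=Valid",
    "Image=C:\\Users\\bob\\Downloads\\Bitwarden-Installer.exe"
    "|Company=Bitwarden|Signed=true|SignatureStatus=Invalid",
]


@dataclass
class Finding:
    image: str
    reasons: List[str]


def parse_event(line: str) -> dict:
    """Split one 'key=value|key=value' record into a dict of fields."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def inspect_event(fields: dict) -> List[str]:
    """Return every reason this event resembles the ZenRAT installer chain."""
    reasons = []
    image = fields.get("Image", "")
    if DROP_DIR_RE.search(image):
        reasons.append("executable launched from the Runtime Monitor drop directory")
    if image.lower().endswith(DROPPED_IMAGE.lower()):
        reasons.append("image name matches the dropped payload")
    # A signature that is present but does not validate means the binary
    # was tampered with or the signature was forged; either deserves review.
    if fields.get("Signed", "").lower() == "true" and fields.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature present but not valid")
    if fields.get("Company") == CLAIMED_COMPANY:
        reasons.append("file metadata claims the same publisher as the dropped ZenRAT binary")
    return reasons


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run inspect_event over each record and keep only those with findings."""
    findings = []
    for line in lines:
        fields = parse_event(line)
        reasons = inspect_event(fields)
        if reasons:
            findings.append(Finding(fields.get("Image", ""), reasons))
    return findings
```

Running `scan(SAMPLE_EVENTS)` flags the dropped binary on all four indicators and the fake installer on its broken signature alone, while the validly signed Notepad record produces nothing.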

Upon execution, ZenRAT collects system information and sends it to the command-and-control (C2) server. This includes the CPU and GPU names, the OS version, the amount of RAM, the IP address and gateway address, the installed antivirus program, and a list of installed applications. It also captures credentials saved in browsers and sends them to the C2 server.

The malware is a modular RAT

The communication between the RAT and the C2 includes commands for executing and updating modules. Modules are components that add functionality, and attackers can deliver them to chosen victims after analyzing the initially captured information.

“The existence of the Task and Module ID fields implies that ZenRAT is designed to be a modular, extendable implant,” the researchers said. “At this time, we have not observed other modules being used in the wild.”

Another interesting command asks the trojan to send the logs of the tasks it executed and completed back to the server. These include various checks performed on the system, among them the result of attempts to detect whether it was executed in a virtual machine, which could indicate an automated malware scanner. Another check is for the language of the system: the malware does not install on systems whose language belongs to a former Soviet Union country. This is a common check that malware authors from Russia and the CIS countries perform on systems, supposedly to avoid becoming a focus of local law enforcement in their own countries.
