A novel and concerning malware variant known as ZenRAT has surfaced in the digital landscape. This malware is being disseminated through deceptive installation packages masquerading as legitimate password manager software. It is worth noting that ZenRAT primarily focuses its malicious activities on Windows operating system users. To filter out its victims, users on other systems will be rerouted to harmless Web pages.
Cybersecurity experts have diligently examined and documented this emerging threat in a comprehensive technical report. According to their analysis, ZenRAT falls into the category of modular Remote Access trojans (RATs). Moreover, it exhibits the ability to stealthily exfiltrate sensitive information from infected devices, intensifying the potential risks it poses to victims and organizations.
ZenRAT Poses as a Legitimate Password Manager
ZenRAT is concealed within counterfeit websites, falsely posing as those for the legitimate application. The method by which traffic is funneled to these deceptive domains remains uncertain. Historically, this form of malware has been disseminated through a variety of means, including phishing, malvertising, and SEO poisoning attacks.
The payload retrieved from crazygameis(dot)com is a tampered version of the standard installation package, harboring a malicious .NET executable named ApplicationRuntimeMonitor.exe.
An intriguing aspect of this campaign is that users who inadvertently land on the fraudulent website from non-Windows systems are redirected to a duplicated article from opensource.com, originally published in March 2018. Furthermore, Windows users who click on download links designated for Linux or macOS on the Downloads page are rerouted to the official website of the legitimate program.
A ZenRAT Infection can Have Devastating Consequences
Once activated, ZenRAT collects information about the host system, including the CPU type, GPU model, operating system version, browser credentials, and a list of installed applications and security software. This data is then sent to a Command-and-Control (C2) server operated by the threat actors, which has the IP address 185.186.72[.]14.
The client establishes communication with the C2 server, and regardless of the command issued or any additional data transmitted, the initial packet sent is consistently 73 bytes in size.
ZenRAT is additionally configured to transmit its logs to the server in plain text. These logs record a series of system checks performed by the malware and provide information about the status of the execution of each module. This functionality highlights its role as a modular and expandable implant.
Threatening software is frequently distributed through files that pretend to be authentic application installers. It's crucial for ultimate consumers to exercise caution by exclusively downloading software from reputable sources and verifying that the domains hosting software downloads match those associated with the official website. Additionally, individuals should exercise caution when encountering advertisements in search engine results, as this has emerged as a significant source of infections of this kind, particularly in the past year.