News Heading - 1

ZenRAT: Novel Malware Distributed Via Fake Bitwarden Installers

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

A new remote access trojan (RAT), ZenRAT, was found concealed within fake installation packages for the password manager Bitwarden.

Primarily targeting Windows users, this information-stealing malware was hosted on a fake website impersonating Bitwarden, researchers at Proofpoint revealed. The mode of distribution has not been confirmed; based on similar past incidents, it is believed that victims were directed to the dubious domains via phishing emails, SEO poisoning, and adware bundles.

The seemingly legitimate website selectively displays the fake Bitwarden download to Windows users, while non-Windows users are redirected to a cloned opensource.com article titled "How to Manage Your Passwords with Bitwarden, a LastPass Alternative."

Moreover, Windows users clicking on the Linux or macOS download links are redirected to the legitimate Bitwarden site.

The counterfeit installer was first reported on VirusTotal in July 2023 under a different name. Claiming to be "Piriform's Speccy," a system information gathering application, the installer also pretended to carry the digital signature of Tim Kosse, an open-source software developer known for the FileZilla FTP/SFTP software.

ZenRAT, posing as ApplicationRuntimeMonitor.exe, uses WMI queries and other system tools upon execution to gather information about the host. It collects data such as the IP address, CPU, GPU and RAM details, OS version, installed applications, and antivirus software.

Subsequently, these details, along with browser credentials and data, are transferred to its command-and-control (C2) server using a unique C2 protocol.

ZenRAT is configured to support different command IDs, which it uses to transmit its logs in plaintext to the C2 server. These logs disclose various checks performed by the malware, including mutex creation, anti-virtualization, system, and geo-restriction checks. The investigation further revealed that the malware was designed to be a "modular, extendable implant."

To mitigate such threats, Proofpoint researchers advise users to be wary of software application ads that appear in search engine results. "End users should be mindful of only downloading software directly from the trusted source, and always check the domains hosting software downloads against domains belonging to the official website."

News Heading - 2

T-Mobile Denies Data Breach While Exposing Some Customer Data in a System Glitch

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

Mobile telecom company T-Mobile denied claims of being breached for a third time this year. The incident came to light when a threat actor going by the alias "emo" posted the leaked data on BreachForums for free.

The 90GB of exfiltrated data posted on the hacking forum includes employee IDs, job titles, departments, rehire and termination dates, addresses, partial Social Security Numbers, email addresses, customer data, and other information.

However, T-Mobile has denied the claim, stating that the leaked data belongs to one of its authorized retailers. "[..] The data being referred to online is believed to be related to an independently owned authorized retailer from their incident earlier this year. T-Mobile employee data was not exposed," the company said.

By titling the post "T-Mobile | Connectivity Source (one of T-Mobile's authorized retailers)," the hacker does connect the breach to both companies; the post, however, claims the stolen data belongs to T-Mobile.

The news was first shared by malware researchers VX-Underground, who in posts on X (formerly Twitter) claim the exposure is a result of T-Mobile's April 2023 breach.

Over the years, the telecom giant has been breached several times. "This is T-Mobile's 8th breach since 2018," VX-Underground states.

In addition to last week's hacking incident, T-Mobile also suffered a system malfunction that accidentally exposed the personal information of its customers. The exposure was noticed when some customers complained about the issue on Reddit and X.

The posts said that upon logging into the company's app, customers could view other customers' personal information, including plan and financial details. Regarding the incident, the company disclosed that the leak was caused by an overnight update and involved fewer than 100 customers' information.

Both incidents involve customer or employee information, which threat actors can use to commit financial fraud or to send targeted phishing emails or SMS messages.