ZenRAT Malware Distributed by Spoofing Legitimate App

A new type of malicious software known as ZenRAT has surfaced in the wild. It is distributed through deceptive installation packages that mimic a legitimate password manager application.

Enterprise security firm Proofpoint has reported that ZenRAT specifically targets Windows users and redirects users on other operating systems to harmless web pages. This malware is a modular remote access trojan (RAT) capable of stealing information.

ZenRAT is found on counterfeit websites pretending to be affiliated with the genuine app. The means by which traffic is directed to these domains is unclear. In the past, similar malware has been spread through methods like phishing, malvertising, or SEO poisoning attacks.

The payload, which can be downloaded from crazygameis[.]com, is a tampered version of the standard app installation package, containing a malicious .NET executable called ApplicationRuntimeMonitor.exe.

An interesting aspect of this campaign is that non-Windows users who visit the deceptive website are redirected to a cloned article from opensource.com published in March 2018 about managing passwords using legitimate tools. Meanwhile, Windows users who click on download links labeled for Linux or macOS on the Downloads page are directed to the legitimate app's site.

ZenRAT Attempts to Disguise Itself

An examination of the installer's metadata shows that the threat actor attempted to disguise the malware as Speccy, a free Windows utility for displaying hardware and software information.

The digital signature used to sign the executable is not only invalid but also falsely claims to be signed by Tim Kosse, a well-known German computer scientist known for creating the free cross-platform FTP software FileZilla.
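The two disguise techniques described above, an Authenticode signature that is invalid yet names a well-known developer, and version metadata that claims to be a different product, are both visible before an installer is ever run. The following added example (not from the article or the Proofpoint report) checks a downloaded installer against the publisher and product name the download page advertised; the publisher and product names passed as parameters are placeholders, since the article does not name the impersonated application.

```powershell
# Added example: pre-install identity check for a downloaded installer.
# Flags (1) a signature that does not verify, (2) a signer whose name does not
# match the expected vendor, and (3) a PE ProductName (e.g. "Speccy") that does
# not match the app the download page claimed to offer.
function Test-InstallerIdentity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher,  # placeholder: CN expected in the signer certificate
        [Parameter(Mandatory)] [string] $ExpectedProduct     # placeholder: product name the download page advertised
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Authenticode status: anything other than Valid means hash or chain did not verify.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature status is '$($sig.Status)': $($sig.StatusMessage)")
    }

    # 2. Signer identity: an invalid signature can still carry any name the attacker
    #    chose (the article's "Tim Kosse" claim), so compare the subject explicitly.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($subject -notlike "*CN=$ExpectedPublisher*") {
        $findings.Add("signer subject '$subject' does not name expected publisher '$ExpectedPublisher'")
    }

    # 3. Version resource: ProductName embedded at build time should match the advertised app.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    if ($vi.ProductName -and $vi.ProductName -notlike "*$ExpectedProduct*") {
        $findings.Add("version info ProductName '$($vi.ProductName)' does not match '$ExpectedProduct'")
    }

    [pscustomobject]@{
        Path     = $Path
        Trusted  = ($findings.Count -eq 0)
        Signer   = $subject
        Product  = $vi.ProductName
        Findings = $findings
    }
}

# Usage (placeholder values):
# Test-InstallerIdentity -Path .\installer.exe -ExpectedPublisher 'Expected Vendor' -ExpectedProduct 'Expected Password Manager'
```

A result with `Trusted = $false` is a reason to stop and obtain the installer from the vendor's own site, not a reason to click through the SmartScreen prompt.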

Upon launching, ZenRAT collects information about the host, including CPU and GPU details, the operating system version, browser credentials, installed applications, and security software. This information is sent to a command-and-control (C2) server (185.186.72[.]14) operated by the threat actors.

Proofpoint explains that the client initiates communication with the C2 server, and the first packet it sends is consistently 73 bytes in size. ZenRAT is configured to transmit its logs to the server in plaintext; these logs record the various system checks the malware performs and the execution status of each module, which underlines its design as a "modular, expandable implant."

September 28, 2023
