drd4
(drd4)
April 8, 2023, 6:53pm
After installing Bitwarden for Windows, 2 malwares + 57 suspicious behaviors were detected.
1 of the 2 malware codes is an injection of malicious instructions into a running process.
Report can be found here: hybrid-analysis sandbox bitwarden installation
Has anybody analysed those detections?
OK, this is not an analysis. Just adding info, and any info added is not meant to refute that there is a malware.
The link that you included shows a Falcon sandbox report on the v2023.3.2 BW installation file which:
Found a string that may be used as part of an injection method
Flagged util.vbs as "BehavesLike.VBS.Dropper"
util.vbs appears to be flagged by McAfee-GW-Edition (VirusTotal), although this file appears to be distributed by Microsoft itself.
The sandboxes on VirusTotal don't flag the installation file as suspicious (VirusTotal).
Going back to v2023.3.1, again, the sandboxes on VirusTotal don't flag this version either (VirusTotal), although Falcon Sandbox seems to flag the file similarly to v2023.3.2, without extracting and analyzing util.vbs (Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'Bitwarden-Installer-2023.3.1.exe').
If util.vbs is really distributed by Microsoft, and it has a malware behavior, then this issue is most likely widespread.
No clue about the suspicious injection string (MITRE T1055.004 Process Injection: Asynchronous Procedure Call, Sub-technique T1055.004 - Enterprise | MITRE ATT&CK®).
Yes, and apparently, Falcon sandbox has been giving this suspicious/malicious verdict since the installer version 1.30.0 (Dec 2021).
dwbit
(dwbit)
April 11, 2023, 7:11pm
Thanks all, reviewing with the team.
drd4
(drd4)
May 9, 2023, 8:29pm
Did you get any explanation about the detections in the code of the Bitwarden app?
Also note that in version 2023.4.0, even when no vendor flags it, there have been changes that trigger the scary-looking "critical" crowdsourced Sigma rule:
2023.4.0: VirusTotal
2023.3.2: VirusTotal
This looks scary enough for me to skip the updates for a few versions.
dwbit
(dwbit)
May 10, 2023, 11:29am
Thanks, sharing with the team.