Malware detected after install of Bitwarden Windows

After installing Bitwarden for windows 2 Malwares + 57 suspicious behavior detected.

1 of 2 malwares code is an injection of malicious instructions in a running process. :scream:

Report can be foud here: hybrid-analysis sandbox bitwarden installation

Does anybody have analysed those detections ?

1 Like

OK, this is not an analysis. Just adding info, and any info added is not meant to refuse that there is a malware.

The link that you included shows a Falcon sandbox report on the v2023.3.2 BW installation file which

  1. Found a string that may be used as part of an injection method
  2. Flagged util.vbs as “BehavesLike.VBS.Dropper”

util.vbs appears to be flagged by McAfee-GW-Edition (VirusTotal) although this file appears to be distributed by Microsoft itself.

The sandboxes on VirusTotal don’t flag the installation file as suspicious (VirusTotal).

Going back to v2023.3.1, again, the sandboxes on VirusTotal don’t flag this version either. (VirusTotal), although Falcon Sandbox seems to flag the file similarly to v2023.3.2, without extracting and analyzing util.vbs (Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'Bitwarden-Installer-2023.3.1.exe').

If util.vbs is really distributed by Microsoft, and it has a malware behavior, then this issue is most likely widespread.

No clue about the suspicious injection string (MITRE T1055.004 Process Injection: Asynchronous Procedure Call, Sub-technique T1055.004 - Enterprise | MITRE ATT&CK®).

2 Likes

its clear VirusTotal

1 Like

Yes, and apparently, Falcon sandbox has been giving this suspicious/malicious verdict since the installer version 1.30.0 (Dec 2021).

1 Like

Thanks all, reviewing with the team.

1 Like

Did you get any explanation about the detections in the code of the Bitwarden app ?

Also note that in version 2023.4.0, even when no vendor flags it, there have been changes that triggers the scary looking “critical” crowdsourced sigma rule:

2023.4.0: VirusTotal

2023.3.2: VirusTotal

This looks scary enough for me to skip the updates for a few versions.

Thanks, sharing with the team.

OK, for 2023.5.0. All these warnings are gone now. Although the hybrid-analysis’ test on Windows 10 completely failed at this point.

@bw-admin Thanks for possibly addressing at least the oilrig sigma rule.