Malware detected after install of Bitwarden Windows

drd4 · April 8, 2023, 6:53pm

After installing Bitwarden for windows 2 Malwares + 57 suspicious behavior detected.

1 of 2 malwares code is an injection of malicious instructions in a running process.

Report can be foud here: hybrid-analysis sandbox bitwarden installation

Does anybody have analysed those detections ?

Neuron5569 · April 10, 2023, 5:45am

OK, this is not an analysis. Just adding info, and any info added is not meant to refuse that there is a malware.

The link that you included shows a Falcon sandbox report on the v2023.3.2 BW installation file which

Found a string that may be used as part of an injection method
Flagged util.vbs as “BehavesLike.VBS.Dropper”

util.vbs appears to be flagged by McAfee-GW-Edition (VirusTotal) although this file appears to be distributed by Microsoft itself.

The sandboxes on VirusTotal don’t flag the installation file as suspicious (VirusTotal).

Going back to v2023.3.1, again, the sandboxes on VirusTotal don’t flag this version either. (VirusTotal), although Falcon Sandbox seems to flag the file similarly to v2023.3.2, without extracting and analyzing util.vbs (Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'Bitwarden-Installer-2023.3.1.exe').

If util.vbs is really distributed by Microsoft, and it has a malware behavior, then this issue is most likely widespread.

No clue about the suspicious injection string (MITRE T1055.004 Process Injection: Asynchronous Procedure Call, Sub-technique T1055.004 - Enterprise | MITRE ATT&CK®).

Eugene99 · April 10, 2023, 10:43am

its clear VirusTotal

Neuron5569 · April 10, 2023, 10:57am

Yes, and apparently, Falcon sandbox has been giving this suspicious/malicious verdict since the installer version 1.30.0 (Dec 2021).

bw-admin · April 11, 2023, 7:11pm

Thanks all, reviewing with the team.

drd4 · May 9, 2023, 8:29pm

Did you get any explanation about the detections in the code of the Bitwarden app ?

Neuron5569 · May 10, 2023, 1:26am

Also note that in version 2023.4.0, even when no vendor flags it, there have been changes that triggers the scary looking “critical” crowdsourced sigma rule:

2023.4.0: VirusTotal

2023.3.2: VirusTotal

This looks scary enough for me to skip the updates for a few versions.

bw-admin · May 10, 2023, 11:29am

Thanks, sharing with the team.

Neuron5569 · June 16, 2023, 2:15am

OK, for 2023.5.0. All these warnings are gone now. Although the hybrid-analysis’ test on Windows 10 completely failed at this point.

@bw-admin Thanks for possibly addressing at least the oilrig sigma rule.