The notorious financially motivated FIN7 cybercrime group is disguising a backdoor, known as Lizar, as a Windows pen-testing tool for ethical hackers. FIN7 poses as a legitimate organization offering a security analysis system, and according to researchers it goes to considerable lengths to make that front convincing. The group employs workers who do not even know that they are handling actual malware or that their employer is a criminal organization.
Since 2015, FIN7 has targeted casual-dining restaurants, casinos, and hotels through point-of-sale systems. Typically, the gang uses malware-laden phishing attempts to infiltrate networks in order to obtain and sell bank card data. Researchers have also observed it adding ransomware and data exfiltration to its mix since 2020, carefully picking targets by revenue with the help of the ZoomInfo service.
Its choice of malware is continually evolving, and it sometimes uses previously unseen samples that take experts by surprise. But its go-to tool is the Carbanak Remote Access Trojan (RAT), which earlier analyses found exceedingly intricate and complex compared to its peers. Carbanak is usually used for reconnaissance and for maintaining access to the network.
However, the gang was recently identified using a new type of backdoor, named Lizar by researchers. According to their recent investigation, the current version has been in operation since February with a robust set of data-retrieval and lateral-movement capabilities.
“Lizar is a complicated and diverse toolkit,” the firm says. “It is still being developed and tested, but is now commonly used for controlling infected computers, especially in the US.”
Gambling organizations, a number of educational and pharmaceutical institutions in the United States, a Germany-based IT company, and an institution in Panama have so far been among its victims.
Within the Lizar Toolkit by FIN7
Researchers say the Lizar toolkit structurally resembles Carbanak: it has a loader and numerous plugins for specific purposes. They run together on an infected system and can be combined into the Lizar bot client, which communicates with the remote server.
According to the analysis, the bot's modular architecture makes it scalable and allows all of the components to be developed independently. “Three types of bots were found: DLL, EXE, and PowerShell scripts running a DLL in the PowerShell process's address space.”
According to the researchers, the server delivers plugins to the loader, and they are executed when a given action is performed in the Lizar client application.
The six stages of the plugins' lifecycle are as follows:
- In the Lizar client application interface, the user selects a command;
- The Lizar server receives the selected command information;
- The server identifies the appropriate plugin in its plugin directory and sends it to the loader;
- The loader executes the plugin in a specially allocated heap memory area and records the plugin's execution results;
- The server retrieves the plugin's results and sends them to the client;
- The client application displays the plugin's results.
The plugins are designed to load other instruments like Mimikatz or Carbanak, retrieve victim machine information, capture screenshots, collect passwords, extract browsing history, and more.
The specific bot commands are as follows:
- Command Line – get CMD on the infected system;
- Executer – launch an additional module;
- Grabber – run one of the plugins that collect passwords from browsers, Remote Desktop Protocol and the Windows OS;
- Info – retrieve information about the system;
- Jump to – migrate the loader to another process;
- Kill – stop a plugin;
- List Processes – get a list of processes;
- Mimikatz – run Mimikatz;
- Network analysis – run one of the plugins to retrieve Active Directory and network information;
- New session – create another loader session (run a copy of the loader on the infected system);
- Rat – run Carbanak; and
- Screenshot – take a screenshot.
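As an added defender-side example (not from the article, nor from the researchers or eScan), the following Python maps several of the bot capabilities listed above (the PowerShell bot variant, Mimikatz/Grabber credential theft, "Jump to" loader migration and the "Command Line" action) to checks over endpoint telemetry. The event shape, field names, image paths and sample records are all constructed assumptions modelled loosely on Sysmon-style process-create, process-access and remote-thread records; none of the values are Lizar indicators.

```python
"""Rule set mapping the Lizar bot commands described above to telemetry checks.

Added example: the Event shape and every sample value below are constructed
assumptions (hypothetical hosts and paths), not indicators from the article.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process_create", "process_access" or "remote_thread"
    image: str           # acting process image path
    parent: str = ""     # parent image (process_create)
    target: str = ""     # target image (process_access / remote_thread)
    cmdline: str = ""    # command line (process_create)
    access: int = 0      # requested access mask (process_access)


PROCESS_VM_READ = 0x0010           # Win32 right needed to read LSASS memory
TRUSTED_PARENTS = ("explorer.exe", "services.exe", "winlogon.exe")
SYSTEM_DIR = r"c:\windows\system32"


def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_powershell_inmemory_dll(ev):
    """PowerShell bot: a DLL executed inside the PowerShell process's address space."""
    if ev.kind != "process_create" or _name(ev.image) != "powershell.exe":
        return None
    if re.search(r"Reflection\.Assembly\]::Load|LoadLibrary", ev.cmdline, re.I):
        return "PowerShell bot (DLL loaded into PowerShell address space)"
    return None


def rule_lsass_read(ev):
    """Mimikatz / Grabber: credential theft needs VM_READ on lsass.exe from an unexpected image."""
    if ev.kind != "process_access" or _name(ev.target) != "lsass.exe":
        return None
    if ev.access & PROCESS_VM_READ and not ev.image.lower().startswith(SYSTEM_DIR):
        return "Mimikatz / Grabber (LSASS memory read)"
    return None


def rule_remote_thread(ev):
    """Jump to / New session: loader migration shows up as a thread created in another process."""
    if ev.kind == "remote_thread" and _name(ev.image) != _name(ev.target):
        return "Jump to (loader migrated into another process)"
    return None


def rule_cmd_from_odd_parent(ev):
    """Command Line: cmd.exe spawned by something other than the usual interactive/service parents."""
    if ev.kind == "process_create" and _name(ev.image) == "cmd.exe":
        if _name(ev.parent) not in TRUSTED_PARENTS:
            return "Command Line (cmd.exe from unusual parent)"
    return None


RULES = (rule_powershell_inmemory_dll, rule_lsass_read,
         rule_remote_thread, rule_cmd_from_odd_parent)


def detect(events):
    """Return (event index, rule name, mapped Lizar capability) for every hit."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            label = rule(ev)
            if label:
                hits.append((i, rule.__name__, label))
    return hits


# Constructed sample telemetry: four suspicious records followed by two benign ones.
SAMPLE_EVENTS = [
    Event("process_create", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Users\Public\loader.exe",
          cmdline="powershell.exe -nop -w hidden -c [System.Reflection.Assembly]::Load($b)"),
    Event("process_access", r"C:\Users\Public\loader.exe",
          target=r"C:\Windows\System32\lsass.exe", access=0x1010),
    Event("remote_thread", r"C:\Users\Public\loader.exe",
          target=r"C:\Windows\explorer.exe"),
    Event("process_create", r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Users\Public\loader.exe", cmdline="cmd.exe /c whoami"),
    Event("process_access", r"C:\Windows\System32\csrss.exe",
          target=r"C:\Windows\System32\lsass.exe", access=0x1400),
    Event("process_create", r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="cmd.exe"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Each rule keys on the behaviour a capability must produce on the endpoint rather than on any hash or path, which is the point of the mapping: the bot types and commands the researchers describe tell a defender which telemetry sources (PowerShell command lines, LSASS handle opens, cross-process thread creation, shell parent/child relationships) are worth collecting and alerting on.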
Meanwhile, experts have revealed that the Lizar server application is written on the .NET framework and runs on a remote Linux host. Encoded communications with the bot client are supported.
Researchers explained that data is encoded before it is sent to the server with a session key of between 5 and 15 bytes, followed by a 31-byte configuration key. If that configuration key does not match the server's key, the server returns no data.
Cybercriminals Posing as Security Researchers
Even for FIN7, it is impressively ironic to pose as a security outfit while contributing to insecurity. In the past, researchers found the threat actor advertising Carbanak as a cybersecurity tool designed and developed by stalwarts of that same field.
Earlier this year, two distinct attacks targeting security researchers were carried out by a North Korean advanced persistent threat (APT) group named Zinc, which has links to the more infamous Lazarus APT.
Using Twitter and LinkedIn, as well as other platforms such as Discord and Telegram, the group ran social-engineering efforts in January to build trusted contacts with researchers while posing as reputable researchers interested in offensive security.
In particular, the attackers established contact by inviting researchers to collaborate on vulnerability research. They bolstered their legitimacy by publishing videos of exploits they had worked on, including a working exploit for a Windows Defender vulnerability that was exploited as part of the major SolarWinds attack.
Finally, after a lot of correspondence, the attackers sent the targeted researchers a Visual Studio project laced with malicious code, which could deploy a backdoor on their machines. Victims could also be infected via a malicious Twitter link.
According to Google TAG, the security researchers infected in these attacks were running fully patched and updated Windows 10 and Chrome browsers, which indicates that the attackers were using zero-day vulnerabilities in their campaign.
In April, Zinc used several of the same social-media tactics to create Twitter and LinkedIn pages for a phony organization named “SecuriElite,” which claimed to be an offensive security outfit operating in Turkey. The firm promised to provide pen tests, software security assessments and exploits, and was actively recruiting cybersecurity specialists through LinkedIn.
To read more, please check eScan Blog