Saturday, December 21, 2024

APT Hacker Group FIN7 Uses A Pentesting Tool to Infect Windows Machines

Published on


Cybercriminal groups posing as legitimate security companies and passing off their malware as a security-analysis or ethical-hacking tool is nothing new.

BI.ZONE's Cyber Threats Research Team has now found that the notorious FIN7 group is presenting itself as a legitimate security research organization and distributing its backdoor under the guise of a security-analysis tool.

FIN7 is also known to recruit people who do not realize that they are working for a criminal group.


FIN7 is not a new group: it has been attacking organizations since 2015, and its primary initial-access method is phishing with malware-laced attachments.

Once a phishing lure succeeds, the group moves through the victim's systems to steal data such as payment-card details, which it later sells.

Recently, the researchers observed FIN7 operators using a new backdoor named "Lizar," which appears to still be under active development and testing.

According to the analysts, the backdoor is already in active use and is being deployed widely to control infected computers.

The report also notes that most of the infected systems seen so far are Windows machines located in the United States.

Lizar Toolkit of FIN7

The Lizar toolkit consists of a loader and a set of plugins, each used for a different task.

Once a Windows machine has been compromised, the attackers deploy the toolkit; the loader and plugins together form the Lizar bot client, which communicates with a remote server.

After analysing the toolkit, the researchers identified three forms of the bot:

  • DLLs
  • EXEs
  • PowerShell scripts

When the operator triggers an action in the Lizar client application, the server sends the corresponding plugin to the loader on the infected machine, which executes it.

This modular architecture makes the toolkit easy to extend, and the researchers note that Lizar shows similarities to Carbanak.

Stages of The Plugins

A plugin's lifecycle has six stages:

  • In the Lizar client application, the operator selects a command.
  • Information about the selected command is sent to the Lizar server.
  • The Lizar server looks up the appropriate plugin in its plugins directory and sends it to the loader.
  • The loader executes the plugin and stores the plugin's execution report in a specially allocated area of heap memory.
  • The Lizar server retrieves the execution report and forwards it to the client.
  • The client application displays the plugin's results.

Bot commands

  • Command Line – get a CMD shell on the infected system.
  • Executer – launch an additional module.
  • Grabber – run one of the plugins that collect passwords from browsers, Remote Desktop Protocol clients, and Windows itself.
  • Info – retrieve information about the system.
  • Jump to – migrate the loader to another process.
  • Kill – stop a plugin.
  • List Processes – get a list of processes.
  • Mimikatz – run Mimikatz.
  • Network analysis – run one of the plugins that retrieve Active Directory and network information.
  • New session – create another loader session (run a copy of the loader on the infected system).
  • Rat – run Carbanak.
  • Screenshot – take a screenshot.
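The "Jump to", "Grabber" and "Mimikatz" commands above map to host behaviour that endpoint telemetry can catch even when the loader binary changes. The script below is an added example, not code from BI.ZONE or from the Lizar toolkit. The page does not say how Lizar migrates between processes or harvests credentials, so the example assumes the common mechanisms: a remote thread created in another process, which Sysmon logs as Event ID 8, and LSASS opened with memory-read rights, which Sysmon logs as Event ID 10. The events, the loader path and the allowlist of legitimate LSASS readers are all constructed for the example and should be tuned per environment.

```python
"""Behavioural detection for two Lizar capabilities: process migration
("Jump to") and credential theft ("Grabber"/"Mimikatz").

Added example; not BI.ZONE's or the toolkit's code. Assumes the common
mechanisms (remote-thread injection -> Sysmon EID 8; LSASS memory read ->
Sysmon EID 10). Event records are constructed to mimic Sysmon fields and
are not real telemetry.
"""
from dataclasses import dataclass

# GrantedAccess bits (Sysmon EID 10) that allow reading or writing process memory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_ACCESS_MASK = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Assumed allowlist of processes that legitimately open LSASS; tune per estate.
LSASS_READERS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


@dataclass
class Alert:
    technique: str   # MITRE ATT&CK technique ID
    event_id: int
    source: str
    target: str
    reason: str


def _norm(path):
    """Lower-case the image path so comparisons are case-insensitive."""
    return path.strip().lower()


def detect_injection(evt):
    """EID 8 (CreateRemoteThread): a thread started inside a different process."""
    if evt.get("EventID") != 8:
        return None
    src, tgt = _norm(evt["SourceImage"]), _norm(evt["TargetImage"])
    if src == tgt:
        return None  # threads created in the same image are routine
    return Alert("T1055", 8, src, tgt, "remote thread created in foreign process")


def detect_lsass_access(evt):
    """EID 10 (ProcessAccess): LSASS opened with memory-access rights."""
    if evt.get("EventID") != 10:
        return None
    tgt = _norm(evt["TargetImage"])
    if not tgt.endswith(r"\lsass.exe"):
        return None
    src = _norm(evt["SourceImage"])
    if src in LSASS_READERS_ALLOWLIST:
        return None
    granted = int(evt["GrantedAccess"], 16)
    if granted & MEMORY_ACCESS_MASK:
        return Alert("T1003.001", 10, src, tgt, f"lsass opened with 0x{granted:x}")
    return None  # query-only access (e.g. 0x1000) is not a dumping pattern


RULES = (detect_injection, detect_lsass_access)


def scan(events):
    """Run every rule over every event; return the alerts in event order."""
    alerts = []
    for evt in events:
        for rule in RULES:
            alert = rule(evt)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry); loader path is hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\loader.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\loader.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.technique}] EID {a.event_id}: {a.source} -> {a.target} ({a.reason})")
```

Only the two loader events fire: the same-image thread, the query-only LSASS open and the allowlisted csrss open are filtered out. In production the allowlist should be keyed on signed, known-good images rather than on path alone, since a loader can be dropped under any name.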

The researchers conclude that Lizar is a diverse and complex toolkit that defenders need to be aware of: although it is still under active development, it is already widely used to infect Windows systems.

So far the new FIN7 backdoor has mostly targeted systems in the United States, but the researchers see this as only the beginning and expect Lizar-enabled attacks to be reported globally before long.

Antimalware vendors and security teams are advised to add the following IoCs to their detection rules and signatures to protect their customers from this attack.

IoC

IP:

108.61.148.97
136.244.81.250
185.33.84.43
195.123.214.181
31.192.108.133
45.133.203.121

SHA256:
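One way to put the IP indicators above to use, as an added example that is not BI.ZONE's code: match them against firewall and proxy log lines and emit a Suricata rule covering the whole set. The indicator addresses are the six listed on the page; the log lines are constructed for the example and are not real traffic, and the rule's `msg` text and `sid` (chosen from the local-rule range) are assumptions. Addresses are parsed with `ipaddress` rather than compared as strings, so a longer digit run such as `1108.61.148.97` cannot produce a false hit.

```python
"""Match the published Lizar C2 IP indicators against log lines and emit a
Suricata rule for them.

Added example, not BI.ZONE's code. Indicator IPs are those listed on the
page; the log lines below are constructed and are not real traffic.
"""
import ipaddress
import re

LIZAR_C2_IPS = frozenset(ipaddress.ip_address(s) for s in (
    "108.61.148.97", "136.244.81.250", "185.33.84.43",
    "195.123.214.181", "31.192.108.133", "45.133.203.121",
))

# Dotted quad bounded on both sides so that longer digit runs do not yield
# partial matches (e.g. "1108.61.148.97" must not match 108.61.148.97).
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_ips(line):
    """All syntactically valid IPv4 addresses in a line; bad octets are skipped."""
    found = []
    for token in _IPV4.findall(line):
        try:
            found.append(ipaddress.IPv4Address(token))
        except ValueError:
            continue
    return found


def match_line(line, iocs=LIZAR_C2_IPS):
    """Indicator addresses present in this line, as sorted strings."""
    return sorted(str(ip) for ip in extract_ips(line) if ip in iocs)


def scan_log(lines, iocs=LIZAR_C2_IPS):
    """Return (line_number, matched_ips, line) for every line that hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        matched = match_line(line, iocs)
        if matched:
            hits.append((n, matched, line.rstrip()))
    return hits


def suricata_rule(iocs=LIZAR_C2_IPS, sid=1000001):
    """One bidirectional Suricata rule over the whole indicator set.
    The msg text and sid (local-rule range) are assumptions."""
    addrs = ",".join(str(ip) for ip in sorted(iocs))
    return (f"alert ip any any <> [{addrs}] any "
            f'(msg:"FIN7 Lizar C2 address (BI.ZONE IoC)"; sid:{sid}; rev:1;)')


# Constructed firewall/proxy lines (not real traffic); hosts 10.0.4.x are internal.
SAMPLE_LOG = """\
2024-05-10T10:01:12Z fw01 ACCEPT src=10.0.4.17 dst=185.33.84.43 dport=443 proto=tcp
2024-05-10T10:01:15Z fw01 ACCEPT src=10.0.4.17 dst=142.250.185.78 dport=443 proto=tcp
2024-05-10T10:02:40Z proxy01 10.0.4.22 CONNECT 45.133.203.121:8443 HTTP/1.1 200
2024-05-10T10:03:01Z fw01 DENY src=10.0.4.9 dst=1108.61.148.97 dport=80 proto=tcp
2024-05-10T10:03:30Z fw01 ACCEPT src=31.192.108.133 dst=10.0.4.40 dport=3389 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for n, matched, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(matched)}  <- {line}")
    print(suricata_rule())
```

Lines 1, 3 and 5 of the sample hit (an outbound HTTPS connection, a proxy CONNECT and an inbound RDP connection from an indicator address); line 4 does not, because `1108.61.148.97` is not an address. IP indicators age quickly, so pair this with the behavioural telemetry checks rather than relying on the address list alone.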

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
