APT Hacker Group FIN7 Uses A Pentesting Tool to Infect Windows Machines

In recent years cybercrime has become commonplace, and this is not the first time a cybercriminal group has posed as a legitimate security company and passed off its malware as a security-analysis or ethical-hacking tool.

Now, the BI.ZONE Cyber Threats Research Team has detected that the notorious FIN7 hacking group is disguising itself as a legitimate security research organization and presenting its backdoor as a security-analysis tool.

FIN7 generally employs people who are not aware that they are working for a criminal hacking group.

FIN7 is not a new hacking group; it has been attacking organizations since 2015, and its key method is malware-laced phishing attacks against a wide range of victims.

The motive behind these malware-laced phishing attacks is to infiltrate the victim's systems and steal key data such as bank card details, which can later be sold.

Recently, the researchers noticed that FIN7 threat actors are using a new backdoor named “Lizar”; however, they are still testing and investigating it.

The security analysts state that the backdoor is still active and is already widely used to control infected computers.

The report also confirmed that most of the infected systems are Windows-based and located in the United States.

Lizar Toolkit of FIN7

The new Lizar toolkit of the FIN7 group consists of a loader and several types of plugins, which together are used to perform different tasks.

Once a Windows machine has been compromised, the attackers run the toolkit, which connects the Lizar bot client to a remote server and lets them communicate with it.

After investigating the toolkit, the security analysts identified three kinds of bots:

  • DLLs
  • EXEs
  • PowerShell scripts

When the attacker performs a specified action in the Lizar client app, the plugins sent from the server to the loader are executed automatically.

Because the bot has a modular architecture, the Lizar toolkit is scalable, and the researchers also noted that it resembles Carbanak.

Stages of The Plugins

The plugin lifecycle consists of six stages:

  • The user selects a command in the interface of the Lizar client app.
  • Information about the selected command is received by the server operated by Lizar.
  • The Lizar server finds the suitable plugin in its plugins directory and sends it to the loader.
  • The loader executes the plugin and stores the plugin’s execution report in a specially allocated area of memory on the heap.
  • The Lizar server retrieves the plugin’s execution report and forwards it to the client.
  • Finally, the client app displays the plugin results.

Bot commands

  • Command Line – get CMD on the infected system.
  • Executer – launch an additional module.
  • Grabber – run one of the plugins that collect passwords from browsers, Remote Desktop Protocol, and the Windows OS.
  • Info – retrieve information about the system.
  • Jump to – migrate the loader to another process.
  • Kill – stop a plugin.
  • List Processes – get a list of processes.
  • Mimikatz – run Mimikatz.
  • Network analysis – run one of the plugins to retrieve Active Directory and network information.
  • New session – create another loader session (run a copy of the loader on the infected system).
  • Rat – run Carbanak.
  • Screenshot – take a screenshot.

The cybersecurity analysts concluded that, since Lizar is a diverse and complex toolkit, we have to stay aware of it. Although the toolkit is still under active development, it is already widely used to infect Windows-based systems.

So far this new FIN7 backdoor has mostly targeted systems in the United States, but the researchers have hinted that this is only the beginning.

They expect that we will soon hear about Lizar-enabled attacks not only in the United States but globally.

Researchers at antimalware firms and other security teams are advised to add the following IoCs to their rules and signatures to protect their customers from this attack.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
