Sunday, July 14, 2024

APT Hacker Group FIN7 Uses A Pentesting Tool to Infect Windows Machines

This is not the first time a cybercriminal group has posed as a legitimate security firm and passed off its malware as a security-analysis or ethical-hacking tool.

The BI.ZONE Cyber Threats Research Team has found that the notorious FIN7 group is doing exactly that: disguising itself as a legitimate security research organization and presenting its backdoor as a security-analysis tool.

FIN7 is also known to recruit people who do not realize they are working for a criminal operation.

FIN7 is not a new group. It has been attacking organizations since 2015, and its primary technique is malware-laced phishing against a wide range of victims.

The purpose of these phishing campaigns is to gain a foothold in the victim's environment and steal data such as payment card details, which the group later sells.

Recently, the researchers observed FIN7 using a new backdoor named "Lizar". The toolkit appears to still be under development, and the investigation into it is ongoing.

The analysts report that the backdoor is active and is already being used widely to control infected computers.

The report also notes that most of the infected systems are Windows machines located in the United States.

Lizar Toolkit of FIN7

The Lizar toolkit consists of a loader and a set of plugins, each of which performs a different task.

Once a Windows machine has been compromised, the attackers run the toolkit, which connects the Lizar bot client on the victim to a remote server.

The analysts identified three forms of the bot:

  • DLLs
  • EXEs
  • PowerShell scripts

When the attacker selects an action in the Lizar client application, the server sends the corresponding plugin to the loader, which executes it.

Because the bot is modular, the toolkit is easy to extend, and the researchers note that Lizar resembles FIN7's Carbanak backdoor.

Stages of the Plugin Lifecycle

The plugin lifecycle has six stages:

  • The operator selects a command in the Lizar client application.
  • Information about the selected command is sent to the Lizar server.
  • The server finds the appropriate plugin in its plugins directory and sends it to the loader.
  • The loader executes the plugin and stores the plugin's execution report in a specially allocated area of heap memory.
  • The Lizar server retrieves the execution report and forwards it to the client.
  • The client application displays the plugin's results.
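The six stages above as a runnable model. This is an added illustration, not Lizar's code or anything from the BI.ZONE report: the command names come from the bot-command list below, but the plugin bodies, the in-memory "heap" buffer and the message log are assumptions chosen only to make the data flow concrete. The design point it shows is the one that matters to a defender: the loader on the victim carries no capability of its own, each capability arrives from the server only when the operator asks for it, and the result sits in loader memory until the server collects it.

```python
"""Toy model of the Lizar client -> server -> loader -> plugin round trip.

Added illustration; plugin contents, buffer layout and log format are
assumptions. Two constructed plugins stand in for the real DLL/EXE/
PowerShell plugins so the example runs stand-alone and offline.
"""
import json
import platform
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PluginFn = Callable[[], dict]


# Stage 3 input: the server-side plugins directory (constructed sample).
def info_plugin() -> dict:
    return {"os": platform.system(), "machine": platform.machine()}


def list_processes_plugin() -> dict:
    return {"processes": ["explorer.exe", "svchost.exe"]}  # constructed sample


PLUGINS_DIRECTORY: Dict[str, PluginFn] = {
    "Info": info_plugin,
    "List Processes": list_processes_plugin,
}


@dataclass
class Loader:
    """Victim side. Has no capability of its own; runs what the server sends."""
    heap: List[bytes] = field(default_factory=list)  # stands in for the heap region

    def execute(self, plugin: PluginFn) -> int:
        report = json.dumps(plugin()).encode()
        self.heap.append(report)  # stage 4: report parked in loader memory
        return len(self.heap) - 1

    def read_report(self, slot: int) -> bytes:
        return self.heap[slot]  # stage 5: server pulls it back out


@dataclass
class Server:
    """Operator side. Holds the plugins directory and brokers each command."""
    loader: Loader

    def dispatch(self, command: str, log: List[str]) -> dict:
        log.append(f"2 client->server: command={command!r}")
        plugin = PLUGINS_DIRECTORY.get(command)
        if plugin is None:
            log.append("3 server: no plugin for command")
            return {"error": f"unknown command {command!r}"}
        log.append(f"3 server->loader: plugin={plugin.__name__}")
        slot = self.loader.execute(plugin)
        log.append(f"4 loader: plugin ran, report stored in heap slot {slot}")
        report = self.loader.read_report(slot)
        log.append(f"5 loader->server->client: {len(report)} bytes")
        return json.loads(report)


def run_command(command: str) -> Tuple[dict, List[str]]:
    """Full six-stage round trip for one operator command.

    Returns the plugin result and a log with one line per stage reached.
    """
    log = [f"1 client: operator selected {command!r}"]
    server = Server(Loader())
    result = server.dispatch(command, log)
    log.append(f"6 client: displayed {result}")
    return result, log


if __name__ == "__main__":
    for cmd in ("Info", "List Processes", "Mimikatz"):  # last one is not in the sample directory
        result, log = run_command(cmd)
        print("\n".join(log), end="\n\n")
```

Nothing in the loader references a capability by name; the only state it keeps is the buffer of reports. That is why a loader sample on its own tells an analyst little about what the operator actually did on the host, and why the plugin traffic and the memory of the loader process are where the evidence is.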

Bot commands

  • Command Line – get a command shell (cmd) on the infected system.
  • Executer – launch an additional module.
  • Grabber – run one of the plugins that collect passwords from browsers, Remote Desktop Protocol, and Windows itself.
  • Info – retrieve information about the system.
  • Jump to – migrate the loader into another process.
  • Kill – stop a running plugin.
  • List Processes – get a list of running processes.
  • Mimikatz – run Mimikatz.
  • Network analysis – run one of the plugins that retrieve Active Directory and network information.
  • New session – create another loader session (run a second copy of the loader on the infected system).
  • Rat – run Carbanak.
  • Screenshot – take a screenshot.

The analysts conclude that Lizar is a diverse and complex toolkit that defenders need to keep an eye on. Although it is still under active development, it is already being used widely to infect Windows systems.

So far this new FIN7 backdoor has mostly targeted systems in the United States, but the researchers suggest that this is only the beginning.

They expect Lizar-enabled attacks to be reported more widely, beyond the United States, in the near future.

Antimalware vendors and other security teams are advised to add the indicators of compromise (IoCs) published in the BI.ZONE report to their rules and signatures to protect their customers from this attack.







BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
