APT Hacker Group FIN7 Uses A Pentesting Tool to Infect Windows Machines

APT Hacker Group FIN7 Uses A Pentesting Tool to Infect Windows Machines

In the recent era, cyber crimes are happening quite often, and this is not the first time that a cybercriminal group pretending to be a legitimate security group and have impersonated its malware as a security analysis tool or Ethical hacking Tool.

However, BI.ZONE Cyber Threats Research Team has detected that the notorious FIN7 hacking group is disguising itself to be a legitimate security research group or organization and presenting their backdoor as a security-analysis tool.

The FIN7 hacking groups generally employees people, those who are not aware that they are working for the hacking group in an illegitimate way.

FIN7 is not a new hacking group, it has been attacking different organizations since 2015, and the key method of this hacking group is that they use different malware-laced phishing attacks upon various victims.

The main motive of using malware-laced phishing attacks is that they can easily infiltrate the whole system to steal key data like bank card details so that they can later sell them.

Recently, the researchers noticed that the threat actors of FIN7 are using a new type of backdoor, named “Lizar,” however, they are still testing and investigating the whole matter.

The security analysts have claimed that the backdoor is still active and it has already been widely used to control all the infected computers. 

Apart from all these things, the report also confirmed that most of the infected computer systems are Windows-based and belongs to the United States.

Lizar Toolkit of FIN7

The new Lizar toolkit of the FIN7 group contains several types of plugins and a loader, while all these are used to perform different types of tasks.

On the successful attack on the infected Windows machines, the attackers perform the toolkit which in turn simply allows them to connect the Lizar bot client and communicate with a remote server.

After investigating the toolkit the security analysts have detected three kinds of bots:-

  • DLLs
  • EXEs
  • PowerShell scripts

Moreover, when a specified action is performed by the attackers in the Lizar client app, it automatically executes the plugins that are sent from the server to the loader.

Since the bot offers a modular architecture, the Lizar toolkit becomes scalable, and the researchers also claimed that this Lizar toolkit is similar to the Carbanak.

Stages of The Plugins

In total there are six stages of the plugins’ lifecycle, and here they are mentioned below:-

  • In the interface of the Lizar client app, the user selects a command.
  • The information about the selected command only received by the server operated by Lizar.
  • From the plugins directory, the Lizar server finds the suitable plugin to sends it to the loader.
  • After that, the loader executes the plugin and reserves the plugin’s execution report in a specifically allocated area of memory on the heap.
  • Now the plugin’s execution report is retrieved by the server operated by Lizar to send them on to the client.
  • At last, the client app shows the plugin results.

Bot commands

  • Command Line – get CMD on the infected system.
  • Executer – launch an additional module.
  • Grabber – run one of the plugins that collect passwords in browsers, Remote Desktop Protocol, and Windows OS.
  • Info – retrieve information about the system.
  • Jump to – migrate the loader to another process.
  • Kill – stop plugin.
  • List Processes – get a list of processes.
  • Mimikatz – run Mimikatz.
  • Network analysis – run one of the plugins to retrieve Active Directory and network information.
  • New session – create another loader session (run a copy of the loader on the infected system).
  • Rat – run Carbanak.
  • Screenshot – take a screenshot.

The cybersecurity analysts have concluded that since the Lizar is a diverse and complicated toolkit we have to stay aware of it. Though this flaw is still under active development, but it’s already widely used to infect Windows-based systems.

While this new backdoor of the FIN7 group has mostly targeted the systems from the United States. So, the researchers have hinted that it’s not the end, as it’s the beginning. 

They have concluded that soon in recent time we will hear more about the Lizar-enabled attacks not from the United States only but also globally.

Researchers from antimalware firms and other security teams are recommended to add the following IoC to your rules and signatures to prevent your customer from this attack.

IP:

108.61.148.97
136.244.81.250
185.33.84.43
195.123.214.181
31.192.108.133
45.133.203.121

SHA256:

166b0c5e49c44f87886ecaad46e60b496b6b7512d1c57db41d9cf752fada95c8
188d76c31fa7f500799762237508203bdd1927ec4d5232cc189d46bc76b7a30d
1e5514e8f95dcf6dd7289acef6f6b88c460105660cb0c5b86ec7b854f70ee857
21850bb5d8df021e850e740c1899353f40af72f119f2cd71ad234e91c2ccb772
3b63eb184bea5b6515697ae3f13a57365f04e6a3309c79b18773291e62a64fcb
4d933b6b60a097ad5ce5876a66c569e6f46707b934ebd3c442432711af195124
515b94290111b7be80e001bfa2335d2f494937c8619cfdaafb2077d9d6af06fe
61cfe83259640df9f19df2be4b67bb1c6e5816ac52b8a5a02ee8b79bde4b2b70
fbd2d816147112bd408e26b1300775bbaa482342f9b33924d93fd71a5c312cce
a3b3f56a61c6dc8ba2aa25bdd9bd7dc2c5a4602c2670431c5cbc59a76e2b4c54
e908f99c6753a56440127e54ce990adbc5128d10edc11622d548ddd67e6662ac
7d48362091d710935726ab4d32bf594b363683e8335f1ee70ae2ae81f4ee36ca
e894dedb4658e006c8a85f02fa5bbab7ecd234331b92be41ab708fa22a246e25
b8691a33aa99af0f0c1a86321b70437efcf358ace1cf3f91e4cb8793228d1a62
bd1e5ea9556cb6cba9a509eab8442bf37ca40006c0894c5a98ce77f6d84b03c7
98fbccd9c2e925d2f7b8bcfa247790a681497dfb9f7f8745c0327c43db10952f
552c00bb5fd5f10b105ca247b0a78082bd6a63e2bab590040788e52634f96d11
21db55edc9df9e096fc994972498cbd9da128f8f3959a462d04091634a569a96

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Source: GBHackers

Leave a Reply