S0681 Lizar
Lizar is a modular remote access tool written using the .NET Framework that shares structural similarities to Carbanak. It has likely been used by FIN7 since at least February 2021.143
| Item | Value |
|---|---|
| ID | S0681 |
| Associated Names | Tirion, Icebot, DiceLoader |
| Type | MALWARE |
| Version | 2.0 |
| Created | 02 February 2022 |
| Last Modified | 03 October 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Software Descriptions
| Name | Description |
|---|---|
| Tirion | 13 |
| Icebot | 2 |
| DiceLoader | 2 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.003 | Email Account | Lizar can collect email accounts from Microsoft Outlook and Mozilla Thunderbird.1 |
| enterprise | T1560 | Archive Collected Data | Lizar has encrypted data before sending it to the server.1 |
| enterprise | T1217 | Browser Information Discovery | Lizar can retrieve browser history and database files.41 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Lizar has used PowerShell scripts.1 |
| enterprise | T1059.003 | Windows Command Shell | Lizar has a command to open the command-line on the infected system.41 |
| enterprise | T1059.006 | Python | Lizar has used Python scripts (ps2x.py script and ps2p.py) to execute files on remote hosts using the Impacket library.1 |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | Lizar has a module to collect usernames and passwords stored in browsers.1 |
| enterprise | T1555.004 | Windows Credential Manager | Lizar has a plugin that can retrieve credentials from Internet Explorer and Microsoft Edge using vaultcmd.exe and another that can collect RDP access credentials using the CredEnumerateW function.1 |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.002 | Non-Standard Encoding | Lizar has used a complex XOR operation to obfuscate C2 communications.5 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Lizar has decrypted its configuration data, such as the C2 IP address, ports and other network communication.15 |
| enterprise | T1573 | Encrypted Channel | Lizar can support encrypted communications between the client and server.412 |
| enterprise | T1105 | Ingress Tool Transfer | Lizar can download additional plugins, files, and tools.152 |
| enterprise | T1106 | Native API | Lizar has used various Windows API functions on a victim’s machine.1 |
| enterprise | T1095 | Non-Application Layer Protocol | Lizar has used a raw TCP connection to communicate with the C2 server.5 |
| enterprise | T1027 | Obfuscated Files or Information | Lizar has obfuscated the fingerprint of the victim system, the local IP address, and the Fowler-Noll-V 1 (FNV-1) hash of the local IP address using an XOR operation. The data is then sent to the C2 server.5 |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | FIN7 has obtained and used tools such as Impacket, Mimikatz, and PsExec.1 |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | Lizar can run Mimikatz to harvest credentials.41 |
| enterprise | T1057 | Process Discovery | Lizar has a plugin designed to obtain a list of processes.41 |
| enterprise | T1055 | Process Injection | Lizar can migrate the loader into another process.1 |
| enterprise | T1055.001 | Dynamic-link Library Injection | Lizar has used the PowerKatz plugin that can be loaded into the address space of a PowerShell process through reflective DLL loading.1 |
| enterprise | T1055.002 | Portable Executable Injection | Lizar can execute PE files in the address space of the specified process.1 |
| enterprise | T1620 | Reflective Code Loading | Lizar has used the Reflective DLL injection module from Github to inject itself into a process’s memory.5 |
| enterprise | T1113 | Screen Capture | Lizar can take JPEG screenshots of an infected system.41 Lizar has also used a plugin to take a screenshot of the infected system.1 |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Lizar can search for processes associated with an anti-virus product from list.1 |
| enterprise | T1082 | System Information Discovery | Lizar can collect the computer name from the machine.15 |
| enterprise | T1016 | System Network Configuration Discovery | Lizar has retrieved network information from a compromised host, such as the MAC address.15 |
| enterprise | T1049 | System Network Connections Discovery | Lizar has a plugin to retrieve information about all active network sessions on the infected server.1 |
| enterprise | T1033 | System Owner/User Discovery | Lizar can collect the username from the system.15 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0046 | FIN7 | 43 |
References
-
BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Cocomazzi, Antonio. (2024, July 17). FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks. Retrieved September 24, 2025. ↩↩↩↩
-
Gemini Advisory. (2021, October 21). FIN7 Recruits Talent For Push Into Ransomware. Retrieved February 2, 2022. ↩↩↩
-
Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022. ↩↩↩↩↩↩↩↩
-
Bourhis, P., Sekoia TDR. (2024, February 1). Unveiling the intricacies of DiceLoader. Retrieved May 14, 2025. ↩↩↩↩↩↩↩↩↩