Skip to content

S0681 Lizar

Lizar is a modular remote access tool written using the .NET Framework that shares structural similarities to Carbanak. It has likely been used by FIN7 since at least February 2021.132

Item Value
ID S0681
Associated Names Tirion
Version 1.0
Created 02 February 2022
Last Modified 15 April 2022
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Tirion 12

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.003 Email Account Lizar can collect email accounts from Microsoft Outlook and Mozilla Thunderbird.1
enterprise T1560 Archive Collected Data Lizar has encrypted data before sending it to the server.1
enterprise T1217 Browser Information Discovery Lizar can retrieve browser history and database files.31
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Lizar has used PowerShell scripts.1
enterprise T1059.003 Windows Command Shell Lizar has a command to open the command-line on the infected system.31
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers Lizar has a module to collect usernames and passwords stored in browsers.1
enterprise T1555.004 Windows Credential Manager Lizar has a plugin that can retrieve credentials from Internet Explorer and Microsoft Edge using vaultcmd.exe and another that can collect RDP access credentials using the CredEnumerateW function.1
enterprise T1140 Deobfuscate/Decode Files or Information Lizar can decrypt its configuration data.1
enterprise T1573 Encrypted Channel Lizar can support encrypted communications between the client and server.31
enterprise T1105 Ingress Tool Transfer Lizar can download additional plugins, files, and tools.1
enterprise T1106 Native API Lizar has used various Windows API functions on a victim’s machine.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Lizar can run Mimikatz to harvest credentials.31
enterprise T1057 Process Discovery Lizar has a plugin designed to obtain a list of processes.31
enterprise T1055 Process Injection Lizar can migrate the loader into another process.1
enterprise T1055.001 Dynamic-link Library Injection Lizar has used the PowerKatz plugin that can be loaded into the address space of a PowerShell process through reflective DLL loading.1
enterprise T1055.002 Portable Executable Injection Lizar can execute PE files in the address space of the specified process.1
enterprise T1113 Screen Capture Lizar can take JPEG screenshots of an infected system.31
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Lizar can search for processes associated with an anti-virus product from list.1
enterprise T1082 System Information Discovery Lizar can collect the computer name from the machine,.1
enterprise T1016 System Network Configuration Discovery Lizar can retrieve network information from a compromised host.1
enterprise T1049 System Network Connections Discovery Lizar has a plugin to retrieve information about all active network sessions on the infected server.1
enterprise T1033 System Owner/User Discovery Lizar can collect the username from the system.1

Groups That Use This Software

ID Name References
G0046 FIN7 32