S0681 Lizar
Lizar is a modular remote access tool written using the .NET Framework that shares structural similarities to Carbanak. It has likely been used by FIN7 since at least February 2021.[1][3][2]
Item | Value |
---|---|
ID | S0681 |
Associated Names | Tirion |
Type | MALWARE |
Version | 1.0 |
Created | 02 February 2022 |
Last Modified | 15 April 2022 |
Associated Software Descriptions
Name | Description |
---|---|
Tirion | [1][2] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.003 | Email Account | Lizar can collect email accounts from Microsoft Outlook and Mozilla Thunderbird.[1] |
enterprise | T1560 | Archive Collected Data | Lizar has encrypted data before sending it to the server.[1] |
enterprise | T1217 | Browser Information Discovery | Lizar can retrieve browser history and database files.[3][1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | Lizar has used PowerShell scripts.[1] |
enterprise | T1059.003 | Windows Command Shell | Lizar has a command to open the command line on the infected system.[3][1] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | Lizar has a module to collect usernames and passwords stored in browsers.[1] |
enterprise | T1555.004 | Windows Credential Manager | Lizar has a plugin that can retrieve credentials from Internet Explorer and Microsoft Edge using vaultcmd.exe, and another that can collect RDP access credentials using the CredEnumerateW function.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Lizar can decrypt its configuration data.[1] |
enterprise | T1573 | Encrypted Channel | Lizar can support encrypted communications between the client and server.[3][1] |
enterprise | T1105 | Ingress Tool Transfer | Lizar can download additional plugins, files, and tools.[1] |
enterprise | T1106 | Native API | Lizar has used various Windows API functions on a victim's machine.[1] |
enterprise | T1003 | OS Credential Dumping | - |
enterprise | T1003.001 | LSASS Memory | Lizar can run Mimikatz to harvest credentials.[3][1] |
enterprise | T1057 | Process Discovery | Lizar has a plugin designed to obtain a list of processes.[3][1] |
enterprise | T1055 | Process Injection | Lizar can migrate the loader into another process.[1] |
enterprise | T1055.001 | Dynamic-link Library Injection | Lizar has used the PowerKatz plugin, which can be loaded into the address space of a PowerShell process through reflective DLL loading.[1] |
enterprise | T1055.002 | Portable Executable Injection | Lizar can execute PE files in the address space of a specified process.[1] |
enterprise | T1113 | Screen Capture | Lizar can take JPEG screenshots of an infected system.[3][1] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | Lizar can search for processes associated with an anti-virus product from a list.[1] |
enterprise | T1082 | System Information Discovery | Lizar can collect the computer name from the machine.[1] |
enterprise | T1016 | System Network Configuration Discovery | Lizar can retrieve network information from a compromised host.[1] |
enterprise | T1049 | System Network Connections Discovery | Lizar has a plugin to retrieve information about all active network sessions on the infected server.[1] |
enterprise | T1033 | System Owner/User Discovery | Lizar can collect the username from the system.[1] |
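Several rows above describe behaviours that surface in process-creation telemetry: vaultcmd.exe used to pull Credential Manager entries (T1555.004), Mimikatz run for LSASS credentials (T1003.001), PowerShell used to stage code in memory (T1059.001), and a command shell opened on the host (T1059.003). The script below is an added example written for this page, not code from ATT&CK, BI.ZONE, or any Lizar sample. It runs a small set of rules keyed to those technique IDs over constructed Sysmon-style process-creation events. The event fields, command lines, and the "parent in a user-writable path" heuristic are assumptions chosen to illustrate the detection logic; tune them to your own telemetry.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
# Rule = (ATT&CK technique ID, short description, predicate over one event)
Rule = Tuple[str, str, Callable[[Event], bool]]

# Constructed process-creation events (Sysmon Event ID 1 style, trimmed).
# These are NOT real Lizar telemetry; they are made up to exercise the rules.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\vaultcmd.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "CommandLine": 'vaultcmd /listcreds:"Web Credentials" /all'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "CommandLine": "powershell -nop -w hidden -c [System.Reflection.Assembly]::Load($b)"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c dir"},
    {"Image": r"C:\Windows\System32\vaultcmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vaultcmd /list"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "CommandLine": "powershell -c Invoke-Mimikatz -Command sekurlsa::logonpasswords"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "CommandLine": "cmd.exe"},
]


def _image_name(event: Event) -> str:
    """Return the lower-cased file name of the created process."""
    return event.get("Image", "").rsplit("\\", 1)[-1].lower()


def _parent_in_user_writable(event: Event) -> bool:
    """Heuristic (assumption): a parent living under a user-writable path is
    more likely a dropped loader than a legitimate interactive shell."""
    parent = event.get("ParentImage", "").lower()
    return any(marker in parent for marker in ("\\appdata\\", "\\temp\\", "\\users\\public\\"))


def _cmdline(event: Event) -> str:
    return event.get("CommandLine", "")


RULES: List[Rule] = [
    # T1555.004: vaultcmd.exe listing stored credentials (not just the vault names)
    ("T1555.004", "vaultcmd credential listing",
     lambda e: _image_name(e) == "vaultcmd.exe" and "/listcreds" in _cmdline(e).lower()),
    # T1003.001: Mimikatz or its sekurlsa module named on any command line
    ("T1003.001", "mimikatz sekurlsa invocation",
     lambda e: re.search(r"sekurlsa::|mimikatz", _cmdline(e), re.I) is not None),
    # T1059.001: PowerShell loading a .NET assembly from memory via reflection
    ("T1059.001", "powershell in-memory assembly load",
     lambda e: _image_name(e) in ("powershell.exe", "pwsh.exe")
     and re.search(r"reflection\.assembly\]::load", _cmdline(e), re.I) is not None),
    # T1059.003: cmd.exe started by a process running from a user-writable path
    ("T1059.003", "cmd.exe spawned by process in user-writable path",
     lambda e: _image_name(e) == "cmd.exe" and _parent_in_user_writable(e)),
]


def scan(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Evaluate every rule against every event; return (index, technique, name) hits."""
    hits: List[Tuple[int, str, str]] = []
    for idx, event in enumerate(events):
        for technique_id, name, predicate in RULES:
            if predicate(event):
                hits.append((idx, technique_id, name))
    return hits


if __name__ == "__main__":
    for idx, technique_id, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {technique_id} {name}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Note what the rules deliberately leave alone: `vaultcmd /list` only enumerates vault names, and a cmd.exe launched from explorer.exe is ordinary user activity, so neither fires. Reflective DLL loading into an already-running PowerShell process (T1055.001) and CredEnumerateW calls do not appear in process-creation events at all; they need image-load, API, or memory-scanning telemetry rather than this kind of rule.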
Groups That Use This Software
ID | Name | References |
---|---|---|
G0046 | FIN7 | [3][2] |
References
1. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker's toolkit. Retrieved February 2, 2022.
2. Gemini Advisory. (2021, October 21). FIN7 Recruits Talent For Push Into Ransomware. Retrieved February 2, 2022.
3. Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022.