LilithBot is a new malware threat with an expansive set of threatening features that is being offered in a MaaS (Malware-as-a-Service) scheme. The threat is part of the hacker tools offered by a threat group tracked as Eternity (EternityTeam, Eternity Project). The cybercriminals have been active since at least January 2022 and have been linked to the Russian 'Jester Group.' Details about LilithBot and its developers have been revealed to the public in a report by cybersecurity researchers.
According to their findings, LilithBot is being offered to potential cybercriminal clients through a dedicated Telegram group and can be purchased by following a link leading to a website hosted on the Tor network. The site acts as a homepage for the Eternity hackers' products, with the most expensive tool being a ransomware threat.
When it comes to LilithBot, the threat is a sophisticated malware that combines the functionality of a botnet with that of a crypto-miner, clipper and stealer. Infosec researchers note that LilithBot has gone through several iterations during its development process, with commands present in earlier versions being removed in later releases. However, the researchers warn that the threat actors may still perform the removed functions, but in a stealthier way.
When activated on the infected system, the threat will first register itself as a bot. Next, LilithBot will decrypt itself to drop its configuration file on the device. The malware uses its own decrypting mechanism in an attempt to prevent being decrypted manually. The stealer component of the threat gathers information that includes browser history, cookies, and personal data, such as pictures. The obtained files are added to a ZIP archive before being sent to the Command-and-Control (C2, C&C) server of the operation.
LilithBot utilizes fake certificates to increase its chances of remaining undetected. However, the identified certificates appear to be issued by 'Microsoft Code Signing PCA 2011' but lack the proper verification and countersignature.