Sometimes the authors of a piece of malware are not the threat actors who deploy it. Software developers often take an interest in malware too and end up writing some themselves, usually as a hobby project or an educational tool. This is all well and good until they decide to make it public, or go even further and release the full source code of their creation. That is an ideal scenario for cybercriminals, because obtaining new hacking tools is usually difficult and/or costly.
Having a new hacking utility served to them on a silver platter, for free, is something every cybercriminal dreams of. If they are technically literate enough, they can even modify the threat and weaponize it further.
It would appear that this is exactly what happened with the Lilith RAT. What seems to have started as a fun project by, in theory, a well-meaning individual quickly spiraled out of control once the threat's source code was published. The creator of the Lilith RAT attached a disclaimer stating that the tool is not to be used for harmful purposes and should only serve as an educational tool.
Lilith RAT's authors claim that their product is as lightweight as it can get and, to be fair, the claim holds up. There is no Graphical User Interface (GUI); the operator controls the Lilith RAT from a command line. Furthermore, the core module of the Lilith RAT is minimal, but it is important to mention that its functionality can be extended greatly thanks to its modular structure. The most worrisome part is that attackers do not even need purpose-built modules: they can use the Lilith RAT's ability to execute arbitrary PowerShell code to drop third-party keyloggers, info stealers, and similar hacking tools on the compromised host. The Lilith RAT can also gain persistence by manipulating the Windows Registry.
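A RAT that persists through the Registry and launches payloads via PowerShell usually leaves traces in the standard autostart keys. The script below is an added example written for this page, not code from the Lilith RAT project or its author; the page does not name the exact Registry value the RAT writes, so the four autorun keys and the suspicious-pattern list are assumptions based on common Windows autostart locations and typical script-dropper command lines, not on the RAT's source.

```powershell
# Added example: enumerate common autostart Registry locations and flag
# entries that launch PowerShell or script-style droppers.
# Assumption: these are the standard Windows Run/RunOnce keys; the page does
# not state which key Lilith RAT actually modifies.
$AutorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed indicators of a script-based loader rather than a normal application.
# -match is case-insensitive by default in PowerShell.
$SuspiciousPatterns = @(
    'powershell(\.exe)?\s',             # any PowerShell invocation from an autorun value
    '-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}',  # Base64-encoded command line
    '-w(indowstyle)?\s+hidden',         # hidden window, typical of droppers
    'iex\s|Invoke-Expression',          # in-memory execution of fetched code
    'DownloadString|DownloadFile|Invoke-WebRequest',  # second-stage download
    '\\AppData\\|\\Temp\\'              # binaries launched from user-writable paths
)

# Properties that Get-ItemProperty adds for provider bookkeeping, not autorun values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SuspiciousAutorun {
    foreach ($Key in $AutorunKeys) {
        if (-not (Test-Path -Path $Key)) { continue }
        $Item = Get-ItemProperty -Path $Key
        foreach ($Prop in $Item.PSObject.Properties) {
            if ($Prop.Name -in $ProviderProps) { continue }
            $Command = [string]$Prop.Value
            foreach ($Pattern in $SuspiciousPatterns) {
                if ($Command -match $Pattern) {
                    [pscustomobject]@{
                        Key     = $Key
                        Name    = $Prop.Name
                        Command = $Command
                        Reason  = $Pattern
                    }
                    break   # one hit per value is enough to report it
                }
            }
        }
    }
}

# Run it; review anything listed before removing it, since legitimate software
# can also start from these keys.
Get-SuspiciousAutorun | Format-Table -AutoSize -Wrap
```

Run this from an elevated prompt so the HKLM keys are readable. Treat every hit as a lead rather than a verdict: confirm the referenced file on disk, check its signature and creation time, and only then remove the value, because a persistent RAT that loses its autorun entry is still running until the process itself is terminated.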
The authors of the Lilith RAT have not updated their creation in about two years, which has led some malware researchers to believe that the project has been abandoned. That does not make it any less dangerous, though, because, as already mentioned, the source code is publicly available and cybercriminals can modify and update it themselves.