
Lizar Backdoor

A complex phishing operation is delivering a new, sophisticated backdoor threat called Lizar. The campaign is believed to be carried out by the financially motivated FIN7 cybercriminal group. The hackers pose as a legitimate organization offering a Windows penetration testing tool aimed at ethical hackers. Instead, the targeted victims are infected with the Lizar malware, which gives the threat actor control over the compromised computer and the ability to move laterally inside the organization's network. According to the findings of the BI.ZONE Cyber Threats Research Team, the FIN7 hackers have gone to extensive lengths to appear legitimate, even hiring employees who are kept in the dark about the fact that they are being used to promote and deliver a real malware threat.

The Lizar Backdoor's Functionality

The main functionality of the Lizar Backdoor is the exfiltration of data from the infected computers and spreading itself to other devices connected to the victim's internal network. The malware shows signs of being under active development and still undergoing testing. Even at this stage, the Lizar Backdoor is potent enough to have been deployed in multiple attacks against targets located in several countries. Most of the victims were from the U.S. and included educational institutions, pharmaceutical companies, and a gambling organization. The Lizar Backdoor also has been leveraged against an IT company headquartered in Germany and a financial organization from Panama. 

The Lizar Backdoor's Structure

Structurally, the Lizar Backdoor appears to be based on the Carbanak RAT, FIN7's most commonly deployed threatening tool. Lizar consists of a loader segment and numerous plugins, each responsible for a different task. All of the components that run on the compromised machine can be combined into a bot client that handles communication with the remote server. The modular structure of the malware allows the operators to scale and mold it according to their particular needs, as each plugin can be developed separately. So far, three types of client bots have been observed: DLL, EXE, and PowerShell scripts that execute a DLL in the address space of the PowerShell process. The remote server for the threat was created using the .NET framework and runs on a remote Linux host.
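The PowerShell client bot described above loads a DLL into the PowerShell process itself, which is visible to endpoint telemetry as an image-load event. The following detection sketch is an added example, not code from the original page or from BI.ZONE: it scans constructed, Sysmon-style Event ID 7 (ImageLoad) lines (field names simplified and assumed) and flags unsigned DLLs that powershell.exe loads from user-writable locations.

```python
import re
from typing import Iterable

# Constructed sample events in a simplified Sysmon Event ID 7 (ImageLoad) layout.
# Paths are placeholders, not real Lizar indicators.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true",
    "EventID=7 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\client.dll Signed=false",
    "EventID=7 Image=C:\\Program Files\\App\\app.exe ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll Signed=false",
    "EventID=7 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ImageLoaded=C:\\ProgramData\\updater\\core.dll Signed=false",
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell.exe -nop",
]

# Directories a standard user can write to; a DLL loaded from here by PowerShell is unusual.
SUSPECT_DIRS = (r"\appdata\local\temp", r"\users\public", r"\programdata", r"\downloads")

# key=value pairs; the lazy match lets values contain spaces (e.g. "Program Files").
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Split one flattened event line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def is_powershell(image: str) -> bool:
    """True when the loading process is a PowerShell host (case-insensitive)."""
    return image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")


def loaded_from_user_writable(path: str) -> bool:
    """True when the DLL path sits under one of the user-writable directories."""
    lowered = path.lower()
    return any(d in lowered for d in SUSPECT_DIRS)


def find_suspicious_loads(lines: Iterable[str]) -> list:
    """Return image-load events where PowerShell loaded an unsigned DLL from a suspect directory."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7" or not is_powershell(ev.get("Image", "")):
            continue
        dll = ev.get("ImageLoaded", "")
        if ev.get("Signed", "").lower() == "false" and loaded_from_user_writable(dll):
            hits.append({"image": ev["Image"], "dll": dll})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_loads(SAMPLE_EVENTS):
        print("suspicious image load:", hit["dll"])
```

Legitimate tooling does occasionally load unsigned DLLs from these paths, so treat a hit as a triage lead and pair it with the process's command line and network activity rather than alerting on it alone.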

The Lizar Backdoor plugins can perform a wide range of harmful actions, including the delivery and execution of additional malware payloads such as Mimikatz or the Carbanak RAT. Furthermore, the threat actor can access and exfiltrate information, take arbitrary screenshots, harvest credentials, collect browser histories and more. Before any data is delivered to the remote server, it is encrypted with a session key between 5 and 15 bytes long and then again with a key found in the configuration. If the specified key doesn't match the one on the server, no data will be transferred.
