Lizar

Lizar is a modular remote access tool written using the .NET Framework that shares structural similarities with Carbanak. It has likely been used by FIN7 since at least February 2021.[1][2][3]

ID: S0681
Associated Software: Tirion
Type: MALWARE
Platforms: Windows
Contributors: Sittikorn Sangrattanapitak
Version: 1.0
Created: 02 February 2022
Last Modified: 15 April 2022

Associated Software Descriptions

Name Description
Tirion [1][3]

Techniques Used

Domain ID Name Use
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Lizar has a module to collect usernames and passwords stored in browsers.[1]

Enterprise T1555 .004 Credentials from Password Stores: Windows Credential Manager

Lizar has a plugin that can retrieve credentials from Internet Explorer and Microsoft Edge using vaultcmd.exe and another that can collect RDP access credentials using the CredEnumerateW function.[1]

Enterprise T1573 Encrypted Channel

Lizar can support encrypted communications between the client and server.[2][1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Lizar can decrypt its configuration data.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Lizar has used PowerShell scripts.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Lizar has a command to open the command-line on the infected system.[2][1]

Enterprise T1113 Screen Capture

Lizar can take JPEG screenshots of an infected system.[2][1]

Enterprise T1560 Archive Collected Data

Lizar has encrypted data before sending it to the server.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Lizar can run Mimikatz to harvest credentials.[2][1]

Enterprise T1106 Native API

Lizar has used various Windows API functions on a victim's machine.[1]

Enterprise T1217 Browser Information Discovery

Lizar can retrieve browser history and database files.[2][1]

Enterprise T1082 System Information Discovery

Lizar can collect the computer name from the machine.[1]

Enterprise T1033 System Owner/User Discovery

Lizar can collect the username from the system.[1]

Enterprise T1049 System Network Connections Discovery

Lizar has a plugin to retrieve information about all active network sessions on the infected server.[1]

Enterprise T1016 System Network Configuration Discovery

Lizar can retrieve network information from a compromised host.[1]

Enterprise T1087 .003 Account Discovery: Email Account

Lizar can collect email accounts from Microsoft Outlook and Mozilla Thunderbird.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Lizar can search for processes associated with an anti-virus product from a list.[1]

Enterprise T1105 Ingress Tool Transfer

Lizar can download additional plugins, files, and tools.[1]

Enterprise T1057 Process Discovery

Lizar has a plugin designed to obtain a list of processes.[2][1]

Enterprise T1055 Process Injection

Lizar can migrate the loader into another process.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Lizar has used the PowerKatz plugin that can be loaded into the address space of a PowerShell process through reflective DLL loading.[1]

Enterprise T1055 .002 Process Injection: Portable Executable Injection

Lizar can execute PE files in the address space of the specified process.[1]

Groups That Use This Software

ID Name References
G0046 FIN7 [2][3]

References