1. Home
  2. Software
  3. Lizar

Lizar

Lizar is a modular remote access tool written using the .NET Framework that shares structural similarities to Carbanak. It has likely been used by FIN7 since at least February 2021.[1][2][3]

ID: S0681
Associated Software: Tirion
Type: MALWARE
Platforms: Windows
Contributors: Sittikorn Sangrattanapitak
Version: 1.0
Created: 02 February 2022
Last Modified: 15 April 2022
Version Permalink

Associated Software Descriptions

Name Description
Tirion

[1][3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1087 .003 Account Discovery: Email Account

Lizar can collect email accounts from Microsoft Outlook and Mozilla Thunderbird.[1]

Enterprise T1560 Archive Collected Data

Lizar has encrypted data before sending it to the server.[1]
Enterprise T1217 Browser Information Discovery

Lizar can retrieve browser history and database files.[2][1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Lizar has used PowerShell scripts.[1]
.003 Command and Scripting Interpreter: Windows Command Shell

Lizar has a command to open the command-line on the infected system.[2][1]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Lizar has a module to collect usernames and passwords stored in browsers.[1]
.004 Credentials from Password Stores: Windows Credential Manager

Lizar has a plugin that can retrieve credentials from Internet Explorer and Microsoft Edge using vaultcmd.exe and another that can collect RDP access credentials using the CredEnumerateW function.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

Lizar can decrypt its configuration data.[1]
Enterprise T1573 Encrypted Channel

Lizar can support encrypted communications between the client and server.[2][1]
Enterprise T1105 Ingress Tool Transfer

Lizar can download additional plugins, files, and tools.[1]
Enterprise T1106 Native API

Lizar has used various Windows API functions on a victim's machine.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Lizar can run Mimikatz to harvest credentials.[2][1]

Enterprise T1057 Process Discovery

Lizar has a plugin designed to obtain a list of processes.[2][1]
Enterprise T1055 Process Injection

Lizar can migrate the loader into another process.[1]
.001 Dynamic-link Library Injection

Lizar has used the PowerKatz plugin that can be loaded into the address space of a PowerShell process through reflective DLL loading.[1]

.002 Portable Executable Injection

Lizar can execute PE files in the address space of the specified process.[1]

Enterprise T1113 Screen Capture

Lizar can take JPEG screenshots of an infected system.[2][1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Lizar can search for processes associated with an anti-virus product from list.[1]

Enterprise T1082 System Information Discovery

Lizar can collect the computer name from the machine,.[1]

Enterprise T1016 System Network Configuration Discovery

Lizar can retrieve network information from a compromised host.[1]
Enterprise T1049 System Network Connections Discovery

Lizar has a plugin to retrieve information about all active network sessions on the infected server.[1]
Enterprise T1033 System Owner/User Discovery

Lizar can collect the username from the system.[1]

Groups That Use This Software

ID Name References
G0046 FIN7

[2][3]

References

  1. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
  2. Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022.
  1. Gemini Advisory. (2021, October 21). FIN7 Recruits Talent For Push Into Ransomware. Retrieved February 2, 2022.