Lizar is a modular remote access tool written using the .NET Framework that shares structural similarities to Carbanak. It has likely been used by FIN7 since at least February 2021.[1][2][3]

ID: S0681
Associated Software: Tirion
Platforms: Windows
Contributors: Sittikorn Sangrattanapitak
Version: 1.0
Created: 02 February 2022
Last Modified: 15 April 2022

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1087 .003 Account Discovery: Email Account

Lizar can collect email accounts from Microsoft Outlook and Mozilla Thunderbird.[1]

Enterprise T1560 Archive Collected Data

Lizar has encrypted data before sending it to the server.[1]

Enterprise T1217 Browser Information Discovery

Lizar can retrieve browser history and database files.[2][1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Lizar has used PowerShell scripts.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

Lizar has a command to open the command-line on the infected system.[2][1]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Lizar has a module to collect usernames and passwords stored in browsers.[1]

.004 Credentials from Password Stores: Windows Credential Manager

Lizar has a plugin that can retrieve credentials from Internet Explorer and Microsoft Edge using vaultcmd.exe and another that can collect RDP access credentials using the CredEnumerateW function.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Lizar can decrypt its configuration data.[1]

Enterprise T1573 Encrypted Channel

Lizar can support encrypted communications between the client and server.[2][1]

Enterprise T1105 Ingress Tool Transfer

Lizar can download additional plugins, files, and tools.[1]

Enterprise T1106 Native API

Lizar has used various Windows API functions on a victim's machine.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Lizar can run Mimikatz to harvest credentials.[2][1]

Enterprise T1057 Process Discovery

Lizar has a plugin designed to obtain a list of processes.[2][1]

Enterprise T1055 Process Injection

Lizar can migrate the loader into another process.[1]

.001 Dynamic-link Library Injection

Lizar has used the PowerKatz plugin that can be loaded into the address space of a PowerShell process through reflective DLL loading.[1]

.002 Portable Executable Injection

Lizar can execute PE files in the address space of the specified process.[1]

Enterprise T1113 Screen Capture

Lizar can take JPEG screenshots of an infected system.[2][1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Lizar can search for processes associated with an anti-virus product from list.[1]

Enterprise T1082 System Information Discovery

Lizar can collect the computer name from the machine,.[1]

Enterprise T1016 System Network Configuration Discovery

Lizar can retrieve network information from a compromised host.[1]

Enterprise T1049 System Network Connections Discovery

Lizar has a plugin to retrieve information about all active network sessions on the infected server.[1]

Enterprise T1033 System Owner/User Discovery

Lizar can collect the username from the system.[1]

Groups That Use This Software

ID Name References
G0046 FIN7