FIN7, a dangerous and widely documented malicious hacking group, is employing a backdoor identified as Lizar disguised as a pentesting tool for Windows systems. According to researchers from security firm BI.ZONE, hackers pretend to be a legitimate organization that sells a cybersecurity tool that actually concealed the backdoor.
FIN7 hackers, active since 2015, focus on the compromise of point-of-sale (PoS) systems in restaurants, hotels and casinos, among other places. Reports have been published for a few months that the group has diversified its actions, employing data theft, ransomware attacks and social engineering campaigns to its wide repertoire of tricks.
The most recent addition to this group’s arsenal is the backdoor Lizar, which brings together multiple hacking capabilities such as data collection and lateral movement: “Lizar is a very complex tool; even though it is in development, some hacker groups are already using that tool to take control of infected devices,” the BI.ZONE report mentions.
Experts mention that Lizar is very similar to Carbanak, as both consist of a loader and several plugins that are used for different tasks. Together, they run on the compromised device and can be combined into the Lizar bot client, which in turn communicates with a remote server. Experts detected three types of bots: DLLs, EXE, and PowerShell scripts, that run a DLL in the address space of the PowerShell process.
Plugins are sent from the server to the loader and run when a certain action is performed in the Lizar client application, according to BI.ZONE. The six stages of the lifecycle of these malicious plugins are described below:
- The user selects a command in the Lizar client application interface
- Lizar’s server receives information about the selected command
- The server finds a plugin in the plugin directory and then sends it to the loader
- The loader runs the plugin and stores the result of the plug-in execution in a specially allocated memory area on the heap
- The server retrieves the results of the plug-in run and sends them to the client
- The client application displays the results of the plugin execution
As mentioned at the beginning, criminals have resorted to an unusual technique to propagate this backdoor, posing as employees of security firms who distribute a tool developed by firms such as Forcepoint or Check Point Software. Hackers implement ambitious social engineering campaigns using platforms such as Twitter or LinkedIn and even Discord or Telegram to contact system administrators and security researchers, convincing them to try the malicious tool.
The approximate number of security incidents associated with this campaign is unknown so far, although researchers expect greater certainty about the scope of these attacks in the coming weeks.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.