Criminal multitool LilithBot arrives on malware-as-a-service scene
Bespoke botnet up for grabs from outfit praised for, er, customer service
A Russia based threat group that set up a malware distribution shop earlier this year is behind a Swiss Army knife-like botnet that comes with a range of other malicious capabilities, from stealing information to mining cryptocurrency.
That's according to researchers at Zscaler's ThreatLabz threat intelligence unit. It said the Eternity group – also known as EternityTeam and Eternity Project – is offering the multifunction LilithBot malware through a dedicated Telegram group and a Tor link where cybercriminals can acquire various payloads via subscriptions.
The malware as a service (MaaS) group has been active since at least January, distributing a range of modules under the Eternity brand that – along with the stealer and miner malware – include ransomware, a distributed denial-of-service (DDoS) bot, worm and dropper, and a clipper that spoofs crypto addresses in wallets, the researchers wrote in a report.
The Eternity group appears to be a high-functioning unit with a customer-friendly service, regularly updating its payloads, providing customized viruses, and creating viruses that come with add-on features an attacker might need. The price for the malware ranges from $90 to $470 and the group, which typically operates through Telegram, accepts payment in an array of cryptocurrencies, including Bitcoin, Ethereum, Monero, and Dash.
Some threat groups are turning to the as-a-service model as their main revenue generator or as an additional source of income to complement their other malicious activities. That includes not only MaaS but also ransomware- and access-as-a-service, where a group will gain initial access into a corporate network and then sell that access to other cybercriminals.
Other cybersecurity vendors have taken looks at the Eternity group. Sekoia in May wrote there were a number of reasons to believe that the "active and organized" threat group – which it dubbed EternityTeam – could become a prominent malware seller. Those included the capability of the malware itself, the number of Eternity Stealer samples found in the wild, the group's efforts in marketing, and that the "'project' of the Eternity threat group has been 'verified and approved' by the administrators of several cybercrime forums in early February 2022, as a guarantee of the worthiness of the products they sell," the Sekoia researchers wrote.
It now appears that the Eternity group – which is linked to the Russian malware gang Jester Group – is offering some of its malware modules in LilithBot, which ThreatLabz analysts said they identified in July when a sample appeared in their database.
"In this campaign, the threat actor registers the user on its botnet and steals files and user information by uploading it to a command-and-control (C2) server using the Tor network," they wrote. "In this campaign, the malware uses fake certificates to bypass detections."
They have found multiple variants with slight differences in the primary function that have changed as the malware has evolved, including several commands that were present in earlier variants that are not seen in the most recent one. Those include a method for checking for the presence of dynamic link libraries (DLLs) and for checking for various physical connection ports.
- Want to sneak a RAT into Windows? Buy Quantum Builder on the dark web
- LokiLocker ransomware family spotted with built-in wiper
- Dark Utilities C2 service draws thousands of cyber criminals
- Malware targeting cash machines fetches top dollar on dark web
The DLLs referred to are related to virtual software like Sandboxie, 360 Total Security, Avast, and COMODO Avs. The checking for Win32_PortConnector is to ensure that it's a physical system rather than a virtual machine, according to the researchers.
"It is likely that the group is still performing these functions, but doing so in more sophisticated ways: such as performing it dynamically, encrypting the functions like other regions of code, or using other advanced tactics," they wrote.
LilithBot compromises the targeted system by registering as a bot, they wrote. It then decrypts itself, dropping its configuration file. The malware sues its own decrypting tool so that security teams can decrypt it manually.
Once in, it creates a zip file that includes multiple directories to store such information as browser history, cookies, and such personal information as pictures. The files are uploaded into the zip file, which is sent to a command-and-control (C2) server via the Tor network.
To evade detection, LilithBot also uses fake certificates.
"A legitimate Microsoft-signed file is issued by the 'Microsoft Code Signing PCA' certificate authority, and will also display a countersignature from Verisign," the ThreatLabz analysts wrote.
"However, we have seen that the fake certificates in LilithBot have no countersignature, and appear to have been issued by 'Microsoft Code Signing PCA 2011,' which was not verified." ®