FIN7 is Spreading a Backdoor Called Lizar

Under the pretext of being a Windows pen-testing platform for ethical hackers, the infamous FIN7 cybercrime gang, a financially motivated organization, is spreading a backdoor called Lizar. 

Since mid-2015, the Russian criminal advanced persistent threat group FIN7 has targeted the retail, restaurant, and hospitality sectors in the United States. Combi Security, the front company for FIN7, manages a portion of the operation. It has been dubbed one of the world’s most prolific criminal hacking organizations. FIN7 is also known as the Carbanak Group, but these two groups appear to be using the same Carbanak malware and are therefore monitored separately. 

FIN7 is posing as a legitimate company selling a security-analysis platform, according to the BI.ZONE Cyber Threats Research Team. According to the researchers, they go to great lengths to ensure authenticity: “These groups recruit workers who are unaware that they are dealing with actual malware or that their employer is a real criminal group.” 

The group usually targets victims with malware-laced phishing attacks in the hopes of infiltrating networks and selling bank-card data. It has also introduced ransomware/data exfiltration attacks to its arsenal since 2020, carefully choosing targets based on revenue using the ZoomInfo service, according to researchers. 

Its malware selection is often changing, with researchers sometimes being surprised by never-before-seen samples. However, the Carbanak remote-access trojan (RAT), which is highly complex and sophisticated in comparison to its peers, has been its go-to toolkit. Carbanak is commonly used for network reconnaissance and gaining a foothold. 

However, BI.ZONE researchers have recently discovered that the community is employing a new form of backdoor known as Lizar. According to an article published on Thursday, the new edition has been in use since February and provides a strong range of data extraction and lateral movement capabilities. 

 “Lizar is a diverse and complex toolkit,” according to the firm. “It is currently still under active development and testing, yet it is already being widely used to control infected computers, mostly throughout the United States.” 

Attacks on a gambling establishment, several educational institutions, and pharmaceutical firms in the United States, as well as an IT corporation headquartered in Germany and a financial institution in Panama, have been recorded so far.