FIN7, a financially motivated cybercrime group, is active again and using the Lizar malware. This malware is a backdoor that targets Windows-based systems and harvests all kinds of information. It is spreading under the guise of a Windows pentesting tool for ethical hackers.

What has happened?

According to BI.ZONE Cyber Threats Research Team, the cybercrime group is pretending to be a genuine organization that offers a security analysis tool that appears to be legitimate. 
  • Fin7 has attacked a gambling establishment, multiple educational institutions, and pharmaceutical firms in the U.S., a financial institution in Panama, and an IT firm in Germany.
  • The group has been using the latest version of the Lizar backdoor since February, which is found to have a powerful set of data retrieval and lateral movement capabilities.
  • Lizar is a complex toolkit and right now is under active development and testing stage, yet this malware toolkit is being used to control infected computers, mostly in the U.S.

The Lizar toolkit

The Lizar toolkit is structurally similar to Carbanak and consists of a loader and various plugins for different tasks. The loader and plugins can run together on an infected system and can logically be clubbed together as the Lizar bot client.
  • The bot has a modular architecture that makes it scalable and enables independent development of all components. Researchers detected three types of bots: DLLs, EXEs, and PowerShell scripts.
  • The plugins are delivered from the server to the loader and executed when a specific action is performed in the Lizar client application.
  • The plugins are created to load other tools such as Carbanak or Mimikatz, obtain information from the victim system, harvest credentials, retrieve browser histories, and take screenshots, to name a few.


FIN7 is actively upgrading its arsenal with new malware. This indicates that it may be planning to further sharpen its tools and techniques to make its attacks stealthier and more effective. Organizations are recommended to protect themselves with proper security measures, including email web gateways, anti-malware solutions, and providing training to employees.

Cyware Publisher