
LilithBot Malware and Eternity Project's Cybercrime Operation

In May, threat actors launched a multipurpose cybercrime service that claimed to benefit both low-skilled and sophisticated attackers. Dubbed Eternity Project, it soon became a popular Malware-as-a-Service (MaaS). Now, the threat actor has come up with a multi-function malware, named LilithBot. The Eternity Group is, in turn, associated with the Russian Jester Group.

Diving into details

  • LilithBot is disseminated through a dedicated Telegram channel, which can be purchased via Tor. The malware can be used as a stealer, clipper, and a miner, and possesses advanced persistence mechanisms. 
  • The malware registers on the system and decrypts layer by layer, deploying the configuration file. It leverages several field types such as encoding key, license key, and GUID encrypted via AES.
  • Subsequently, LilithBot steals all the information and uploads it as a ZIP file to its C2.

LilithBot variants

Researchers observed two variants of the malware with slight differences between them. The newer strain omits several functions present in the older variant:
  • Checking for DLLs associated with security and sandbox software, such as Avast, COMODO AVs, Sandboxie, and 360 Total Security.
  • Checking for Win32_PortConnector to ensure that the malware is running on a physical machine rather than a virtual one.
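The two checks above are also what an analysis-sandbox operator needs to verify from the other side: if the VM exposes these tells, the older variant will simply refuse to run and yield nothing to analyze. The following PowerShell audit is an added example written for this page, not code from the report or from the malware; it assumes the commonly cited module file names for the Sandboxie, Avast and COMODO products (SbieDll.dll, snxhk.dll, cmdvrt32.dll), which should be confirmed against the installed copies and extended with the 360 Total Security module name as needed.

```powershell
# Added example (not from the report): audit an analysis VM for the two environment
# tells the older LilithBot variant is described as checking, so the sandbox can be
# tuned to look like a physical host before a sample is detonated.
# ASSUMPTION: the module names below are the commonly cited file names for these
# products' DLLs; confirm against your own installed copies and extend the list
# (e.g. with the 360 Total Security module) as needed.
$VendorDlls = @(
    'SbieDll.dll',   # Sandboxie
    'snxhk.dll',     # Avast
    'cmdvrt32.dll'   # COMODO
)

function Test-VendorDllTell {
    # Reports which of the named DLLs are loaded into this process or present
    # in the Windows system directory; either would be visible to a sample.
    foreach ($dll in $VendorDlls) {
        $loaded = (Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -ieq $dll }
        $onDisk = Test-Path (Join-Path $env:SystemRoot "System32\$dll")
        [pscustomobject]@{
            Dll     = $dll
            Loaded  = [bool]$loaded
            OnDisk  = $onDisk
            Exposed = ([bool]$loaded -or $onDisk)
        }
    }
}

function Test-PortConnectorTell {
    # A physical machine normally reports one or more Win32_PortConnector
    # instances via SMBIOS; hypervisors commonly expose none, which is the
    # condition the malware's check keys on.
    $ports = @(Get-CimInstance -ClassName Win32_PortConnector -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        PortConnectorCount = $ports.Count
        LooksPhysical      = ($ports.Count -gt 0)
    }
}

# Run both audits and flag anything that would make the older variant bail out.
$dlls  = Test-VendorDllTell
$ports = Test-PortConnectorTell

$dlls  | Format-Table -AutoSize
$ports | Format-Table -AutoSize

if (($dlls | Where-Object Exposed) -or -not $ports.LooksPhysical) {
    Write-Warning 'Sandbox exposes at least one tell; the older variant would likely not run here.'
} else {
    Write-Host 'No tells found for the checks described in the report.'
}
```

Run the script inside the analysis VM as the user the sample will run as; a warning means the environment should be adjusted (for example by having the hypervisor populate SMBIOS port-connector records, or by isolating vendor DLLs from the detonation host) before expecting the older variant to execute fully.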

Nevertheless, it is suspected that the threat actor still performs these checks, but in more advanced ways, such as running them dynamically and encrypting the relevant functions in the same way as other areas of the code.

The bottom line

The multi-function malware is being constantly developed by its operators, who have also added anti-VM checks and anti-debugging features. LilithBot can steal cookies, screenshots, pictures, and browser history from infected systems. While it is a dangerous threat, researchers have provided its IOCs, which will help defenders detect the threat on their systems and find a proper way to stop it in its tracks.
Publisher: Cyware