Lizar

Malware updated 7 months ago (2024-05-04T20:52:06.058Z)

Download STIX

Preview STIX

Lizar, also known as Tirion or Diceloader, is a malicious software developed by the threat group ITG14. It's designed to exploit and damage computers or devices, infiltrating systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operations, or hold data hostage for ransom. Lizar uses a CRC algorithm to create its hash, and has a variety of plugins, such as Jumper32/Jumper64.dll which can load payloads using different methods. Additionally, it contains functionality like ListProcesses32/ListProcesses64.dll plugin, which enumerates running processes and sends a list of process names and IDs back to the Command and Control (C2) server. The Domino Backdoor malware shares significant code overlap with Lizar, incorporating elements that appear in some of Lizar's plugins. This includes the ability to gather system information and send it to the C2, similar to Lizar’s Info32/Info64.dll plugin. The bot ID format used by Domino Backdoor is also similar to that generated by Lizar, which uses a checksum of system information combined with the process ID. However, unlike Lizar, Domino employs a custom algorithm that XORs multiple values together to create its hash. In May 2023, the notorious hacker group FIN7, also known as Sangria Tempest, reportedly used the Lizar backdoor to distribute Clop ransomware on victims' machines. These attacks also utilized custom PowerShell scripts to retrieve stored credentials from backup servers, gather system information, and establish a foothold in compromised hosts by executing Diceloader every time the device boots up. The script was used to reflectively load additional payloads into the system, specifically an embedded Lizar dynamic-link library (DLL).

Description last updated: 2024-05-04T19:37:16.091Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Diceloader is a possible alias for Lizar. Diceloader is a type of malware, short for malicious software, that is designed to infiltrate and damage computer systems. It can infect systems through various means such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal in	5
Tirion is a possible alias for Lizar. Tirion, also known as Lizar or DiceLoader, is a type of malware developed by the threat group ITG14, also known as FIN7. First reported in March 2020, Tirion has been observed in numerous ITG14 campaigns up until the end of 2022. This malicious software can infiltrate systems through suspicious down	4
Domino Backdoor is a possible alias for Lizar. The Domino Backdoor is a type of malware that has been linked to multiple threat groups, highlighting the complexity of tracking these actors and their operations. This malicious software, designed to exploit and damage computers or devices, can steal personal information, disrupt operations, or hol	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

Malware

Loader

Payload

exploitation

Bot

Exploit

Cobalt Strike

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Domino Malware is associated with Lizar. Domino is a malicious software that infiltrated various systems, most notably IBM Domino Server and ESET Mail Security for IBM Domino, causing significant disruptions and data breaches. The malware was particularly potent due to its ability to exploit vulnerabilities in one system and trigger a domi	Unspecified	3
The Carbanak Malware is associated with Lizar. Carbanak is a notorious malware developed by the cybercrime collective known as FIN7, also referred to as Carbon Spider, Cobalt Group, and Navigator Group. The group, which has been active since 2012, is of Russian origin and has been particularly focused on exploiting the restaurant, gambling, and	Unspecified	3

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The FIN7 Threat Actor is associated with Lizar. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global	Unspecified	6
The Sangria Tempest Threat Actor is associated with Lizar. Sangria Tempest, also known as Carbon Spider, Elbrus, and FIN7, is a threat actor that has been active since 2013. In mid-November 2023, Microsoft observed Sangria Tempest using Storm-1113's EugenLoader delivered through malicious MSIX package installations. The group frequently targets the restaura	Unspecified	2
The ITG14 Threat Actor is associated with Lizar. ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14’s Carbanak Backdoor. The Domino Backdoor not only shares signifi	Unspecified	2

Source Document References

Information about the Lizar Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	a year ago	LockBit, BlackCat, and Clop Prevail as Top RAAS Groups: Ransomware in 1H 2023
CERT-EU	2 years ago	Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware
CERT-EU	a year ago	FIN7 cybergang tied to April PaperCut attacks \| #ransomware \| #cybercrime – National Cyber Security Consulting
MITRE	2 years ago	FIN7 Backdoor Masquerades as Ethical Hacking Tool
SecurityIntelligence.com	2 years ago	Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
DARKReading	2 years ago	FIN7, Former Conti Gang Members Collaborate on 'Domino' Malware
Securityaffairs	2 years ago	The intricate relationships between the FIN7 group and members of the Conti gang
CERT-EU	2 years ago	Плодотворное сотрудничество бывших хакеров Conti с группировкой FIN7 привело к распространению вредоносов Domino и Nemesis
SecurityIntelligence.com	2 years ago	Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
CERT-EU	2 years ago	Ransomware gang exploiting unpatched Veeam backup products \| #ransomware \| #cybercrime – National Cyber Security Consulting
CERT-EU	2 years ago	FIN7 Hackers Caught Exploiting Recent Veeam Vulnerability
CERT-EU	2 years ago	Недавно обнаруженная уязвимость Veeam уже используется хакерами FIN7 для кражи конфиденциальных данных
CSO Online	2 years ago	Cybercrime group FIN7 targets Veeam backup servers
CERT-EU	2 years ago	Le groupe d'attaquants FIN7 cible les serveurs de sauvegarde Veeam - Le Monde Informatique
CERT-EU	2 years ago	FIN7 не сдается: хакеры вернулись с новым рансомваром Clop
Securityaffairs	a year ago	FIN7 gang returned and was spotted delivering Clop ransomware
CERT-EU	a year ago	FIN7 cybercrime syndicate uses Clop ransomware in new wave of attacks