Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Lizar
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Lizar
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Lizar

Lizar is a modular remote access tool written using the .NET Framework that shares structural similarities to Carbanak. It has likely been used by FIN7 since at least February 2021.(Citation: BiZone Lizar May 2021)(Citation: Threatpost Lizar May 2021)(Citation: Gemini FIN7 Oct 2021)
ID: S0681
Associated Software: Tirion
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 02 Feb 2022
Last Modified: 15 Apr 2022

Associated Software Descriptions
Name Description
Tirion (Citation: BiZone Lizar May 2021)(Citation: Gemini FIN7 Oct 2021)

Techniques Used
Domain ID Name Use
Enterprise T1087 .003 Account Discovery: Email Account

Lizar can collect email accounts from Microsoft Outlook and Mozilla Thunderbird.(Citation: BiZone Lizar May 2021)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Lizar has used PowerShell scripts.(Citation: BiZone Lizar May 2021)
.003 Command and Scripting Interpreter: Windows Command Shell

Lizar has a command to open the command-line on the infected system.(Citation: Threatpost Lizar May 2021)(Citation: BiZone Lizar May 2021)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Lizar has a module to collect usernames and passwords stored in browsers.(Citation: BiZone Lizar May 2021)
.004 Credentials from Password Stores: Windows Credential Manager

Lizar has a plugin that can retrieve credentials from Internet Explorer and Microsoft Edge using `vaultcmd.exe` and another that can collect RDP access credentials using the `CredEnumerateW` function.(Citation: BiZone Lizar May 2021)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Lizar can run Mimikatz to harvest credentials.(Citation: Threatpost Lizar May 2021)(Citation: BiZone Lizar May 2021)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Lizar has used the PowerKatz plugin that can be loaded into the address space of a PowerShell process through reflective DLL loading.(Citation: BiZone Lizar May 2021)

.002 Process Injection: Portable Executable Injection

Lizar can execute PE files in the address space of the specified process.(Citation: BiZone Lizar May 2021)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Lizar can search for processes associated with an anti-virus product from list.(Citation: BiZone Lizar May 2021)

Groups That Use This Software
ID Name References
G0046 FIN7

(Citation: Gemini FIN7 Oct 2021) (Citation: Threatpost Lizar May 2021)

References

  1. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
  2. Gemini Advisory. (2021, October 21). FIN7 Recruits Talent For Push Into Ransomware. Retrieved February 2, 2022.
  3. Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.