Russia-Linked Cybercrime Group Hawks Combo of Malicious Services With LilithBot

Published: 23/11/2024   Category: security




The malware-as-a-service group Eternity is selling a one-stop shop for various malware modules it's been distributing individually via a subscription model on Telegram.



An emerging Russia-linked threat group is ramping up its malware-as-a-service operation by packaging several of its modules into a multifunctional malware offering, dubbed LilithBot, that it's peddling via Telegram.
The Eternity group — aka EternityTeam or Eternity Project — has been active since at least January and uses an as-a-service subscription model to distribute different Eternity-branded malware modules in underground forums. Its individual malicious offerings include a stealer, miner, botnet, ransomware, worm with a dropper, and distributed denial-of-service (DDoS) bot, researchers from Zscaler ThreatLabz revealed in a blog post published this week.
In a recently observed campaign, Eternity put a number of those modules together into one-stop shopping for these various payloads, Zscaler security researcher Shatak Jain and senior program manager Aditya Sharma wrote in the post. The threat actor is distributing the multifunctional LilithBot malware through its dedicated Telegram group and a Tor link.
In addition to its primary botnet functionality, it also had built-in stealer, clipper, and miner capabilities, the researchers wrote of the LilithBot campaign, which appears to have multiple variants.
The EternityTeam has links to the Russian Jester Group and offers a malware toolkit sold through a malware-as-a-service subscription service advertised via a dedicated Telegram channel, named @EternityDeveloper.
Other security companies have also studied the group.
Security firm Cyberint in January identified the group and its various malware modules as an emerging force to be reckoned with in the underground cybercrime industry. In May, research from security firm Sekoia.IO identified the group as a new prominent malware seller and provided analysis of the various tools in its arsenal.
Typically, EternityTeam offers different services individually — including a stealer, miner, clipper, ransomware, worm plus dropper, and DDoS Bot — and accepts payment through various cryptocurrencies, including Bitcoin, Ethereum, Monero, and Tether/USDT, among others.
Eternity also offers customized viruses and will create viruses with add-on features upon customer request. The price of the various malware the group sells ranges from US$90 to $470, with its ransomware product priced the highest.
The cybercrime group runs a tight ship: its business is extremely user-friendly for a number of reasons, the Zscaler researchers noted. It's easy for cybercriminals to purchase and operate via Tor, and the service accepts crypto as payment; it's customizable to fit clients' needs; and it's regularly updated at no additional charge, they said. The group also offers add-on discounts and referral rewards to its customers.
As legitimate businesses often see the value in bundling services together, so do cybercrime operators. LilithBot is an example of this practice, with Eternity selling the multifunctional malware as a subscription, similar to how it distributes its individual malware-as-a-service modules.
There are plenty of other examples of attackers distributing malware that relies not on one core competency but on a combined range of malicious functionality in one package. The Chaos malware is one example of this, having evolved recently from its original ransomware builder into a DDoS and cryptomining tool.
Though LilithBot is different in that it is starting out as a combination of a threat group's existing services rather than evolving into a new type of malware, it's similar in that it packs a malicious, multifunctional punch.
LilithBot initiates its nefarious activity by registering as a botnet on an affected system and then decrypts itself step by step to drop its configuration file, the researchers said. It goes on to steal files and user information, which it then uploads via a zip file to a command-and-control (C2) server using the Tor network. LilithBot also uses fake certificates to bypass detections and deliver its various functionality as a stealer, cryptominer, and clipper.
Zscaler researchers observed two variants of LilithBot being distributed by Eternity, with slight differences in the main functions of each release, they said. Specifically, some commands that were present in earlier variants were absent from the newest variant that researchers analyzed.
The latest version of LilithBot no longer checks for the presence of various DLLs related to virtualization and security software such as Sandboxie, 360 Total Security, Avast, and COMODO AVs, nor for the Win32_PortConnector class that represents physical connection ports such as DB-25 pin male, Centronics, or PS/2, checks the earlier variant used to ensure the malware was running on a physical machine rather than a virtual one.
It is likely that the group is still performing these functions, the researchers wrote, but doing so in more sophisticated ways: such as performing it dynamically, encrypting the functions like other regions of code, or using other advanced tactics.
