The FIN7 APT group, based in Eastern Europe, is alleged to be responsible for payment card breaches involving the well-known brands Chipotle, Chili’s, Arby’s and Red Robin. FIN7 targets financial institutions and payment terminals, specifically those of restaurants, gambling establishments and hospitality-oriented entertainment venues. The estimated value of the attacks is $900 million. Researchers believe the FIN7 APT group is distributing the Lizar malware, which is presented as an ethical hacking tool.

What Is It?

The FIN7 APT has successfully used its Carbanak RAT (Remote Access Trojan) to compromise various financial institutions and payment terminals. In April 2021, a senior member of FIN7, a Ukrainian national, was sentenced to 10 years in prison.

FIN7 has previously used a front company, Combi Security, to appear reputable. The company allegedly had offices in Moscow and Haifa, Israel, and advertised for penetration testers, recruiting them into seemingly legitimate roles. One job advertisement on a Ukrainian job board stated that Combi Security had 21-80 employees and that the company was “one of the leading international companies in the field of information security”. It is conceivable that some of the ethical hackers hired by Combi Security believed their roles and their assignments were genuine.

Research published by BI.ZONE suggests that FIN7 has returned to its previous modus operandi by distributing Lizar. Lizar is presented as a genuine ethical hacking tool for Microsoft Windows networks, but is in fact the latest evolution of the group’s backdoor. Researchers believe FIN7 is still hiring individuals who are likely unaware that the tool is malware and that they are employed by a cyber-criminal enterprise.

The Lizar backdoor toolkit has been observed in the wild since late February 2021, mainly on infected systems across the United States, though victims have also been seen in Germany and Panama. Infected organizations include educational institutions and pharmaceutical, gambling and finance companies. Lizar is believed to be under active development, and more attacks using this malware are anticipated.

Conceptually, the Lizar backdoor toolkit is similar to Carbanak and uses a modular architecture. The modular approach allows for ease of development and the addition of new functionality. The main components are a loader and a series of plugins, which together operate as a malicious bot. The plugins’ functions include loading existing tools such as Mimikatz or Carbanak itself, taking screenshots, and exfiltrating sensitive information and credentials. Communication between the backdoor and the server is encrypted; the encryption key is specified in the configuration and must match the key on the server, otherwise the server ignores the communication.

How Does FIN7 Propagate Lizar?

The malware does not contain the code needed to self-propagate. Instead, Lizar is presented as an ethical hacking tool for Windows networks so that the people using it will deploy it on target networks themselves.

When/How Did BluVector Detect It?

Sixteen samples related to Lizar are publicly available, and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown that the samples would have been detected an average of 64 months prior to their release.