June 6, 2023

A recently discovered sample of a new malware called LilithBot is linked to the Eternity group. The Eternity group operates a homonymous malware-as-a-service, linked to the Russian Jester Group.

Eternity Project a TOR project was analyzed, that offers for sale a broad range of malware, including stealers, miners, ransomware, and DDoS Bots. Also discovered that its operators also have a Telegram channel with around 500 subscribers. The channel was used to share information about malware listings and updates.

Advertisements

The operators behind the project allow their customers to customize the binary features through the Telegram channel, selling the Stealer module for $260 as an annual subscription, it allows to steal a lot of sensitive information from infected systems, including passwords, cookies, credit cards, and crypto-wallets. Stolen data are exfiltrated via Telegram Bot.

The Eternity operators also sells the clipper malware for $110, it monitors the clipboard for cryptocurrency wallets and replaces them with the wallet address of the attackers. The Eternity Ransomware goes for $490 while the Eternity Worm is available for $390.

A DDoS Bot malware also under development, for borrowing code from the existing GitHub repository. The experts speculate that the Jester Stealer could also be rebranded from this GitHub project which indicates some links between the two Threat Actors.

LilithBot is an advanced malware distributed by the Eternity group via a dedicated Telegram channel and can be purchased via Tor. It is a flexible threat that can be used as a miner, stealer, and clipper.

Advertisements

The threat actors are continuously enhancing the malware by adding new features, including as anti-debugging capabilities and anti-VM checks.

LilithBot can steal all the information from infected systems, then uploads itself as a zip file to Command and Control.it is a multifunctional malware that is also offered through a MaaS model.

This research was documented by researchers from ZScaler

Indicators Of Compromise

  • 0ebe8de305581c9eca37e53a46d033c8 
  • 1cae8559447370016ff20da8f717db53 
  • e793fcd5e44422313ec70599078adbdc
  • 65c0241109562662f4398cff77499b25 
  • 77.73.133.12
  • 45.9.148.203
  • 91.243.59.210
  • 195.2.71.214
Tags:

Leave a Reply

You may have missed

Byte Code Bites PYPI

Byte Code Bites PYPI

June 5, 2023
Enzo Biochem Suffers a Data Breach

Enzo Biochem Suffers a Data Breach

June 5, 2023
BlackSuit Ransomware Dissection

BlackSuit Ransomware Dissection

June 4, 2023
TheCyberThrone CyberSecurity Newsletter Top 5 Articles – May, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – May, 2023

June 4, 2023
Cisco buys Armorblox

Cisco buys Armorblox

June 3, 2023
CISA KEV Update Part I – May 2023

CISA KEV Update Part I – May 2023

June 3, 2023
%d bloggers like this: