December 1, 2022

TheCyberThrone

Thinking Security ! Always

LilithBot linked to Eternity Group


A recently discovered sample of a new malware called LilithBot is linked to the Eternity group. The Eternity group operates a homonymous malware-as-a-service, linked to the Russian Jester Group.

Eternity Project a TOR project was analyzed, that offers for sale a broad range of malware, including stealers, miners, ransomware, and DDoS Bots. Also discovered that its operators also have a Telegram channel with around 500 subscribers. The channel was used to share information about malware listings and updates.

Advertisements

The operators behind the project allow their customers to customize the binary features through the Telegram channel, selling the Stealer module for $260 as an annual subscription, it allows to steal a lot of sensitive information from infected systems, including passwords, cookies, credit cards, and crypto-wallets. Stolen data are exfiltrated via Telegram Bot.

The Eternity operators also sells the clipper malware for $110, it monitors the clipboard for cryptocurrency wallets and replaces them with the wallet address of the attackers. The Eternity Ransomware goes for $490 while the Eternity Worm is available for $390.

A DDoS Bot malware also under development, for borrowing code from the existing GitHub repository. The experts speculate that the Jester Stealer could also be rebranded from this GitHub project which indicates some links between the two Threat Actors.

LilithBot is an advanced malware distributed by the Eternity group via a dedicated Telegram channel and can be purchased via Tor. It is a flexible threat that can be used as a miner, stealer, and clipper.

Advertisements

The threat actors are continuously enhancing the malware by adding new features, including as anti-debugging capabilities and anti-VM checks.

LilithBot can steal all the information from infected systems, then uploads itself as a zip file to Command and Control.it is a multifunctional malware that is also offered through a MaaS model.

This research was documented by researchers from ZScaler

Indicators Of Compromise

  • 0ebe8de305581c9eca37e53a46d033c8 
  • 1cae8559447370016ff20da8f717db53 
  • e793fcd5e44422313ec70599078adbdc
  • 65c0241109562662f4398cff77499b25 
  • 77.73.133.12
  • 45.9.148.203
  • 91.243.59.210
  • 195.2.71.214
%d bloggers like this: