From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit

A few words about FIN7

Figure 1. Carbanak backdoor version 3.7.4 interface

Lizar toolkit architecture

Table 1. Essence and purpose of Lizar components
Figure 2. Schematic of the Lizar toolkit operation

Lizar client

  • client.ini.xml — XML configuration file;
  • client.exe — client's main executable;
  • libwebp_x64.dll — 64-bit version of libwebp library;
  • libwebp_x86.dll — 32-bit version of libwebp library;
  • keys — a directory with the keys for encrypting traffic between the client and the server;
  • plugins/extra — plugin directory (in practice only some plugins are present in this directory, the rest are located on the server);
  • rat — directory with the public key from Carbanak (this component has been added in the latest version of Lizar).
Table 2. Configuration file structure: elements and their descriptions
Table 3. Characteristics of client.exe
Figure 3. Lizar client version 2.0.4 interface
Figure 4. List of commands supported by the Lizar client
  • Info — retrieve information about the system. The plugin for this command is located on the server. When a result is received from the plugin, the information is logged in the Info column.
  • Kill — stop the running plugin.
  • Period — change response frequency (Fig. 5).
Figure 5. Period command in the Lizar client GUI
  • Screenshot — take a screenshot (Fig. 6). The plugin for this command is located on the server. Once a screenshot is taken, it will be displayed in a separate window.
Figure 6. Screenshot command in the Lizar client GUI
  • List Processes — get a list of processes (Fig. 7). The plugin for this command is located on the server. If the plugin is successful, the list of processes will appear in a separate window.
Figure 7. List Processes command in the Lizar client GUI
  • Command Line — get a command prompt (CMD) on the infected system. The plugin for this command is located on the server. If the plugin executes the command successfully, the result will appear in a separate window.
  • Executer — launch an additional module (Fig. 8).
Figure 8. Executer command in the Lizar client GUI
  • Jump to — migrate the loader to another process. The plugin for this command is located on the server. The command parameters are passed through the client.ini.xml file.
  • New session — create another loader session (run a copy of the loader on the infected system).
  • Mimikatz — run Mimikatz.
  • Grabber — run one of the plugins that collect passwords in browsers and OS. The Grabber tab has two buttons: Passwords + Screens and RDP (Fig. 9). Activating either of them sends a command to start the corresponding plugin.
Figure 9. Grabber command in the Lizar client GUI
  • Network analysis — run one of the plugins to retrieve Active Directory and network information (Fig. 10).
Figure 10. Network analysis command in the Lizar client GUI
  • Rat — run Carbanak (RAT). The IP address and port of the server and admin panel are set via the client.ini.xml configuration file (Fig. 11).
Figure 11. Rat command in the Lizar client GUI

Lizar server

  • client/keys — directory with encryption keys for proper communication with the client;
  • loader/keys — directory with encryption keys for proper communication with the loader;
  • logs — directory with server logs (client-traffic, error, info);
  • plugins — plugin directory;
  • ThirdScripts — directory with the ps2x.py script and the ps2p.py helper module. The ps2x.py script is designed to execute files on the remote host and is implemented using the Impacket project. Command templates for this script are displayed in the client application when the appropriate option is selected.
  • x64 — directory containing the SQLite.interop.dll auxiliary library file (64-bit version).
  • x86 — directory containing the SQLite.interop.dll auxiliary library file (32-bit version).
  • AV.lst — a CSV file that maps a process name to the antivirus product it belongs to, with the product's name and description.
  • data.db — a database file containing information on all loaders (this information is loaded into the client application).
  • server.exe — server application.
  • server.ini.xml — server application configuration file.
  • System.Data.SQLite.dll — auxiliary library file.

Communication between client and server

Figure 12. Example of decrypted data transmitted from server to client

Lizar loader

Figure 13. Loader’s main function pseudocode
Figure 14. Pseudocode for retrieving system information and calculating its checksum
Figure 15. Pseudocode algorithm for decrypting data received from the server and sending it for processing
Figure 16. Pseudocode of the algorithm for decrypting data received from the server
Figure 17. Pseudocode of the function that generates the structure sent to the server

Plugins from the plugins directory

  1. The user selects a command in the Lizar client application interface.
  2. The Lizar server receives the information about the selected command.
  3. Depending on the command and loader bitness, the server finds a suitable plugin from the plugins directory, then sends the loader a request containing the command and the body of the plugin (e.g., Screenshot{bitness}.dll).
  4. The loader executes the plugin and stores the result of the plugin’s execution in a specially allocated area of memory on the heap.
  5. The server retrieves the results of plugin execution and sends them on to the client.
  6. The client application displays the plugin results.
  • CommandLine32.dll
  • CommandLine64.dll
  • Executer32.dll
  • Executer64.dll
  • Grabber32.dll
  • Grabber64.dll
  • Info32.dll
  • Info64.dll
  • Jumper32.dll
  • Jumper64.dll
  • ListProcess32.dll
  • ListProcess64.dll
  • mimikatz32.dll
  • mimikatz64.dll
  • NetSession32.dll
  • NetSession64.dll
  • rat32.dll
  • rat64.dll
  • Screenshot32.dll
  • Screenshot64.dll

CommandLine32.dll/CommandLine64.dll

Figure 18. CommandLine32.dll/CommandLine64.dll main function pseudocode

Executer32.dll/Executer64.dll

  • EXE file from the %TEMP% directory;
  • PowerShell script from the %TEMP% directory, which is run using the following command: {path to powershell.exe} -ex bypass -noprof -nolog -nonint -f {path to the PowerShell script};
  • DLL in memory;
  • shellcode.
Figure 19. Executer32.dll/Executer64.dll code running shellcode
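The PowerShell command template above uses abbreviated parameter names (-ex, -noprof, -nolog, -nonint). powershell.exe accepts any unambiguous prefix of a parameter name in addition to the short aliases from its built-in help, so a detection rule that only matches the literal strings -ExecutionPolicy or -NoProfile misses this exact invocation. The Python script below is an added example and is not part of the BI.ZONE write-up or of the Lizar toolkit: it normalizes abbreviated parameters to canonical names and then flags the combination the Executer plugin uses (execution-policy bypass, the three silencing flags, a script in a temp directory). The sample command lines, the victim path and the temp-directory markers are constructed; the alias table reflects the short forms documented for powershell.exe.

```python
import re
from typing import Dict, List, Optional, Set

# Canonical powershell.exe parameter names. powershell.exe accepts any
# unambiguous prefix of a parameter ("-noprof", "-nolog", "-nonint" are all
# valid spellings) plus the short aliases listed in its built-in help.
PARAMS_WITH_VALUE = {"executionpolicy", "file", "command", "encodedcommand", "windowstyle"}
FLAG_PARAMS = {"noprofile", "nologo", "noninteractive", "noexit", "sta", "mta"}
ALL_PARAMS = PARAMS_WITH_VALUE | FLAG_PARAMS
ALIASES = {
    "ex": "executionpolicy", "ep": "executionpolicy",
    "nop": "noprofile", "nol": "nologo", "noni": "noninteractive",
    "f": "file", "c": "command", "ec": "encodedcommand", "e": "encodedcommand",
    "w": "windowstyle",
}
# Lower-case path fragments that indicate a script staged in a temp directory (constructed list).
TEMP_MARKERS = ("%temp%", "\\appdata\\local\\temp\\", "\\windows\\temp\\")

_TOKEN = re.compile(r'"[^"]*"|\S+')


def resolve_param(token: str) -> Optional[str]:
    """Map a possibly abbreviated parameter token to its canonical name.

    Returns None for unknown tokens and for ambiguous prefixes such as "-no".
    """
    name = token.lstrip("-/").lower()
    if not name:
        return None
    if name in ALIASES:
        return ALIASES[name]
    matches = [p for p in ALL_PARAMS if p.startswith(name)]
    return matches[0] if len(matches) == 1 else None


def parse_powershell_cmdline(cmdline: str) -> Dict[str, object]:
    """Split a powershell.exe command line into canonical parameters."""
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    params: Dict[str, object] = {}
    unresolved: List[str] = []
    i = 1  # tokens[0] is the executable path
    while i < len(tokens):
        tok = tokens[i]
        if tok[:1] in ("-", "/"):
            canonical = resolve_param(tok)
            if canonical is None:
                unresolved.append(tok)
            elif canonical == "command":
                # -Command consumes the remainder of the line
                params["command"] = " ".join(tokens[i + 1:])
                break
            elif canonical in PARAMS_WITH_VALUE:
                params[canonical] = tokens[i + 1] if i + 1 < len(tokens) else ""
                i += 1
            else:
                params[canonical] = True
        i += 1
    return {"params": params, "unresolved": unresolved}


def analyze_powershell_cmdline(cmdline: str) -> Dict[str, object]:
    """Return canonical parameters plus a set of detection findings."""
    parsed = parse_powershell_cmdline(cmdline)
    p = parsed["params"]
    findings: Set[str] = set()
    if str(p.get("executionpolicy", "")).lower() in ("bypass", "unrestricted"):
        findings.add("exec_policy_bypass")
    if any(m in str(p.get("file", "")).lower() for m in TEMP_MARKERS):
        findings.add("script_in_temp")
    if all(p.get(f) for f in ("noprofile", "nologo", "noninteractive")):
        findings.add("silent_flags")
    if str(p.get("windowstyle", "")).lower().startswith("hid"):
        findings.add("hidden_window")
    return {"params": p, "unresolved": parsed["unresolved"], "findings": findings}


# Constructed samples with hypothetical paths (not taken from the original write-up).
SAMPLE_EXECUTER_STYLE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bypass '
    r'-noprof -nolog -nonint -f C:\Users\victim\AppData\Local\Temp\upd.ps1'
)
SAMPLE_BENIGN = r'powershell.exe -NoProfile -File C:\Scripts\backup.ps1'

if __name__ == "__main__":
    for sample in (SAMPLE_EXECUTER_STYLE, SAMPLE_BENIGN):
        print(analyze_powershell_cmdline(sample))
```

The prefix resolution is what makes the rule robust: the Executer-style sample resolves to executionpolicy=bypass plus the three silencing flags and a temp-directory script, while the benign sample resolves cleanly and produces no findings.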

Grabber32.dll/Grabber64.dll

Info32.dll/Info64.dll

Figure 20. Pseudocode snippet responsible for conversion of the received structure into a special string on the server

Jumper32.dll/Jumper64.dll

Figure 21. Jumper32.dll/Jumper64.dll main function pseudocode
  • by performing an injection into the process with a certain PID;
  • by creating a process with a certain name and performing an injection into it;
  • by creating a process with the same name as the current one and performing an injection into it.
  1. OpenProcess — The plugin retrieves the process handle for the specified process identifier (PID).
  2. VirtualAllocEx + WriteProcessMemory — the plugin allocates memory in the virtual address space of the specified process and writes into it the contents to be executed afterwards.
  3. CreateRemoteThread — the plugin creates a thread in the virtual address space of the specified process, with lpStartAddress pointing to the main function of the loader.
Figure 22. Pseudocode for a function to create a thread in the virtual address space of the specified process
  • If the appropriate flag is set in the structure passed to the plugin, the plugin creates a process in the security context of the explorer.exe process (Fig. 23).
Figure 23. Running an executable in the security context of explorer.exe
  • If the flag is not set, the executable file is started by calling the CreateProcessA function (Fig. 24).
Figure 24. Calling the CreateProcessA function
  • for a 64-bit target process, the injection is performed by the separate function shown in Fig. 25;
Figure 25. Pseudocode of the algorithm for injecting into a 64-bit process
  • for a 32-bit target process, the injection uses the CreateRemoteThread and RtlCreateUserThread functions, which create a thread in the virtual address space of the specified process.
  1. The plugin retrieves the path to the executable file for the process in the address space of which it is running.
  2. The plugin launches this executable file and injects the loader into the newly created process.
Figure 26. Pseudocode for injecting Jumper32.dll/Jumper64.dll into the same process
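All three Jumper modes described above end in the same observable sequence: the source process obtains a handle to the target with rights sufficient for VirtualAllocEx, WriteProcessMemory and CreateRemoteThread, and a thread is then started in the target from outside it. The Python below is an added example, not BI.ZONE's code and not a Lizar component: it replays a constructed stream of Sysmon-style events (event ID 1 process creation, ID 10 process access, ID 8 CreateRemoteThread; the field names are simplified and are not Sysmon's real schema), correlates a write-capable handle with a following remote thread, and labels the result as injection into an existing PID, into a freshly spawned named process, or into a clone of the source's own image, matching the three modes. All PIDs, image paths and timestamps are constructed.

```python
from typing import Dict, List, Tuple

# Access rights a process needs on its target for VirtualAllocEx,
# WriteProcessMemory and CreateRemoteThread (values from the Win32 SDK).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed, hypothetical images for the sample timeline.
HOST_IMAGE = r"C:\Users\victim\AppData\Roaming\host.exe"  # process the loader runs in
EXPLORER = r"C:\Windows\explorer.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
TASKMGR = r"C:\Windows\System32\Taskmgr.exe"

# Sysmon-style events with simplified field names (id 1 = process create,
# 10 = process access, 8 = CreateRemoteThread); "ts" is seconds.
EVENTS: List[Dict[str, object]] = [
    {"id": 1, "ts": 1, "pid": 2200, "ppid": 800, "image": EXPLORER},
    {"id": 1, "ts": 5, "pid": 7000, "ppid": 2200, "image": TASKMGR},
    {"id": 1, "ts": 10, "pid": 4100, "ppid": 2200, "image": HOST_IMAGE},
    # mode 1: inject into an existing PID
    {"id": 10, "ts": 20, "src": 4100, "tgt": 2200, "granted": "0x1FFFFF"},
    {"id": 8, "ts": 21, "src": 4100, "tgt": 2200, "start": "0x7FF6A2C01000"},
    # mode 2: create a process with a given name, then inject into it
    {"id": 1, "ts": 30, "pid": 5100, "ppid": 4100, "image": NOTEPAD},
    {"id": 10, "ts": 31, "src": 4100, "tgt": 5100, "granted": "0x1FFFFF"},
    {"id": 8, "ts": 32, "src": 4100, "tgt": 5100, "start": "0x7FF6A2C01000"},
    # mode 3: create a copy of the current executable, then inject into it
    {"id": 1, "ts": 40, "pid": 5200, "ppid": 4100, "image": HOST_IMAGE},
    {"id": 10, "ts": 41, "src": 4100, "tgt": 5200, "granted": "0x1FFFFF"},
    {"id": 8, "ts": 42, "src": 4100, "tgt": 5200, "start": "0x7FF6A2C01000"},
    # benign: Task Manager querying explorer with limited rights, no thread created
    {"id": 10, "ts": 50, "src": 7000, "tgt": 2200, "granted": "0x1000"},
]


def detect_injection(events: List[Dict[str, object]], window: int = 30) -> List[Dict[str, object]]:
    """Correlate write-capable process access with a later remote thread and label the mode."""
    procs: Dict[int, Dict[str, object]] = {}
    inject_access: Dict[Tuple[int, int], int] = {}  # (src, tgt) -> ts of last capable access
    alerts: List[Dict[str, object]] = []
    for ev in sorted(events, key=lambda e: int(e["ts"])):
        if ev["id"] == 1:
            procs[int(ev["pid"])] = {"image": ev["image"], "ppid": ev["ppid"]}
        elif ev["id"] == 10:
            granted = int(str(ev["granted"]), 16)
            if (granted & INJECT_MASK) == INJECT_MASK:
                inject_access[(int(ev["src"]), int(ev["tgt"]))] = int(ev["ts"])
        elif ev["id"] == 8:
            src, tgt, ts = int(ev["src"]), int(ev["tgt"]), int(ev["ts"])
            t_access = inject_access.get((src, tgt))
            if t_access is None or ts - t_access > window:
                continue  # no recent write-capable handle from src to tgt: not this pattern
            target = procs.get(tgt, {})
            source = procs.get(src, {})
            if target.get("ppid") == src:
                if target.get("image") == source.get("image"):
                    technique = "self-clone injection"
                else:
                    technique = "spawn-and-inject"
            else:
                technique = "injection into existing process"
            alerts.append({"src": src, "tgt": tgt, "technique": technique,
                           "target_image": target.get("image"), "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_injection(EVENTS):
        print(alert)
```

The parent-child check is what separates the modes: a target created by the source a moment earlier is a spawn-and-inject, and when that target's image equals the source's own image it is the clone variant; a target the source did not create is an injection into a pre-existing process. Limited-rights access without a following remote thread produces nothing.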

ListProcesses32.dll/ListProcesses64.dll

Figure 27. Retrieving information about each active process
Figure 28. Inserting the retrieved information to be sent to the server at a later time
  • process identifier;
  • path to the executable file;
  • information about the user running the process.

mimikatz32.dll/mimikatz64.dll

  • powerkatz_full32.dll
  • powerkatz_full64.dll
  • powerkatz_short32.dll
  • powerkatz_short64.dll

NetSession32.dll/NetSession64.dll

Figure 29. Retrieving network session information using WinAPI functions
Figure 30. Inserting the information retrieved by the plugin to be sent to the server

rat32.dll/rat64.dll

Screenshot32.dll/Screenshot64.dll

Figure 31. The part of the function used to save a screenshot taken by the plugin to the stream

Plugins from the plugins/extra directory

  • ADRecon.ps1
  • GetHash32.dll
  • GetHash64.dll
  • GetPass32.dll
  • GetPass64.dll
  • powerkatz_full32.dll
  • powerkatz_full64.dll
  • powerkatz_short32.dll
  • powerkatz_short64.dll
  • PswInfoGrabber32.dll
  • PswInfoGrabber64.dll
  • PswRdInfo64.dll

ADRecon

GetHash32/GetHash64

Figure 32. Pseudocode of the exported Entry function for the GetHash plugin
Figure 33. Buffer contents when running the plugin without SYSTEM permissions
Figure 34. Mimikatz output when running lsadump::sam without SYSTEM permissions
Figure 35. Buffer contents when running the plugin with SYSTEM permissions
Figure 36. Result of lsadump::sam command from mimikatz with SYSTEM permissions

GetPass32/GetPass64

Figure 37. Exportable Entry function pseudocode
Figure 38. Result of the sekurlsa::logonpasswords command

powerkatz_full32/powerkatz_full64

powerkatz_short32/powerkatz_short64

  • kuhl_m_acr_clean;
  • kuhl_m_busylight_clean;
  • kuhl_m_c_rpc_clean;
  • kuhl_m_c_rpc_init;
  • kuhl_m_c_service_clean;
  • kuhl_m_crypto_clean;
  • kuhl_m_crypto_init;
  • kuhl_m_kerberos_clean;
  • kuhl_m_kerberos_init;
  • kuhl_m_vault_clean;
  • kuhl_m_vault_init;
  • kull_m_busylight_devices_get;
  • kull_m_busylight_keepAliveThread.

PswInfoGrabber32.dll/PswInfoGrabber64.dll

  • browser history from Firefox, Google Chrome, Microsoft Edge and Internet Explorer;
  • usernames and passwords stored in the listed browsers;
  • email accounts from Microsoft Outlook and Mozilla Thunderbird.
Figure 39. Dynamic retrieval of function addresses from nss3.dll library

PswRdInfo64.dll

if (WTSQuerySessionInformationW(0i64, SessionId, WTSUserName, &vpSessionInformationUserName, &pBytesReturned)) // 0 = WTS_CURRENT_SERVER_HANDLE; WTSUserName requests the user name of session SessionId

Conclusion

IoC

108.61.148.97
136.244.81.250
185.33.84.43
195.123.214.181
31.192.108.133
45.133.203.121

BI.ZONE: an expert in digital risks management. We help organizations around the world to develop their businesses safely in the digital age
