Introduction
ThreatLabz recently discovered a sample of the multi-function malware LilithBot in our database. Further research revealed that it is associated with the Eternity group (a.k.a. EternityTeam or Eternity Project), a threat group linked to the Russian “Jester Group” that has been active since at least January 2022. Eternity uses an as-a-service subscription model to distribute Eternity-branded malware modules in underground forums, including a stealer, miner, botnet, ransomware, worm+dropper, and DDoS bot.
The LilithBot sample we discovered was being distributed through a dedicated Telegram group and a Tor link that provides one-stop shopping for these various payloads. In addition to its primary botnet functionality, it has built-in stealer, clipper, and miner capabilities. In this blog, we provide a deep analysis of the LilithBot campaign, including a look at several variants.
Key Features of this Attack
- Threat groups have been enhancing their capabilities and selling them as Malware-as-a-Service (MaaS) in exchange for a membership fee. One such cybercriminal group, dubbed “Eternity,” has been found selling the malware “LilithBot.”
- “LilithBot” is distributed by Eternity via a dedicated Telegram channel, from which buyers purchase it via Tor. It has advanced capabilities to be used as a miner, stealer, and clipper, along with its own persistence mechanisms.
- The group has been continuously enhancing the malware, adding improvements such as anti-debug and anti-VM checks.
- The malware registers itself on the system and decrypts itself step by step, dropping its configuration file.
- LilithBot stores fields such as the license key, encoding key, and GUID encrypted with AES and decrypts them at runtime.
- It collects the stolen information and uploads it as a zip file to its command-and-control server.
Summary
In July 2022, Zscaler’s ThreatLabz threat research team identified a multifunctional malware bot known as LilithBot, sold on a subscription basis by the Eternity group. In this campaign, the threat actor registers the victim machine on its botnet and steals files and user information, uploading them to a command-and-control (C2) server over the Tor network. The malware uses fake certificates to bypass detections and acts as a stealer, miner, clipper, and botnet.
In this blog, ThreatLabz will explain various aspects of the LilithBot threat campaign.
About Eternity
Eternity Project is a malware toolkit sold as malware-as-a-service (MaaS). The malware is distributed via Tor. Eternity advertises via a dedicated Telegram channel named @EternityDeveloper and has the email address eternity@onionmail[.]org. They offer the following types of services:
- Stealer
- Miner
- Clipper
- Ransomware
- Worm+Dropper
- DDoS Bot
Eternity usually operates via Telegram and accepts payments through popular cryptocurrencies including BTC, ETH, XMR, USDT, LTC, DASH, ZEC and DOGE.
They provide customized viruses and will create viruses with add-on features if the customer desires. The price of the malware ranges from $90 to $470 USD.
The below screenshot of the Eternity Telegram channel illustrates the regular updates and enhancements the group makes to their products.
Fig 1. Eternity Telegram Channel
The Telegram channel is dubbed “Eternity Channel.” Basic account details are shown below.
Fig 2. Telegram Home Page
The Eternity group regularly directs clients to their dedicated Tor link, in which their various malware and their features are laid out in detail.
Fig 3. Tor link mentioned in Telegram
The Tor link leads to the below homepage, which explains the various products and modules available for purchase.
Fig 4. Tor site for Eternity group
The highest priced product for sale is their Ransomware, described in the below screenshot. The ransomware encrypts documents and files of the targeted user. The Tor page includes a dedicated video on how to generate the ransomware payload.
Fig 5. Features of payloads
In summary, Eternity has a very user-friendly service that is:
- Easy to purchase and operate via Tor, with a wide range of popular crypto currencies accepted for payment.
- Customizable to fit clients’ specific needs.
- Regularly updated at no additional charge. They also offer many add-on discounts and referral rewards to their customers.
Comparison Between Two Variants
As the LilithBot malware has evolved, we have observed slight differences in the main function of different releases.
Several commands that were present in earlier variants are not present in the newest variant that we have received. These functions include:
- Checking for the presence of various DLLs by iterating through an ArrayList and returning a Boolean value. The DLLs in question belong to sandboxing and antivirus software such as Sandboxie, 360 Total Security, Avast, and COMODO.
- Querying the WMI class Win32_PortConnector, which represents physical connection ports such as DB-25 pin male, Centronics, or PS/2. The presence of such ports suggests the malware is running on a physical machine rather than a virtual machine.
Fig 6. Comparison between variants
It is likely that the group is still performing these functions, but doing so in more sophisticated ways: such as performing it dynamically, encrypting the functions like other regions of code, or using other advanced tactics.
Technical Analysis
The entry point starts with registration of the bot. The malware first checks for a mutex named “8928a2d3-173b-43cb-8837-0e2e88b6d3b1” and subsequently checks for a copy of itself in the Startup folder.
If the file does not exist, it copies itself into the Startup folder. The function StartupFilename checks whether the filename already carries an “.exe”, “.com” or “.scr” extension; if not, it appends “.exe” to the filename and uses that name in the Startup path.
Fig 7. Mutex Creation
Fig 8. Checks Startup Files
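The persistence mechanism described above gives defenders a concrete place to hunt: the per-user Startup folder, executables with the three extensions the malware accepts, and the MD5 hashes from the IoC table at the end of this post. The following script is an added example (not ThreatLabz tooling) that walks a Startup folder, hashes every file with one of those extensions and reports matches against the known hashes. The Startup path under %APPDATA% and the sample directory builder are assumptions made for the example; the hash list is taken from the IoC table.

```python
"""Hunt a Startup folder for executables matching known LilithBot hashes.

Added example, not ThreatLabz code. Assumes the standard per-user Startup
folder layout under %APPDATA% on Windows; any directory can be passed in so
the scan can also be exercised offline on a constructed sample directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 hashes listed in the report's IoC table.
LILITHBOT_MD5 = {
    "0ebe8de305581c9eca37e53a46d033c8",
    "1cae8559447370016ff20da8f717db53",
    "e793fcd5e44422313ec70599078adbdc",
    "65c0241109562662f4398cff77499b25",
}

# Extensions the report says StartupFilename accepts for the dropped copy.
STARTUP_EXTENSIONS = {".exe", ".com", ".scr"}


def default_startup_dir() -> Path:
    """Per-user Startup folder on Windows (assumed %APPDATA% layout)."""
    appdata = os.environ.get("APPDATA", "")
    return Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def md5_of_file(path: Path) -> str:
    """Stream the file through MD5 so large binaries do not need to fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_startup_dir(directory, known_hashes=LILITHBOT_MD5):
    """Return (executables, matches).

    executables: every (name, md5) with a Startup-relevant extension, sorted by name.
    matches:     the subset whose MD5 appears in known_hashes.
    A missing directory yields two empty lists rather than an exception.
    """
    directory = Path(directory)
    executables, matches = [], []
    if not directory.is_dir():
        return executables, matches
    for entry in sorted(directory.iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in STARTUP_EXTENSIONS:
            continue
        digest = md5_of_file(entry)
        executables.append((entry.name, digest))
        if digest in known_hashes:
            matches.append((entry.name, digest))
    return executables, matches


def build_sample_startup_dir() -> Path:
    """Constructed sample directory for offline demonstration: one empty .scr,
    one small .exe and a text file that must be ignored."""
    root = Path(tempfile.mkdtemp(prefix="startup_sample_"))
    (root / "empty.scr").write_bytes(b"")
    (root / "tool.exe").write_bytes(b"hello")
    (root / "readme.txt").write_text("not an executable")
    return root


if __name__ == "__main__":
    target = default_startup_dir()
    if not target.is_dir():
        target = build_sample_startup_dir()
    found, hits = scan_startup_dir(target)
    for name, digest in found:
        tag = "KNOWN LILITHBOT" if (name, digest) in hits else "review"
        print(f"{digest}  {name}  [{tag}]")
```

A hash match is conclusive only for the four samples listed; anything else with one of these extensions in the Startup folder still deserves a look, which is why the scan returns the full list as well as the matches.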
The register-bot function treats the bot as successfully registered when the decrypted response data contains the string “registered successfully” in the checked array value, as shown in the image below.
Fig 9. Steals User Information
Fig 10. Registered Successfully
The Initialize function extracts the values of the different fields in the config file, as shown below. After decrypting the AES cipher, all the important fields of the config file are visible. The following fields are present inside the config file:
{
  "Lilith": {
    "CommandsCheckInterval": 14
  },
  "BotKiller": {
    "Enabled": false
  },
  "Stealer": {
    "Enabled": true
  },
  "Clipper": {
    "Enabled": true,
    "Addresses": {
      "XMR": "493eic71yTX23KnxuC1FimhkW5kEv1G2aMcE1spdBYot5BLo2ZdDbUcPCLdXMQPgLpgkNxLH4FWDRLjcdxmvG6ba4D8saKg",
      "BTC": "bc1qd8e4maz97mv23slmgg7d4je2mydslkl5m56vdz",
      "ETH": "0xFf7f57a2c7952fD9550A5E0FE53d4F104886403A"
    }
  },
  "Miner": {
    "Enabled": false,
    "Pool": "pool.minexmr.com:4444",
    "Wallet": "493eic71yTX23KnxuC1FimhkW5kEv1G2aMcE1spdBYot5BLo2ZdDbUcPCLdXMQPgLpgkNxLH4FWDRLjcdxmvG6ba4D8saKg",
    "Password": "x",
    "MaxCPU": "40"
  }
}
Fig 11. Decrypted Config File Found in memory
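Once the config has been decrypted, the useful work for a responder is pulling out what it tells you: which modules are switched on, the attacker-controlled wallet addresses the clipper swaps in, and the mining pool, which is a network indicator in its own right. The script below is an added example (not ThreatLabz tooling) that parses the decrypted config shown above. It also copes with the brace-less fragment form seen in the memory dump, and applies ordinary address-format checks for the three coin types; those regexes are the example's own sanity checks, not something the report describes.

```python
"""Extract triage indicators from a decrypted LilithBot configuration.

Added example, not ThreatLabz tooling. SAMPLE_CONFIG is the config shown in
the report, wrapped in outer braces so it parses as JSON. The address-format
patterns are generic sanity checks added for the example.
"""
import json
import re

SAMPLE_CONFIG = r'''{
  "Lilith": {"CommandsCheckInterval": 14},
  "BotKiller": {"Enabled": false},
  "Stealer": {"Enabled": true},
  "Clipper": {
    "Enabled": true,
    "Addresses": {
      "XMR": "493eic71yTX23KnxuC1FimhkW5kEv1G2aMcE1spdBYot5BLo2ZdDbUcPCLdXMQPgLpgkNxLH4FWDRLjcdxmvG6ba4D8saKg",
      "BTC": "bc1qd8e4maz97mv23slmgg7d4je2mydslkl5m56vdz",
      "ETH": "0xFf7f57a2c7952fD9550A5E0FE53d4F104886403A"
    }
  },
  "Miner": {
    "Enabled": false,
    "Pool": "pool.minexmr.com:4444",
    "Wallet": "493eic71yTX23KnxuC1FimhkW5kEv1G2aMcE1spdBYot5BLo2ZdDbUcPCLdXMQPgLpgkNxLH4FWDRLjcdxmvG6ba4D8saKg",
    "Password": "x",
    "MaxCPU": "40"
  }
}'''

# Loose shape checks so a mangled or truncated address is noticed during triage.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$"),
}

MODULES = ("BotKiller", "Stealer", "Clipper", "Miner")


def load_config(text: str) -> dict:
    """Parse the decrypted config; if it is the brace-less fragment seen in
    memory, wrap it in an object before parsing."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return json.loads("{" + text + "}")


def extract_indicators(text: str) -> dict:
    """Summarise enabled modules, clipper wallets, miner settings and the
    network indicator (pool host) contained in the config."""
    cfg = load_config(text)
    enabled = [m for m in MODULES if cfg.get(m, {}).get("Enabled") is True]

    clipper = {}
    for coin, addr in cfg.get("Clipper", {}).get("Addresses", {}).items():
        pattern = ADDRESS_PATTERNS.get(coin)
        clipper[coin] = {
            "address": addr,
            "format_ok": bool(pattern and pattern.match(addr)),
        }

    miner = cfg.get("Miner", {})
    pool = miner.get("Pool", "")
    pool_host = pool.split(":")[0] if pool else ""

    return {
        "check_interval": cfg.get("Lilith", {}).get("CommandsCheckInterval"),
        "enabled_modules": enabled,
        "clipper": clipper,
        "miner": {
            "enabled": miner.get("Enabled"),
            "pool": pool or None,
            "wallet": miner.get("Wallet"),
            "max_cpu": miner.get("MaxCPU"),
        },
        "network_iocs": [pool_host] if pool_host else [],
    }


if __name__ == "__main__":
    print(json.dumps(extract_indicators(SAMPLE_CONFIG), indent=2))
```

The miner being disabled while its pool and wallet are still populated is worth noting: the config carries indicators for modules that are not currently active, so the pool hostname belongs on a watchlist even when no mining has been observed.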
We also came across a function that confirms the malware uses its own decryption routine, so the protected strings cannot simply be decoded by hand.
All encrypted data passes through the function “DecryptBytesToString”, so a breakpoint on it reveals every decrypted value during dynamic analysis.
We can see that the C2 server has the IP address 77.73.133[.]12 and port 4545, with the API path gate/, which expects two format arguments, {0} and {1}. The key and data are stored inside a hex array that is visible in the memory dump.
We can decrypt the encoded key which translates to the value c4d8c7f433c1e79afe4eff3a4b05c7c9.
We also observed a license key field which has the value 59BE0ABAF3BC570D8F6F88A597C64B85. This is the decrypting function; the below image shows the decrypted text for the corresponding values.
Fig 12. Decrypted License Key and Encoded Key
The sample also defines a function that retrieves the response body. If the response is not null, it checks that both the C2 server and the target’s network are online, and then generates the GET request after checking a few permissions.
The malware further checks whether the hostname contains an onion domain. After checking the permissions, it downloads the Tor bundle and connects to the IP. The Upload File function takes the hostname together with the client, the name of the file, and the directory as parameters.
Fig 13. Checks if bot is online or offline
Network Artifacts
LilithBot makes three requests to the host 77.73.133[.]12 on port 4545. The user agent reveals the connection between the malware and LilithBot.
The first request registers the bot with the /registerBot API, with the mutex name prepended.
Fig 14. Sends Request to Register Bot
The second request is an API call that downloads the file contents according to the plugin settings file ‘admin_settings_plugin.json’.
Fig 15. Requests plugin settings
A further request uploads a ZIP file named “report.zip” with the dir parameter set to ‘Stealer’. The zip file contains multiple directories holding information typical of a stealer, including browser history, cookies, and personal data such as pictures stored in the C:\Users\[user]\Pictures folder, and much more.
Fig 16. Uploads report file
Fig 17. Contents inside Report.zip
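The three requests above form a compact traffic signature: a registration call carrying the mutex name, a fetch of admin_settings_plugin.json, and an upload of report.zip with dir=Stealer, all to the C2 host on port 4545. The script below is an added example (not ThreatLabz tooling) that runs these checks over proxy log lines. The tab-separated log layout, the constructed sample lines and the assumption that the user-agent string literally contains “LilithBot” are the example's own; the C2 addresses, port, paths and parameters come from this post.

```python
"""Flag proxy-log lines matching the LilithBot C2 traffic described in the post.

Added example, not ThreatLabz tooling. Log layout is a constructed assumption:
one request per line, tab-separated fields
  timestamp, client_ip, dest_host:port, method, path_with_query, user_agent
The exact user-agent text is also assumed; hosts, port, paths and parameters
are taken from the post.
"""
from urllib.parse import parse_qs, urlsplit

# C2 addresses from the IoC table and the port seen in the network artifacts.
C2_HOSTS = {"77.73.133.12", "45.9.148.203", "91.243.59.210", "195.2.71.214"}
C2_PORT = "4545"
MUTEX = "8928a2d3-173b-43cb-8837-0e2e88b6d3b1"

# Constructed sample log: three LilithBot requests and one benign request.
SAMPLE_LOG = (
    "2022-07-12T10:01:03Z\t10.0.0.7\t77.73.133.12:4545\tGET\t"
    "/8928a2d3-173b-43cb-8837-0e2e88b6d3b1/registerBot\tLilithBot\n"
    "2022-07-12T10:01:05Z\t10.0.0.7\t77.73.133.12:4545\tGET\t"
    "/admin_settings_plugin.json\tLilithBot\n"
    "2022-07-12T10:02:40Z\t10.0.0.7\t77.73.133.12:4545\tPOST\t"
    "/upload?dir=Stealer&name=report.zip\tLilithBot\n"
    "2022-07-12T10:02:41Z\t10.0.0.8\tupdate.example.org:443\tGET\t"
    "/feed.xml\tMozilla/5.0\n"
)


def classify_request(dest: str, path: str, user_agent: str) -> list:
    """Return the list of LilithBot indicators a single request matches."""
    reasons = []
    host, _, port = dest.partition(":")
    parts = urlsplit(path)
    query = parse_qs(parts.query)
    lower_path = parts.path.lower()

    if host in C2_HOSTS:
        reasons.append("known C2 host" + (" on port 4545" if port == C2_PORT else ""))
    if "registerbot" in lower_path:
        reasons.append("bot registration (/registerBot)")
        if MUTEX in path:
            reasons.append("LilithBot mutex name in request")
    if "admin_settings_plugin.json" in lower_path:
        reasons.append("plugin settings download")
    if "report.zip" in path.lower() and query.get("dir") == ["Stealer"]:
        reasons.append("stealer report upload")
    if "lilithbot" in user_agent.lower():
        reasons.append("LilithBot user agent (assumed string)")
    return reasons


def flag_lilithbot_requests(lines) -> list:
    """Return [(line_number, reasons)] for every line that matches at least one
    indicator; malformed lines are skipped rather than raising."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 6:
            continue
        _, _, dest, _, path, user_agent = fields
        reasons = classify_request(dest, path, user_agent)
        if reasons:
            hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    for number, reasons in flag_lilithbot_requests(SAMPLE_LOG.splitlines()):
        print(f"line {number}: " + "; ".join(reasons))
```

The host match alone is enough to act on today, but IP addresses rotate; the path and parameter checks are the part of the logic that survives a C2 move, so keep both.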
Fake Certificates
A legitimate Microsoft-signed file is issued by the “Microsoft Code Signing PCA” certificate authority and also carries a countersignature from Verisign. The fake certificates in LilithBot, however, have no countersignature and appear to have been issued by “Microsoft Code Signing PCA 2011,” yet the signature does not verify.
Fig 18. Fake certificate issued by Microsoft
Sandbox Report
Fig 19. Zscaler Sandbox report
Zscaler's multilayered cloud security platform detects indicators, as shown below:
MITRE ATT&CK
ID | Tactic | Technique
T1003 | Credential Access | OS Credential Dumping
T1552.002 | Credential Access | Credentials in Registry
T1114.002 | Collection | Remote Email Collection
T1005 | Collection | Data from Local System
T1204 | User Execution | User interaction
T1268 | Conduct social engineering | Uses social engineering to install payload
T1222 | Defense Evasion | File Directory Permissions Modification
T1027 | Defense Evasion | Obfuscated Files or Information
T1016 | Discovery | System Network Configuration Discovery
T1012 | Discovery | Query Registry
T1018 | Discovery | Remote System Discovery
T1057 | Discovery | Process Discovery
T1047 | Execution | Windows Management Instrumentation
T1059 | Execution | Command and Scripting Interpreter
T1037.005 | Persistence, Privilege Escalation | Startup Items
T1071 | Command and Control | Application Layer Protocol
Indicators of Compromise (IOCs)
Indicator (MD5 / IP) | Description
0ebe8de305581c9eca37e53a46d033c8 | Executable using Microsoft-signed certificate
1cae8559447370016ff20da8f717db53 | Executable using Microsoft-signed certificate
e793fcd5e44422313ec70599078adbdc | Executable file
65c0241109562662f4398cff77499b25 | DLL file using Microsoft-signed certificate
77.73.133.12 | C&C
45.9.148.203 | C&C
91.243.59.210 | C&C
195.2.71.214 | C&C