LilithBot, the newest multi-function malware in the wild

October 12, 2022
LilithBot Multifunction Malware MaaS Telegram Infostealer Trojan

Threat actors have launched a new multipurpose cybercrime service called LilithBot that serves both amateur hackers and advanced persistent threat groups. The same threat actors previously distributed the Eternity Project, which became a well-known Malware-as-a-Service (MaaS).

However, the threat actors have since launched LilithBot as a new multi-function malware to replace Eternity, and the Eternity group has since joined as an affiliate of the Russian Jester threat group.

The LilithBot malware is exclusive to Telegram.

According to researchers, the LilithBot malware is distributed through a specially developed Telegram channel, which anyone can acquire through a Tor download. Moreover, the researchers stated that the LilithBot malware could execute several tasks, such as stealing, mining, and clipping.

The malware also has an advanced persistence mechanism suited to more sophisticated campaigns. In addition, it registers itself on the system and decrypts itself layer by layer before launching its configuration file.

LilithBot uses multiple field types, such as a license key, an encoding key, and an AES-encrypted GUID. It can then steal all contents and details from a targeted entity and upload itself as a ZIP file to an attacker-controlled command-and-control server.

As of now, researchers have observed two strains of the malware with slight alterations and modifications between them. The most recent variant does not include several functions found in the older variant.

One capability of the older variant that is absent from the latest LilithBot variant is its check for DLLs belonging to security and virtualization software such as COMODO antivirus, Avast, 360 Total Security, and Sandboxie.

Another capability only the previous version has is a check of the Win32_PortConnector WMI class, which the malware uses to confirm that it is running on a physical device rather than a virtual machine.

Unfortunately, experts believe that the threat actor still uses these capabilities, particularly in more advanced techniques such as dynamic checking and encryption.

The authors are constantly improving this versatile malware and have also equipped its payloads with anti-debugging tools and anti-VM checks. LilithBot's most notable features are stealing screenshots, photos, cookies, and browser history.
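The anti-analysis checks described above (the Win32_PortConnector lookup and the search for DLLs of AV and sandbox products) leave recognisable strings in an unpacked sample. The following added example, which is not LilithBot's code and not the researchers' detection logic, is a small triage heuristic that scans a binary for those indicator strings in both ASCII and UTF-16LE form (Windows and .NET binaries commonly store strings as UTF-16LE) and reports which categories are present. The indicator names are taken from this article; the two sample byte strings are constructed stand-ins for the old and new variants, and the function names are hypothetical.

```python
"""Triage heuristic: flag anti-analysis indicator strings named in the write-up.

Added example, not LilithBot's code and not the researchers' detection logic.
Indicator names come from the article; the sample bytes below are constructed.
"""

# Indicator strings the article attributes to the older LilithBot variant:
# a WMI Win32_PortConnector check and the names of AV/sandbox products whose
# DLLs the malware looked for.
INDICATORS = {
    "wmi_portconnector": ["Win32_PortConnector"],
    "av_sandbox_products": ["Sandboxie", "Avast", "COMODO", "360 Total Security"],
}


def _encodings(s: str) -> list[bytes]:
    """Return the byte forms to search for: plain ASCII and UTF-16LE."""
    return [s.encode("ascii"), s.encode("utf-16-le")]


def find_indicators(sample: bytes) -> dict[str, list[str]]:
    """Map each indicator category to the strings found in the sample.

    Matching is case-insensitive; bytes.lower() only folds ASCII letters, so
    the NUL bytes of UTF-16LE strings are left untouched and still match.
    """
    lowered = sample.lower()
    hits: dict[str, list[str]] = {}
    for category, names in INDICATORS.items():
        matched = [
            name
            for name in names
            if any(enc.lower() in lowered for enc in _encodings(name))
        ]
        if matched:
            hits[category] = matched
    return hits


def triage_verdict(sample: bytes) -> str:
    """Summarise the hits into a verdict an analyst can act on."""
    hits = find_indicators(sample)
    if "wmi_portconnector" in hits and "av_sandbox_products" in hits:
        return "suspicious: VM check plus AV/sandbox product lookup"
    if hits:
        return "review: partial anti-analysis indicators"
    return "no indicators"


# Constructed stand-ins (not real samples): the first mimics an unpacked
# old-style variant with a UTF-16LE WMI query and ASCII product names, the
# second mimics the newer variant that dropped those checks.
SAMPLE_OLD_STYLE = (
    b"MZ\x90\x00padding"
    + "SELECT * FROM Win32_PortConnector".encode("utf-16-le")
    + b"\x00\x00Sandboxie avast license_key"
)
SAMPLE_NEW_STYLE = b"MZ\x90\x00padding config license_key encoding_key"

if __name__ == "__main__":
    for label, sample in (("old", SAMPLE_OLD_STYLE), ("new", SAMPLE_NEW_STYLE)):
        print(label, triage_verdict(sample), find_indicators(sample))
```

Because LilithBot decrypts itself layer by layer, a string scan like this only sees the indicators once the outer layers have been removed; run it over an unpacked stage or a process memory dump rather than the packed file, and treat a hit as a reason for deeper analysis, not as a signature on its own.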

Researchers have already published several IOCs that can help defenders detect the threat on the systems they manage, along with proper methods for stopping this multi-function malware.
