430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

LilithBot Malware, a new MaaS offered by the Eternity Group

Researchers linked the threat actor behind the Eternity malware-as-a-service (MaaS) to a new malware strain called LilithBot. Zscaler researchers linked a recently discovered sample of a new malware called LilithBot to the Eternity group (aka EternityTeam; Eternity Project). The Eternity group operates a homonymous malware-as-a-service (MaaS), it is linked to the Russian “Jester Group,” which is […]

Eternity Project malware

Researchers linked the threat actor behind the Eternity malware-as-a-service (MaaS) to a new malware strain called LilithBot.

Zscaler researchers linked a recently discovered sample of a new malware called LilithBot to the Eternity group (aka EternityTeam; Eternity Project). The Eternity group operates a homonymous malware-as-a-service (MaaS), it is linked to the Russian “Jester Group,” which is active since at least January 2022.

In May, researchers at cybersecurity firm Cyble analyzed a Tor website named named ‘Eternity Project’ that offers for sale a broad range of malware, including stealers, miners, ransomware, and DDoS Bots.

The experts discovered the marketplace during a routine investigation, they also discovered that its operators also have a Telegram channel with around 500 subscribers. The channel was used to share information about malware listings and updates.

Eternity Project malware

The operators behind the project allow their customers to customize the binary features through the Telegram channel.  

The operators sell the Stealer module for $260 as an annual subscription, it allows to steal a lot of sensitive information from infected systems, including passwords, cookies, credit cards, and crypto-wallets. Stolen data are exfiltrated via Telegram Bot.

The Eternity Miner module goes for $90 as an annual subscription, customers can customize it with their own Monero pool and AntiVM features. The Eternity operators also sells the clipper malware for $110, it monitors the clipboard for cryptocurrency wallets and replaces them with the wallet address of the attackers,

The Eternity Ransomware goes for $490 while the Eternity Worm is available for $390.

According to Cyble, the operators behind the Eternity Project are also developing a DDoS Bot malware borrowing code from the existing Github repository. The experts speculate that the Jester Stealer could also be rebranded from this particular Github project which indicates some links between the two Threat Actors.

“ThreatLabz recently discovered a sample of the multi-function malware LilithBot in our database. Further research revealed that this was associated with the Eternity group (a.k.a. EternityTeam; Eternity Project), a threat group linked to the Russian “Jester Group,” that has been active since at least January 2022.” reads the report published by Zscaler. “Eternity uses an as-a-service subscription model to distribute different Eternity-branded malware modules in underground forums, including a stealer, miner, botnet, ransomware, worm+dropper, and DDoS bot.” 

LilithBot is an advanced malware distributed by the Eternity group via a dedicated Telegram channel and can be purchased via Tor. It is a flexible threat that can be used as a miner, stealer, and clipper.

The threat actors are continuously enhancing the malware by adding new features, including as anti-debugging capabilities and anti-VM checks. 

LilithBot is able to steal all the information (browser history, cookies, pictures, and screenshots) from infected systems, then uploads itself as a zip file to Command and Control.

LilithBot is a multifunctional malware that is also offered through a MaaS model.

The report includes technical details about the threat and Indicators of Compromise (IOCs) along with MITRE ATT&CK.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, LilithBot)

[adrotate banner=”5″]

[adrotate banner=”13″]