{
	"id": "a7d98958-f96c-438b-bc90-6978a3592052",
	"created_at": "2026-04-06T00:13:04.139934Z",
	"updated_at": "2026-04-10T03:35:52.973094Z",
	"deleted_at": null,
	"sha1_hash": "25f76af6c8d919c23e9945a3cfd475d4318decca",
	"title": "From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s…",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8155409,
	"plain_text": "From pentest to APT attack: cybercriminal group FIN7 disguises\r\nits malware as an ethical hacker’s…\r\nBy BI.ZONE\r\nPublished: 2021-05-13 · Archived: 2026-04-05 17:31:57 UTC\r\nThe article was prepared by the BI.ZONE Cyber Threats Research Team\r\nThis is not the first time we have come across a cybercriminal group that pretends to be a legitimate organisation and disguises its malware as a security analysis tool. Such groups hire employees who are not even aware that they are working with real malware or that their employer is a real criminal group.\r\nOne such group is the infamous FIN7, known for its APT attacks on organisations around the globe. Recently they developed Lizar (formerly known as Tirion), a toolkit for reconnaissance and gaining a foothold inside infected systems. Disguised as a legitimate cybersecurity company, the group distributes Lizar as a pentesting tool for Windows networks. This caught our attention, and in this article we share the results of our research.\r\nA few words about FIN7\r\nThe APT group FIN7 was presumably founded back in 2013, but we will focus on its activities from 2020 onwards: that is when the group shifted its focus to ransomware attacks.\r\nFIN7 compiled a list of victims by filtering companies by revenue using the ZoomInfo service. 
In 2020–2021, we saw attacks on an IT company headquartered in Germany, a key financial institution in Panama, a gambling establishment, and several educational institutions and pharmaceutical companies in the US.\r\nFor quite some time, FIN7 members have been using the Carbanak backdoor toolkit for reconnaissance and to gain a foothold on infected systems; you can read about it in the series on FireEye’s blog (posts: 1, 2, 3, 4).\r\nWe repeatedly observed the attackers attempting to masquerade as Check Point Software Technologies and Forcepoint. An example of this can be seen in the interface of Carbanak backdoor version 3.7.4, which references Check Point Software Technologies (Fig. 1).\r\nhttps://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319\r\nPage 1 of 33\n\nFigure 1. Carbanak backdoor version 3.7.4 interface\r\nA new malware package, Lizar, was recently released by the criminals. A report on Lizar version 1.6.4 was previously published online, so we decided to investigate the functionality of the newer version, 2.0.4 (compile date and time: Fri Jan 29 03:27:43 2021), which we discovered in February 2021.\r\nLizar toolkit architecture\r\nThe Lizar toolkit is structurally similar to Carbanak. The components we found are listed in Table 1.\r\nThe Lizar loader and Lizar plugins run on an infected system and can logically be combined into the Lizar bot component.\r\nFigure 2 shows how Lizar’s tools function and interact.\r\nFigure 2. 
Schematic of the Lizar toolkit operation\r\nLizar client\r\nThe Lizar client consists of the following components:\r\nclient.ini.xml — XML configuration file;\r\nclient.exe — the client’s main executable;\r\nlibwebp_x64.dll — 64-bit version of the libwebp library;\r\nlibwebp_x86.dll — 32-bit version of the libwebp library;\r\nkeys — a directory with the keys for encrypting traffic between the client and the server;\r\nplugins/extra — plugin directory (in practice only some plugins are present in this directory; the rest are located on the server);\r\nrat — directory with the public key from Carbanak (this component was added in the latest version of Lizar).\r\nThe content and description of the configuration file are given in Table 2.\r\nTable 3 shows the characteristics of the discovered client.exe file.\r\nFigure 3 is a screenshot of the interface of the latest client version we discovered.\r\nFigure 3. Lizar client version 2.0.4 interface\r\nThe client supports several bot commands. The way they look in the GUI can be seen in Fig. 4.\r\nFigure 4. List of commands supported by the Lizar client\r\nThis is what each of the commands does:\r\nInfo — retrieve information about the system. The plugin for this command is located on the server. When a result is received from the plugin, the information is logged in the Info column.\r\nKill — stop the plugin.\r\nPeriod — change the response frequency (Fig. 5).\r\nFigure 5. Period command in the Lizar client GUI\r\nScreenshot — take a screenshot (Fig. 6). 
The plugin for this command is located on the server. Once a screenshot is taken, it is displayed in a separate window.\r\nFigure 6. Screenshot command in the Lizar client GUI\r\nList Processes — get a list of processes (Fig. 7). The plugin for this command is located on the server. If the plugin succeeds, the list of processes appears in a separate window.\r\nFigure 7. List Processes command in the Lizar client GUI\r\nCommand Line — get a CMD shell on the infected system. The plugin for this command is located on the server. If the plugin executes the command successfully, the result appears in a separate window.\r\nExecuter — launch an additional module (Fig. 8).\r\nFigure 8. Executer command in the Lizar client GUI\r\nJump to — migrate the loader to another process. The plugin for this command is located on the server. The command parameters are passed through the client.ini.xml file.\r\nNew session — create another loader session (run a copy of the loader on the infected system).\r\nMimikatz — run Mimikatz.\r\nGrabber — run one of the plugins that collect passwords from browsers and the OS. The Grabber tab has two buttons: Passwords + Screens and RDP (Fig. 9). Activating either of them sends a command to start the corresponding plugin.\r\nFigure 9. 
Grabber command in the Lizar client GUI\r\nNetwork analysis — run one of the plugins to retrieve Active Directory and network information (Fig. 10).\r\nFigure 10. Network analysis command in the Lizar client GUI\r\nRat — run the Carbanak RAT. The IP address and port of the server and admin panel are set via the client.ini.xml configuration file (Fig. 11).\r\nFigure 11. Rat command in the Lizar client GUI\r\nWe skipped the Company computers command in the general list: it does not have a handler yet, so we cannot determine exactly what it does.\r\nLizar server\r\nThe Lizar server application, like the Lizar client, is written using the .NET Framework. However, unlike the client, the server runs on a remote Linux host.\r\nDate and time of the last detected server version compilation: Fri Feb 19 16:16:25 2021.\r\nThe application is run using Wine with the pre-installed Wine Mono (wine-mono-5.0.0-x86.msi).\r\nThe server application directory includes the following components:\r\nclient/keys — directory with encryption keys for communication with the client;\r\nloader/keys — directory with encryption keys for communication with the loader;\r\nlogs — directory with server logs (client-traffic, error, info);\r\nplugins — plugin directory;\r\nThirdScripts — directory with the ps2x.py script and the ps2p.py helper module. The ps2x.py script is designed to execute files on a remote host and is implemented using the Impacket project. 
Command templates for this script are displayed in the client application when the appropriate option is selected. The full list of arguments supported by the script is given in the original article.\r\nx64 — directory containing the SQLite.interop.dll auxiliary library (64-bit version).\r\nx86 — directory containing the SQLite.interop.dll auxiliary library (32-bit version).\r\nAV.lst — a CSV file containing the name of the process associated with an antivirus product, and the name and description of that product (a few sample lines are reproduced in the original article).\r\ndata.db — a database file containing information on all loaders (this information is loaded into the client application).\r\nserver.exe — server application.\r\nserver.ini.xml — server application configuration file (example contents are given in the original article).\r\nSystem.Data.SQLite.dll — auxiliary library.\r\nCommunication between client and server\r\nBefore being sent to the server, data is encrypted first with a session key of 5 to 15 bytes and then with the 31-byte key specified in the configuration (the encryption function itself is shown in the original article as an image).\r\nIf the 31-byte key specified in the configuration does not match the key on the server, the server sends no data.\r\nTo let the server verify the key, the client sends a checksum of the key, calculated by the algorithm shown in the original article.\r\nData received from the server is decrypted with the same pair of keys: the session key (5 to 15 bytes) and the 31-byte configuration key.\r\nThe client and the server exchange data in binary format. The decrypted data is a list of bots (Fig. 
12).\r\nFigure 12. Example of decrypted data transmitted from server to client\r\nLizar loader\r\nThe Lizar loader is designed to execute commands by running plugins, and to run additional modules. It runs on the infected computer.\r\nAs already mentioned, the Lizar loader and Lizar plugins run on the infected system and can logically be combined into the Lizar bot component. The bot’s modular architecture makes the tool scalable and allows for independent development of all components.\r\nWe have detected three kinds of bots: DLLs, EXEs and PowerShell scripts, the last of which execute a DLL in the address space of the PowerShell process.\r\nThe pseudocode of the main loader function, along with the reconstructed function structure, is shown in Fig. 13.\r\nFigure 13. Loader’s main function pseudocode\r\nThe following are some of the actions the x_Init function performs:\r\n1. Generate a random key g_ConfigKey31 using the function SystemFunction036 (RtlGenRandom). This key is used to encrypt and decrypt the configuration data.\r\n2. Obtain system information and calculate a checksum from the information received (Fig. 14).\r\nFigure 14. Pseudocode for retrieving system information and calculating its checksum\r\n3. Retrieve the current process ID (the checksum and PID of the loader process are displayed in the Id column in the client application).\r\n4. 
Calculate a checksum from the previously received checksum and the current process ID (labelled g_BotId in Figure 13).\r\n5. Decrypt the configuration data: a list of IP addresses and a list of ports for each server. The configuration data is decrypted with the 31-byte g_LoaderKey using XOR. After decryption, the data is re-encrypted with g_ConfigKey31, again using XOR. The g_LoaderKey is also used when encrypting data sent to the server and when decrypting data received from the server.\r\n6. Initialise global variables and critical sections for some variables. This is needed to access data from different threads.\r\n7. Initialise executable memory for plugin execution.\r\n8. Launch five threads which process the queue of messages from the server. This mechanism is implemented using the PostQueuedCompletionStatus and GetQueuedCompletionStatus functions. Data received from the server is decrypted and sent to the handler (Fig. 15).\r\nFigure 15. Pseudocode of the algorithm for decrypting data received from the server and sending it for processing\r\nThe handler accepts data using the GetQueuedCompletionStatus function.\r\nThe vServerData→ServerData variable contains the plugin body after decryption (see Fig. 15 again). The pseudocode of the algorithm for decrypting data received from the server is shown in Fig. 16.\r\nFigure 16. Pseudocode of the algorithm for decrypting data received from the server\r\nBefore being sent to the server, the data structure is shaped as shown in Fig. 17.\r\nFigure 17. 
Pseudocode of the function that generates the structure sent to the server\r\nPlugins from the plugins directory\r\nThe plugins in the plugins directory are sent from the server to the loader and are executed by the loader when a certain action is performed in the Lizar client application.\r\nThe six stages of the plugins’ lifecycle:\r\n1. The user selects a command in the Lizar client application interface.\r\n2. The Lizar server receives the information about the selected command.\r\n3. Depending on the command and the loader bitness, the server finds a suitable plugin in the plugins directory, then sends the loader a request containing the command and the body of the plugin (e.g., Screenshot{bitness}.dll).\r\n4. The loader executes the plugin and stores the result of the plugin’s execution in a specially allocated area of memory on the heap.\r\n5. The server retrieves the results of plugin execution and sends them on to the client.\r\n6. 
The client application displays the plugin results.\r\nA full list of plugins (32-bit and 64-bit DLLs) in the plugins directory:\r\nCommandLine32.dll\r\nCommandLine64.dll\r\nExecuter32.dll\r\nExecuter64.dll\r\nGrabber32.dll\r\nGrabber64.dll\r\nInfo32.dll\r\nInfo64.dll\r\nJumper32.dll\r\nJumper64.dll\r\nListProcess32.dll\r\nListProcess64.dll\r\nmimikatz32.dll\r\nmimikatz64.dll\r\nNetSession32.dll\r\nNetSession64.dll\r\nrat32.dll\r\nrat64.dll\r\nScreenshot32.dll\r\nScreenshot64.dll\r\nCommandLine32.dll/CommandLine64.dll\r\nThe plugin is designed to give the attackers access to the command line interface on an infected system.\r\nSending commands to the cmd.exe process and receiving the results is implemented via pipes (Fig. 18).\r\nFigure 18. CommandLine32.dll / CommandLine64.dll main function pseudocode\r\nExecuter32.dll/Executer64.dll\r\nExecuter32.dll / Executer64.dll launches additional components specified in the Lizar client application interface.\r\nThe plugin can run the following components:\r\nan EXE file from the %TEMP% directory;\r\na PowerShell script from the %TEMP% directory, which is run using the following command: {path to powershell.exe} -ex bypass -noprof -nolog -nonint -f {path to the PowerShell script};\r\na DLL in memory;\r\nshellcode.\r\nThe switches in that command are abbreviations of -ExecutionPolicy Bypass -NoProfile -NoLogo -NonInteractive -File: powershell.exe accepts any unambiguous prefix of a parameter name, so detection logic should resolve the abbreviations rather than match the exact spelling used here.\r\nThe plugin code that runs shellcode is shown in Fig. 19.\r\nFigure 19. 
Executer32.dll / Executer64.dll code running shellcode\r\nNote that the plugin file Executer64.dll contains the PDB path M:\\paal\\Lizar\\bin\\Release\\Plugins\\Executer64.pdb.\r\nGrabber32.dll/Grabber64.dll\r\nContrary to its name, this plugin has no grabber functionality of its own and is a typical PE loader. Although the attackers call it a grabber, the loaded PE file actually performs the functions of other tool types, such as a stealer.\r\nBoth versions of the plugin are used to load the client-side grabbers PswRdInfo64 and PswInfoGrabber64.\r\nInfo32.dll/Info64.dll\r\nThe plugin is designed to retrieve information about the infected system. It is executed by using the Info command in the Lizar client application. A data structure containing the OS version, user name and computer name is sent to the server.\r\nOn the server side, the received structure is converted to a special string (Fig. 20).\r\nFigure 20. Pseudocode snippet responsible for conversion of the received structure into a special string on the server\r\nJumper32.dll/Jumper64.dll\r\nThe plugin is designed to migrate the loader to the address space of another process. Injection parameters are set in the Lizar client configuration file. Note that this plugin can be used not only to inject the loader, but also to execute other PE files in the address space of the specified process.\r\nFigure 21 shows the main function of the plugin.\r\nFigure 21. 
Jumper32.dll / Jumper64.dll main function pseudocode\r\nFrom the pseudocode above we see that the loader can migrate to the address space of the specified process in three ways:\r\nby injecting into the process with a given PID;\r\nby creating a process with a given name and injecting into it;\r\nby creating a process with the same name as the current one and injecting into it.\r\nLet’s take a closer look at each method.\r\nAlgorithm for injection by process ID\r\n1. OpenProcess — the plugin obtains a handle to the process with the specified process identifier (PID).\r\n2. VirtualAllocEx + WriteProcessMemory — the plugin allocates memory in the virtual address space of the specified process and writes into it the contents to be executed afterwards.\r\n3. CreateRemoteThread — the plugin creates a thread in the specified process, with lpStartAddress pointing at the main function of the loader.\r\nIf CreateRemoteThread fails, the plugin falls back to the RtlCreateUserThread function (Fig. 22).\r\nFigure 22. Pseudocode for a function to create a thread in the virtual address space of the specified process\r\nInjection algorithm by executable file name\r\n1. The plugin finds the path to the system executable to be injected into. The location of this file depends on the bitness of the loader: a 64-bit file is located in the %SYSTEMROOT%\\System32 directory, a 32-bit one in %SYSTEMROOT%\\SysWOW64.\r\n2. 
The plugin creates a process for the received system executable and receives the identifier of the created process.\r\nDepending on the plugin parameters, there are two ways to implement this step:\r\nIf the appropriate flag is set in the structure passed to the plugin, the plugin creates the process in the security context of the explorer.exe process (Fig. 23).\r\nFigure 23. Running an executable in the security context of explorer.exe\r\nIf the flag is not set, the executable is started by calling the CreateProcessA function (Fig. 24).\r\nFigure 24. Calling CreateProcessA\r\n3. The plugin allocates memory in the virtual address space of the created process and writes into it the contents to be executed later (VirtualAllocEx + WriteProcessMemory).\r\n4. The plugin starts execution in the created process in one of the following ways, depending on the bitness of the process:\r\nin a 64-bit process, the function is started via the helper function shown in Fig. 25;\r\nFigure 25. Pseudocode of the algorithm for injecting into a 64-bit process\r\nin a 32-bit process, the function is started using the CreateRemoteThread and RtlCreateUserThread functions, which create a thread in the virtual address space of the specified process.\r\nAlgorithm for injection into a same-name process\r\n1. 
The plugin retrieves the path to the executable file of the process in whose address space it is running.\r\n2. The plugin launches this executable and injects the loader into the newly created process.\r\nThe pseudocode for this method is shown in Fig. 26.\r\nFigure 26. Pseudocode for Jumper32.dll / Jumper64.dll injecting into a same-name process\r\nListProcess32.dll/ListProcess64.dll\r\nThis plugin is designed to provide information on running processes (Fig. 27 and 28).\r\nFigure 27. Retrieving information about each active process\r\nFigure 28. Inserting the retrieved information to be sent to the server at a later time\r\nThe following can be retrieved for each process:\r\nprocess identifier;\r\npath to the executable file;\r\ninformation about the user running the process.\r\nmimikatz32.dll/mimikatz64.dll\r\nThe Mimikatz plugin is a wrapper for the client-side Powerkatz modules:\r\npowerkatz_full32.dll\r\npowerkatz_full64.dll\r\npowerkatz_short32.dll\r\npowerkatz_short64.dll\r\nNetSession32.dll/NetSession64.dll\r\nThe plugin is designed to retrieve information about all active network sessions on the infected server. 
For each session, the address of the host from which the connection is made can be retrieved, along with the name of the user who initiated the connection.\r\nThe pseudocode of the function that retrieves this information is shown in Fig. 29 and 30.\r\nFigure 29. Retrieving network session information using WinAPI functions\r\nFigure 30. Inserting the information retrieved by the plugin to be sent to the server\r\nrat32.dll/rat64.dll\r\nThe plugin is a simplified version of the Carbanak toolkit bot. As noted at the beginning of this article, this toolkit is heavily used by FIN7.\r\nScreenshot32.dll/Screenshot64.dll\r\nThe plugin takes a JPEG screenshot on the infected system. The part of the function used to save the resulting image to a stream is shown in Fig. 31.\r\nFigure 31. 
The part of the function used to save a screenshot taken by the plugin to the stream\r\nThe resulting stream is passed to the loader, which sends it to the server.\r\nPlugins from the plugins/extra directory\r\nPlugins from the plugins/extra directory are transferred from the client to the server, then from the server to the loader (on the infected system).\r\nList of files in the plugins/extra directory:\r\nADRecon.ps1\r\nGetHash32.dll\r\nGetHash64.dll\r\nGetPass32.dll\r\nGetPass64.dll\r\npowerkatz_full32.dll\r\npowerkatz_full64.dll\r\npowerkatz_short32.dll\r\npowerkatz_short64.dll\r\nPswInfoGrabber32.dll\r\nPswInfoGrabber64.dll\r\nPswRdInfo64.dll\r\nADRecon\r\nThe ADRecon.ps1 file is a tool for generating reports containing information from Active Directory. Read more about the ADRecon project on GitHub. Note that this plugin was not developed by FIN7; however, it is actively used by the group in its attacks.\r\nGetHash32/GetHash64\r\nThe plugin is designed to retrieve user NTLM/LM hashes. It is based on the code of the lsadump component from Mimikatz.\r\nFig. 32 shows a screenshot with the pseudocode of the exported Entry function (function names are chosen to match the Mimikatz function names).\r\nFigure 32. Pseudocode of the exported Entry function for the GetHash plugin\r\nThe return value of the Execute function (the value of the g_outputBuffer variable) is a pointer to the buffer with the data resulting from the plugin’s operation.\r\nIf the plugin is started without SYSTEM permissions, it fills the buffer with the data shown in Fig. 
33.\r\nFigure 33. Buffer contents when running the plugin without SYSTEM permissions\r\nThe contents of the buffer in this case are similar to the output of Mimikatz when running the lsadump::sam module without SYSTEM permissions (Fig. 34).\r\nFigure 34. Mimikatz output when running lsadump::sam without SYSTEM permissions\r\nIf the plugin is run with SYSTEM permissions, it puts all the information the attacker is looking for into the buffer (Fig. 35).\r\nFigure 35. Buffer contents when running the plugin with SYSTEM permissions\r\nThe same data can be retrieved by running lsadump::sam from Mimikatz with SYSTEM permissions (Fig. 36).\r\nFigure 36. Result of the lsadump::sam command from Mimikatz with SYSTEM permissions\r\nGetPass32/GetPass64\r\nThe plugin is designed to retrieve user passwords. It is based on the code of the sekurlsa component from Mimikatz. The pseudocode of the exported Entry function is shown in Fig. 37.\r\nFigure 37. Exported Entry function pseudocode\r\nOn completion, the g_outputBuffer variable holds a pointer to a data buffer equivalent to what the sekurlsa::logonpasswords command in Mimikatz returns (Fig. 38).\r\nFigure 38. 
Result of the sekurlsa::logonpasswords command\r\npowerkatz_full32/powerkatz_full64\r\nThe plugin is a Mimikatz build compiled in the Second_Release_PowerShell configuration. This build can be loaded into the address space of a PowerShell process via reflective DLL loading, as implemented in the Exfiltration module of PowerSploit.\r\nThe pseudocode of the exported powershell_reflective_mimikatz function is given in the original article (variable and function names in the decompiled output have been changed to match the names of the corresponding variables and functions from Mimikatz). The input parameter is used to pass a list of commands separated by spaces. The global variable outputBuffer is used to pass the result of the commands. The decompiled view of the wmain function is likewise given in the original article.\r\npowerkatz_short32/powerkatz_short64\r\nThe powerkatz_short plugin is a modified version of the standard powerkatz library described in the previous paragraph.\r\nThe following powerkatz functions are absent from powerkatz_short:\r\nkuhl_m_acr_clean;\r\nkuhl_m_busylight_clean;\r\nkuhl_m_c_rpc_clean;\r\nkuhl_m_c_rpc_init;\r\nkuhl_m_c_service_clean;\r\nkuhl_m_crypto_clean;\r\nkuhl_m_crypto_init;\r\nkuhl_m_kerberos_clean;\r\nkuhl_m_kerberos_init;\r\nkuhl_m_vault_clean;\r\nkuhl_m_vault_init;\r\nkull_m_busylight_devices_get;\r\nkull_m_busylight_keepAliveThread.\r\nPswInfoGrabber32.dll/PswInfoGrabber64.dll\r\nThe plugin can retrieve the following data:\r\nbrowser history from Firefox, Google Chrome, Microsoft Edge and Internet Explorer;\r\nusernames and passwords stored in the listed browsers;\r\nemail accounts from Microsoft Outlook and Mozilla Thunderbird.\r\nThe nss3.dll library is used to retrieve sensitive data from Firefox and is loaded from the directory of the installed browser (Fig. 
39).\r\nPress enter or click to view image in full size\r\nFigure 39. Dynamic retrieval of function addresses from nss3.dll library\r\nUsing the functions shown in Fig. 38, the credentials are retrieved from the logins.json file and the browser\r\nhistory is retrieved from the places.sqlite database.\r\nIn relation to Google Chrome, the plugin retrieves browser history from %LOCALAPPDATA%\\Google\\Chrome\\User\r\nData\\Default\\History and passwords from %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Login Data\r\nhttps://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319\r\nPage 31 of 33\n\n(data encrypted using DPAPI).\r\nHistory , places.sqlite , Login Data are all sqlite3 database files. To work with sqlite3 databases the\r\nplugin uses functions from the sqlite library, statically linked with the resulting DLL, i.e. the plugin itself.\r\nFor Internet Explorer and Microsoft Edge browsers, the plugin retrieves user credentials using functions from the\r\nvaultcli.dll library that implements the functions of the vaultcmd.exe utility.\r\nPswRdInfo64.dll\r\nPswRdInfo64.dll is designed primarily to collect domain credentials and retrieve credentials for accessing other\r\nhosts via RDP. 
The plugin is activated from the client application using the Grabber → RDP tab.\r\nThe workflow of the plugin depends on the following conditions.\r\nWhen started from SYSTEM, the plugin lists all active console sessions (WTSGetActiveConsoleSessionId) and gets user names for these sessions:\r\n(WTSQuerySessionInformationW)(0i64, SessionId, WTSUserName, \u0026vpSessionInformationUserName, \u0026pBytesRet\r\nThe plugin then retrieves the private keys from the C:\\Users\\{SessionInformationUserName}\\AppData\\Local\\Microsoft\\Credentials directory for each user and injects itself into the lsass.exe process to extract domain credentials.\r\nWhen started by another user (other than SYSTEM), the plugin attempts to collect credentials for RDP access to other hosts. Credentials are collected using the CredEnumerateW function, with the TERMSRV string as the target.\r\nConclusion\r\nAs the analysis shows, Lizar is a diverse and complex toolkit. It is currently still under active development and testing, yet it is already being widely used to control infected computers, mostly throughout the United States. However, it seems that FIN7 are not looking to stop there, and we will soon be hearing about more Lizar-enabled attacks from around the world.\r\nIoC\r\nIP:\r\nSHA256:\r\nSource: https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319"
	],
	"report_names": [
		"from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434384,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25f76af6c8d919c23e9945a3cfd475d4318decca.pdf",
		"text": "https://archive.orkl.eu/25f76af6c8d919c23e9945a3cfd475d4318decca.txt",
		"img": "https://archive.orkl.eu/25f76af6c8d919c23e9945a3cfd475d4318decca.jpg"
	}
}