Security researchers have detailed a new, multi-functional malware. Called LilithBot, the malware is associated with the Eternity Project threat group which has been active since at least January 2022.
Another Addition to the Eternity Project’s Malware Arsenal
The Eternity threat actor has been using an “as-a-service” distribution model to sell its branded malicious modules across underground forums. The offered modules enable amateur hackers to get hold of an information stealer, clipper, computer worm, cryptocurrency miner, ransomware, and a DDoS bot. It is noteworthy that the Eternity Project campaign was discovered by Cyble researchers during their “routine threat hunting exercise.” The researchers came across a Tor website that listed “a variety of malware for sale,” all branded with the name “Eternity Project.”
As for the LilithBot malware, it was discovered by Zscaler’s ThreatLabz team while being distributed via a Telegram group and a Tor link providing “one-stop-shopping for these various payloads.” “In addition to its primary botnet functionality, it also had built-in stealer, clipper, and miner capabilities. In this blog, we’ll provide a deep analysis of the LilithBot campaign, including a look at several variants,” their report noted.
The malware appears to be in development, as the group continues to enhance its capabilities by adding improvements, e.g. anti-debug and anti-VM checks.
How Does LilithBot Operate?
First, the malware registers itself on the system and decrypts itself step by step, dropping its configuration file. It then uses several fields, such as a license key, an encoding key, and a GUID, which are encrypted with AES and decrypted at runtime.
Once activated, it proceeds to steal all the information it can from the targeted system and uploads it as a zip file to its command-and-control (C2) server.
The emergence of another malware family tied to the Eternity Project is a sign that the group continues to evolve and expand its malicious services, making them better at evading detection.