
LilithBot Malware, a new MaaS offered by the Eternity Group

Researchers linked the threat actor behind the Eternity malware-as-a-service (MaaS) to a new malware strain called LilithBot.

Zscaler researchers linked a recently discovered sample of a new malware called LilithBot to the Eternity group (aka EternityTeam; Eternity Project). The Eternity group operates a malware-as-a-service (MaaS) of the same name and is linked to the Russian "Jester Group," which has been active since at least January 2022.

In May, researchers at cybersecurity firm Cyble analyzed a Tor website named 'Eternity Project' that offers for sale a broad range of malware, including stealers, miners, ransomware, and DDoS bots.

The experts discovered the marketplace during a routine investigation. They also found that its operators run a Telegram channel with around 500 subscribers, which is used to share information about malware listings and updates.

Eternity Project malware

The operators behind the project allow their customers to customize the binary features through the Telegram channel.  

The operators sell the Stealer module for $260 as an annual subscription. It allows customers to steal a large amount of sensitive information from infected systems, including passwords, cookies, credit cards, and crypto-wallets. Stolen data is exfiltrated via a Telegram Bot.

The Eternity Miner module goes for $90 as an annual subscription; customers can customize it with their own Monero pool and AntiVM features. The Eternity operators also sell the clipper malware for $110. It monitors the clipboard for cryptocurrency wallet addresses and replaces them with the wallet address of the attackers.
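The clipper behaviour described above (a copied wallet address silently replaced with the attacker's) can be checked for from the victim side by comparing what was copied with what the clipboard holds when it is read back. The following is an added example, not code from the article or from any Eternity/LilithBot sample; it assumes the caller supplies the copied value and the current clipboard contents (for instance from a paste hook), and the address patterns and the sample session are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed patterns for common wallet address formats (simplified; extend as needed).
WALLET_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{8,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify_address(text: str):
    """Return the wallet type of `text`, or None if it does not look like a wallet address."""
    text = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class Verdict:
    suspicious: bool
    reason: str


def check_clipboard(copied: str, observed: str) -> Verdict:
    """Compare what the user copied with what the clipboard now holds.
    A clipper swaps wallet addresses for its own, so the tell-tale sign is a copied
    wallet address that reads back as a *different* address of the same type."""
    kind_copied = classify_address(copied)
    if kind_copied is None:
        return Verdict(False, "copied value is not a wallet address")
    if copied.strip() == observed.strip():
        return Verdict(False, "clipboard unchanged")
    if classify_address(observed) == kind_copied:
        return Verdict(True, f"{kind_copied} address replaced by a different {kind_copied} address")
    return Verdict(True, f"clipboard altered after copying a {kind_copied} address")


def scan_events(events):
    """Return the indices of (copied, observed) pairs that look like a clipper swap."""
    return [i for i, (copied, observed) in enumerate(events) if check_clipboard(copied, observed).suspicious]


# Constructed sample session; the addresses are made up, not real wallets.
SAMPLE_EVENTS = [
    ("hello world", "hello world"),            # ordinary text, ignored
    ("0x" + "a" * 40, "0x" + "a" * 40),         # ETH address copied and read back intact
    ("0x" + "a" * 40, "0x" + "b" * 40),         # ETH address swapped for another one
    ("1" + "A" * 33, "1" + "A" * 33),           # BTC legacy address, untouched
]

if __name__ == "__main__":
    for i in scan_events(SAMPLE_EVENTS):
        print(f"event {i}: {check_clipboard(*SAMPLE_EVENTS[i]).reason}")
```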

The Eternity Ransomware goes for $490 while the Eternity Worm is available for $390.

According to Cyble, the operators behind the Eternity Project are also developing a DDoS bot malware that borrows code from an existing GitHub repository. The experts speculate that the Jester Stealer could also be rebranded from this particular GitHub project, which indicates some links between the two threat actors.

“ThreatLabz recently discovered a sample of the multi-function malware LilithBot in our database. Further research revealed that this was associated with the Eternity group (a.k.a. EternityTeam; Eternity Project), a threat group linked to the Russian “Jester Group,” that has been active since at least January 2022.” reads the report published by Zscaler. “Eternity uses an as-a-service subscription model to distribute different Eternity-branded malware modules in underground forums, including a stealer, miner, botnet, ransomware, worm+dropper, and DDoS bot.” 

LilithBot is an advanced malware distributed by the Eternity group via a dedicated Telegram channel and can be purchased via Tor. It is a flexible threat that can be used as a miner, stealer, and clipper.

The threat actors are continuously enhancing the malware by adding new features, such as anti-debugging capabilities and anti-VM checks.

LilithBot is able to steal all the information (browser history, cookies, pictures, and screenshots) from infected systems, then uploads it as a zip file to its command-and-control (C2) server.

LilithBot is a multifunctional malware that is also offered through a MaaS model.

The report includes technical details about the threat and Indicators of Compromise (IOCs) along with MITRE ATT&CK.


Pierluigi Paganini
