Analysis of LilithBot Malware and Eternity Threat Group

LilithBot is a multifunction malware sold as Malware-as-a-Service by the Eternity group, distributed through Telegram and Tor, with modules for botnet operations, stealer, clipper, miner, and more. The campaign showcases evolving features, including anti-debug/anti-VM checks and runtime decryption of configuration data, with exfiltration to a Tor-based C2. #LilithBot #EternityGroup

Keypoints

  • The Eternity group markets malware modules (MaaS) like LilithBot for a membership fee, expanding capabilities over time.
  • LilithBot is distributed via a dedicated Telegram channel and a Tor link, offering botnet, stealer, clipper and other payloads.
  • The malware adds features over time (e.g., anti-debug and anti-VM checks) to hinder analysis.
  • The binary registers itself as a bot on first run and persists through a Startup folder entry, creating a mutex during the registration step.
  • Configuration data is encrypted and decrypted at runtime (AES-based), with fields such as license/encoding keys and GUID embedded in the config.
  • Data from the host is stolen (including browser data) and uploaded to a C2 server over the Tor network, often as a ZIP payload.
  • Fake Microsoft-signed certificates are used to evade detection, and the same C2 IP addresses and Tor-based delivery have been observed repeatedly across samples.

MITRE Techniques

  • [T1037] Startup Items – The malware registers itself and uses Startup folder persistence. ‘The entry point starts with registration of the bot… checks for a file in the Startup folder.’
  • [T1027] Obfuscated/Compressed Files or Information – ‘encrypted via AES and decrypts itself at runtime.’
  • [T1041] Exfiltration Over C2 Channel – ‘steals all the information and uploads itself as a zip file to its Command and Control.’
  • [T1071] Application Layer Protocol – ‘uses Tor network to connect to its C2.’
  • [T1497] Virtualization/Sandbox Evasion – ‘anti-debug and anti-VM checks.’
  • [T1056] Data from Local System – ‘uploads report.zip containing browser history, cookies, and personal information.’

Indicators of Compromise

  • [Hash] Executable hashes – 0ebe8de305581c9eca37e53a46d033c8, 1cae8559447370016ff20da8f717db53
  • [Hash] Executable file – e793fcd5e44422313ec70599078adbdc
  • [Hash] DLL file signed – 65c0241109562662f4398cff77499b25
  • [IP] C2 – 77.73.133.12
  • [IP] C2 – 45.9.148.203
  • [IP] C2 – 91.243.59.210
  • [IP] C2 – 195.2.71.214

Read more: https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group