An emerging Russia-linked threat group is ramping up its malware-as-a-service operation by packaging several of its modules into a multifunctional malware offering, dubbed LilithBot, that it’s peddling via Telegram.
The Eternity group — aka EternityTeam or Eternity Project — has been active since at least January and uses an “as-a-service” subscription model to distribute different Eternity-branded malware modules in underground forums. Its individual malicious offerings include a stealer, miner, botnet, ransomware, worm with a dropper, and distributed denial-of-service (DDoS) bot, researchers from Zscaler ThreatLabz revealed in a blog post published this week.
In a recently observed campaign, Eternity put a number of those modules together into “one-stop shopping for these various payloads,” Zscaler security researcher Shatak Jain and senior program manager Aditya Sharma wrote in the post. The threat actor is distributing the multifunctional LilithBot malware through its dedicated Telegram group and a Tor link.
“In addition to its primary botnet functionality, it also had built-in stealer, clipper, and miner capabilities,” the researchers wrote of the LilithBot campaign, which appears to have multiple variants.
Who Is EternityTeam?
The EternityTeam has links to the Russian Jester Group and offers a malware toolkit sold through a malware-as-a-service subscription service advertised via a dedicated Telegram channel, named @EternityDeveloper.
Other security companies have also studied the group. Security firm Cyberint in January identified the group and its various malware modules as an emerging force to be reckoned with on the underground cybercrime industry. In May, research from security firm Sekoia.IO identified the group as a new “prominent malware seller” and provided analysis on the various tools in its arsenal.
Typically, EternityTeam offers different services individually — including a stealer, miner, clipper, ransomware, worm plus dropper, and DDoS Bot — and accepts payment through various cryptocurrencies, including Bitcoin, Ethereum, Monero, and Tether/USDT, among others.
Eternity also offers customized viruses and will create viruses with add-on features upon customer request. The price of the various malware the group sells ranges from US$90 to $470, with its ransomware product priced the highest.
The cybercrime group runs a tight ship: Its business is extremely “user-friendly” for a number of reasons, the Zscaler researchers noted. It’s easy for cybercriminals to purchase and operate via Tor, and the service accepts crypto as payment; it’s customizable to fit clients’ needs; and it’s regularly updated at no additional charge, they said. The group also offers add-on discounts and referral rewards to its customers.
As legitimate businesses often see the value in bundling services together, so do cybercrime operators. LilithBot is an example of this practice, with Eternity selling the multifunctional malware as a subscription, similar to how it distributes its individual malware-as-a-service modules.
There are plenty of other examples of attackers distributing malware that relies not on one core competency but a combined range of malicious functionality in one package. The Chaos malware is one example of this, having evolved recently from its original ransomware builder into a DDoS and cryptomining tool.
Though LilithBot is different in that it is starting out as a combination of a threat group’s existing services rather than evolving into a new type of malware, it’s similar in that it packs a malicious, multifunctional punch.
LilithBot initiates its nefarious activity by registering as a botnet on an affected system and then decrypts itself step by step to drop its configuration file, the researchers said. It goes on to steal files and user information, which it then uploads via a zip file to a command-and-control (C2) server using the Tor network. LilithBot also uses fake certificates to bypass detections and deliver its various functionality as a stealer, cryptominer, and clipper.
Zscaler researchers observed two variants of LilithBot being distributed by Eternity, with slight differences in the main functions of each release, they said. Specifically, some commands that were present in earlier variants were absent from the newest variant that researchers analyzed.
The latest version of LilithBot no longer checks for the presence of various DLLs related to virtual software like Sandboxie, 360 Total Security, Avast, and COMODO Avs, nor for the Win32_PortConnector that represents physical connection ports such as DB-25 pin male, Centronics, or PS/2 to ensure the malware is running on a physical machine rather than a virtual one.
“It is likely that the group is still performing these functions,” the researchers wrote, “but doing so in more sophisticated ways: such as performing it dynamically, encrypting the functions like other regions of code, or using other advanced tactics.”