Malware authors disguise their tools as Check Point software
BI.ZONE researchers have discovered a new version of the malicious Lizar toolkit. The attackers pass it off as a legitimate penetration-testing tool by using the names Check Point and Forcepoint.
BI.ZONE analyzed the Lizar sample and concluded that it is structurally similar to Carbanak Backdoor and is under active development. The toolkit consists of a Windows client, a server application (both written in .NET), a plugin loader, and a number of plugins that are installed on the client and server side.
The plugin loader and the plugins run on the infected machine as part of the bot. Analysis showed that the Lizar bot can execute several commands, including:
provide information about the infected system;
take a screenshot;
list running processes;
launch Mimikatz;
run a plugin that collects passwords from browsers and the OS;
run a plugin to collect information about the network and Active Directory;
run Carbanak Backdoor.
Lizar's modular architecture lets attackers add plugins easily. So far, the researchers have identified three variants of the Lizar bot: a DLL, an EXE, and a script-based version.
Source: anti-malware.ru
26 April 2021