“These groups hire employees who are not even aware that they are working with real malware or that their employer is a real criminal group,” according to the Cyber Threats Research Team at BI.ZONE. The firm added that the Lizar malware “is a diverse and complex toolkit. It is currently still under active development and testing, yet it is already being widely used to control infected computers, mostly throughout the United States.”
Among the malware’s victims include pharmaceutical companies, a gambling establishment and some educational institutions in the U.S., as well as a financial institution in Panama and an IT firm in Germany.
Researchers noted the similarities between the Lizar toolkit and the Carbanak RAT. Lizar has various plugins and a loader that both run on an infected system and may turn into the Lizar bot client, which communicates with a remote server.
“The bot’s modular architecture makes the tool scalable and allows for independent development of all components. We’ve detected three kinds of bots: DLLs, EXEs and PowerShell scripts, which execute a DLL in the address space of the PowerShell process,” the company stated.