SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lilith (Back to overview)

Lilith

Actor(s): Silent Chollima, Tick

VTCollection    

Lilith is a console-based ultra light-weight RAT developed in C++. It features a straight-forward set of commands that allows for near complete control of a machine.

References
2023-11-10AhnLabASEC Analysis Team
Detection of attacks exploiting asset management software (Andariel Group)
Lilith Tiger RAT
2023-02-23SymantecThreat Hunter Team
Clasiopa: New Group Targets Materials Research
Atharvan HazyLoad Lilith
2022-10-05ZscalerAditya Sharma, Shatak Jain
Analysis of LilithBot Malware and Eternity Threat Group
Eternity Clipper Eternity Stealer Lilith
2022-07-12cybleCyble Research Labs
New Ransomware Groups On The Rise: “RedAlert,” LILITH And 0mega Leading A Wave Of Ransomware Campaigns
RedAlert Ransomware Lilith
2022-05-18YoroiCarmelo Ragusa, Luigi Martire, Yoroi Malware ZLab
A deep dive into Eternity Group: A new emerging Cyber Threat
Eternity Ransomware Eternity Stealer Eternity Worm Lilith
2021-12-14Trend MicroNick Dai, Ted Lee, Vickie Su
Collecting In the Dark: Tropic Trooper Targets Transportation and Government
ChiserClient Ghost RAT Lilith Quasar RAT xPack APT23
2021-07-07TalosAsheer Malhotra, Justin Thattil
InSideCopy: How this APT continues to evolve its arsenal
AllaKore Lilith NjRAT
2021-07-07TalosAsheer Malhotra, Justin Thattil
InSideCopy: How this APT continues to evolve its arsenal (IOCs)
AllaKore Lilith NjRAT
2021-07-07TalosAsheer Malhotra, Justin Thattil
InSideCopy: How this APT continues to evolve its arsenal (Network IOCs)
AllaKore Lilith NjRAT
2021-07-02CiscoAsheer Malhotra, Justin Thattil
InSideCopy: How this APT continues to evolve its arsenal
AllaKore CetaRAT Lilith NjRAT ReverseRAT
2019-11-29Trend MicroHiroyuki Kakara, Joey Chen, Masaoki Shoji
Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK
Datper Lilith
2019-09-19GitHub (werkamsus)werkamsus
Lilith
Lilith
Yara Rules
[TLP:WHITE] win_lilith_auto (20230808 | Detects win.lilith.)
rule win_lilith_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.lilith."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lilith"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 ff15???????? 6857040000 898698210000 ff15???????? }
            // n = 5, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6857040000           | push                0x457
            //   898698210000         | mov                 dword ptr [esi + 0x2198], eax
            //   ff15????????         |                     

        $sequence_1 = { e8???????? 8bce e8???????? 83c418 8bcf e8???????? 8d4dd0 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]

        $sequence_2 = { 8b0c85a84b4300 8b45e8 f644012880 7446 0fbec3 83e800 742e }
            // n = 7, score = 200
            //   8b0c85a84b4300       | mov                 ecx, dword ptr [eax*4 + 0x434ba8]
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   f644012880           | test                byte ptr [ecx + eax + 0x28], 0x80
            //   7446                 | je                  0x48
            //   0fbec3               | movsx               eax, bl
            //   83e800               | sub                 eax, 0
            //   742e                 | je                  0x30

        $sequence_3 = { 25f0070000 660f28a010e94200 660f28b800e54200 660f54f0 660f5cc6 660f59f4 660f5cf2 }
            // n = 7, score = 200
            //   25f0070000           | and                 eax, 0x7f0
            //   660f28a010e94200     | movapd              xmm4, xmmword ptr [eax + 0x42e910]
            //   660f28b800e54200     | movapd              xmm7, xmmword ptr [eax + 0x42e500]
            //   660f54f0             | andpd               xmm6, xmm0
            //   660f5cc6             | subpd               xmm0, xmm6
            //   660f59f4             | mulpd               xmm6, xmm4
            //   660f5cf2             | subpd               xmm6, xmm2

        $sequence_4 = { 8b0485a84b4300 80640828fe ff33 e8???????? 59 e9???????? 8b0b }
            // n = 7, score = 200
            //   8b0485a84b4300       | mov                 eax, dword ptr [eax*4 + 0x434ba8]
            //   80640828fe           | and                 byte ptr [eax + ecx + 0x28], 0xfe
            //   ff33                 | push                dword ptr [ebx]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   e9????????           |                     
            //   8b0b                 | mov                 ecx, dword ptr [ebx]

        $sequence_5 = { c60000 833d????????10 b8???????? c745cc01000000 0f4305???????? }
            // n = 5, score = 200
            //   c60000               | mov                 byte ptr [eax], 0
            //   833d????????10       |                     
            //   b8????????           |                     
            //   c745cc01000000       | mov                 dword ptr [ebp - 0x34], 1
            //   0f4305????????       |                     

        $sequence_6 = { e9???????? c745dc03000000 c745e0c8874200 e9???????? }
            // n = 4, score = 200
            //   e9????????           |                     
            //   c745dc03000000       | mov                 dword ptr [ebp - 0x24], 3
            //   c745e0c8874200       | mov                 dword ptr [ebp - 0x20], 0x4287c8
            //   e9????????           |                     

        $sequence_7 = { c1fa06 8934b8 8bc7 83e03f 6bc830 8b0495a84b4300 8b440818 }
            // n = 7, score = 200
            //   c1fa06               | sar                 edx, 6
            //   8934b8               | mov                 dword ptr [eax + edi*4], esi
            //   8bc7                 | mov                 eax, edi
            //   83e03f               | and                 eax, 0x3f
            //   6bc830               | imul                ecx, eax, 0x30
            //   8b0495a84b4300       | mov                 eax, dword ptr [edx*4 + 0x434ba8]
            //   8b440818             | mov                 eax, dword ptr [eax + ecx + 0x18]

        $sequence_8 = { 8b4d08 898814434300 68???????? e8???????? 8be5 }
            // n = 5, score = 200
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   898814434300         | mov                 dword ptr [eax + 0x434314], ecx
            //   68????????           |                     
            //   e8????????           |                     
            //   8be5                 | mov                 esp, ebp

        $sequence_9 = { 660f122c8510a74200 03c0 660f28348520ab4200 ba7f3e0400 e9???????? 8bd0 }
            // n = 6, score = 200
            //   660f122c8510a74200     | movlpd    xmm5, qword ptr [eax*4 + 0x42a710]
            //   03c0                 | add                 eax, eax
            //   660f28348520ab4200     | movapd    xmm6, xmmword ptr [eax*4 + 0x42ab20]
            //   ba7f3e0400           | mov                 edx, 0x43e7f
            //   e9????????           |                     
            //   8bd0                 | mov                 edx, eax

    condition:
        7 of them and filesize < 499712
}
Download all Yara Rules