Google’s Threat Analysis Group (TAG) took the wraps off a new initial access broker that it said is closely affiliated to a Russian cyber crime gang notorious for its Conti and Diavol ransomware operations.
Dubbed Exotic Lily, the financially motivated threat actor has been observed exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform (CVE-2021-40444) as part of widespread phishing campaigns that involved sending no fewer than 5,000 business proposal-themed emails a day to 650 targeted organizations globally.
“Initial access brokers are the opportunistic locksmiths of the security world, and it’s a full-time job,” TAG researchers, including Vlad Stolyarov, said. “These groups are skilled in breaking into targets in order to unlock the doors, or the Windows, to the malicious actors with the highest bid.”
Exotic Lily was first discovered in September 2021. It is believed to have been involved in data exfiltration and in the deployment of human-operated Conti and Diavol ransomware strains, both of which overlap with the Russian cybercriminal syndicate known as Wizard Spider, which is also responsible for TrickBot, BazarBackdoor and Anchor.
The threat actor’s social engineering lures, sent from spoofed email accounts, have specifically singled out the IT, cybersecurity, and healthcare sectors, although since November 2021 the attacks have grown more indiscriminate, targeting a wide variety of organizations and industries.
Besides using fictitious companies and identities as a means to build trust with the targeted entities, Exotic Lily has leveraged legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver BazarBackdoor payloads in a bid to evade detection mechanisms.
The rogue personas often posed as employees of firms such as Amazon, complete with fraudulent social media profiles on LinkedIn that featured fake AI-generated profile pictures. The group is also said to have impersonated real company employees, lifting their personal information from business databases such as CrunchBase and RocketReach.
“At the end, an attacker will upload the payload via a file-sharing site (TransferNow.com, TransferXL.com, WeTransfer.com or OneDrive). Then, the built-in email notification function would be used to share the file with the target. This allows the last email to come from the legitimate email address and not the attacker, which poses additional detection difficulties,” the researchers stated.
Also delivered using the MSHTML exploit is a custom loader called Bumblebee that’s orchestrated to gather and exfiltrate system information to a remote server, which responds with commands to execute shellcode and run next-stage executables, including Cobalt Strike.
An analysis of Exotic Lily’s communication activity indicates that the threat actors keep a “typical 9-to-5 job” on weekdays and may be working from a Central or Eastern European time zone.
“EXOTIC LILY seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors,” the researchers concluded.