Exotic Lily initial access broker works with Conti gang

Pierluigi Paganini March 19, 2022

Google’s Threat Analysis Group (TAG) uncovered a new initial access broker, named Exotic Lily, that is closely affiliated with the Conti ransomware gang.

Google’s Threat Analysis Group (TAG) researchers linked a new initial access broker, named Exotic Lily, to the Conti ransomware operation.

Initial access brokers play an essential role in the cybercrime ecosystem, they provide access to previously compromised organizations to threat actors.

Exotic Lily was first spotted on September 2021, at the time it was observed spreading human-operated Conti and Diavol ransomware.

“In early September 2021, Threat Analysis Group (TAG) observed a financially motivated threat actor we refer to as EXOTIC LILY, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigating this group’s activity, we determined they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike).” reads the post published by Google TAG.

The Exotic Lily cybercrime group is exploiting the Microsoft Windows MSHTML flaw (CVE-2021-40444) in its phishing campaigns. Experts observed the threat actors sending at a peak of its activity more than 5,000 business proposal-themed emails a day to 650 targeted entities worldwide.

The attack chain associated with the EXOTIC LILY threat actors remained relatively consistent throughout the time, Google TAG researchers explained.

EXOTIC LILY attack chain

Threat actors use the technique of domain and identity spoofing to gain “additional credibility” with a targeted organization.

The Exotic Lily used spoofed email accounts to send social engineering lures to organizations in multiple industries and establish a trusted contact with targeted entities.

Exotic Lily also used the built-in email notification feature implemented by legitimate file-sharing services (i.e. WeTransfer, TransferNow and OneDrive) to share links to malicious files with the victims evading the detection.

In March, the group was observed delivering ISO files, but with a DLL containing the custom loader BUMBLEBEE. BUMBLEBEE uses WMI to collect the target’s system information, including OS version, user name and domain name. BUMBLEBEE was also observed to fetch Cobalt Strike payloads.

The analysis of the threat actor’s communications revealed that the group works from 9-to-5, with very little activity during the weekends. The actor’s working hours suggest they might be working from a Central or an Eastern Europe timezone.

An analysis of the Exotic Lily’s communication activity indicates that the threat actors have a “typical 9-to-5 job” on weekdays and may be possibly working from a Central or an Eastern Europe time zone.

“We believe the shift to deliver BazarLoader, along with some other indicators such as a unique Cobalt Strike profile (described by RiskIQ) further confirms the existence of a relationship between EXOTIC LILY and actions of a Russian cyber crime group tracked as WIZARD SPIDER (CrowdStrike), FIN12 (Mandiant, FireEye) and DEV-0193 (Microsoft).” the researchers concluded. “While the nature of those relationships remains unclear, EXOTIC LILY seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Conti)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment