The Google Threat Analysis Group (TAG) has shared its observations about a cybercriminal group called Exotic Lily. The group has specialized as an initial access broker: it finds a weakness in an organization's defenses, exploits it, and sells the resulting access to the victim's network to an interested party, repeating the process with victim after victim.
Among those interested parties TAG found the Conti and Diavol ransomware groups. Because Exotic Lily's operations are so hands-on, they are believed to require a level of human interaction that is unusual for cybercrime groups focused on large-scale operations.
Initial access broker
As in any maturing industry, you can expect to see specialization and diversification. Initial access brokers are an example of specialized cybercriminals. They use a vulnerability or another weakness to gain initial access and, probably depending on the nature of the target, sell that access to other cybercriminals, who use it to deploy their own malware.
Initial access brokers differ from the usual ransomware affiliates, who deploy the ransomware they are affiliated with themselves and use the infrastructure provided by the ransomware-as-a-service (RaaS) group in exchange for a cut of the ransom if the victim decides to pay. The RaaS operator provides the encryption software and the contact and leak sites, and negotiates the ransom with the victim. An initial access broker instead tells another cybercriminal that they have found a way into company xyz and asks how much they are willing to pay for that access.
From the TAG blog we learn that Exotic Lily was highly specialized. Its initial attack vector was email. Initially the group targeted specific industries such as IT, cybersecurity, and healthcare, but that focus has since become less strict.
Its email campaigns gained credibility by spoofing companies and employees. The campaigns were targeted to such a degree that they are believed to be sent by real human operators using little to no automation. To evade detection mechanisms the group used common file-sharing services like WeTransfer, TransferNow, and OneDrive to deliver the payload, so that the download link points at a widely trusted domain rather than attacker-controlled infrastructure.
Last year, researchers found that Exotic Lily exploited CVE-2021-40444, a Microsoft MSHTML remote code execution (RCE) vulnerability. Microsoft also posted a blog about attacks that exploited this vulnerability. Later, the group shifted to delivering customized versions of BazarLoader inside ISO files.
Because Exotic Lily's operations require a lot of human interaction, the researchers analyzed the group's "working hours" and concluded that it looks like a regular 9-to-5 operation located in a Central or Eastern European time zone.
As with most email campaigns, the amount of social engineering largely determines how successful a campaign can be. There is a huge difference in success rate between the millions of emails sent in a "spray-and-pray" attack and the thousands that Exotic Lily sends out per day.
Exotic Lily used identity spoofing in which it took a legitimate domain name and replaced its TLD with ".us", ".co" or ".biz". At first, the group created entirely fake personas posing as employees of a real company, complete with social media profiles, personal websites, and AI-generated profile pictures. That must have been a lot of work, because at some point the group started impersonating real company employees instead, copying their personal data from social media and from business databases such as RocketReach and CrunchBase.
Using such spoofed accounts, the attackers would send spear phishing emails containing a business proposal and even engage in further communication with the target, for example by attempting to schedule a meeting to discuss the project's design or requirements.
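The TLD swap described above is cheap for the attacker but also easy to check for on the receiving side. The following is an added example (not code from Google TAG or from this article) that flags a sender domain when it matches a domain you already correspond with in everything but the TLD, and the new TLD is one of the three the article lists. The known-domain list and the From: headers are constructed for illustration, and the helper assumes single-label TLDs such as ".com" (multi-label suffixes like ".co.uk" would need a public-suffix list).

```python
"""Flag sender domains that impersonate a known domain by swapping only the TLD.

Added example; not code from Google TAG or the original article. The known
domains and the sample From: headers below are constructed for illustration.
Assumes single-label public suffixes (".com", ".org"), not ".co.uk"-style ones.
"""
from email.utils import parseaddr

# TLDs the article reports Exotic Lily substituting for the legitimate one
SWAPPED_TLDS = {"us", "co", "biz"}

# Constructed list of domains this organisation actually corresponds with
KNOWN_DOMAINS = ["examplecorp.com", "partner-health.org"]


def split_domain(domain):
    """Return (second_level_label, tld) for a domain such as 'examplecorp.com'."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]


def lookalike_tld(sender_domain, known_domains=KNOWN_DOMAINS, swapped=SWAPPED_TLDS):
    """Return the known domain that sender_domain impersonates via a TLD swap, else None.

    A hit requires the same second-level label as a known domain, a different
    TLD, and that TLD being in the swapped set.
    """
    parts = split_domain(sender_domain)
    if parts is None:
        return None
    sld, tld = parts
    for known in known_domains:
        known_parts = split_domain(known)
        if known_parts is None:
            continue
        if sld == known_parts[0] and tld != known_parts[1] and tld in swapped:
            return known
    return None


def check_from_header(from_header):
    """Parse a From: header value and return the impersonated domain, or None."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return lookalike_tld(addr.rsplit("@", 1)[1])


# Constructed sample headers: one legitimate, two TLD swaps, one unrelated TLD
SAMPLE_HEADERS = [
    '"Jane Doe" <jane.doe@examplecorp.com>',
    '"Jane Doe" <jane.doe@examplecorp.us>',
    '"Sam Roe" <sam@partner-health.biz>',
    '"Sam Roe" <sam@partner-health.net>',
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        hit = check_from_header(header)
        print(f"{header:45} -> {'impersonates ' + hit if hit else 'ok'}")
```

The swapped set is deliberately limited to the TLDs named in the report; widening it to "any TLD other than the known one" is a one-line change and catches more, at the cost of flagging a partner's legitimate .net or .org sister domain, so pair it with your allow-list rather than running it blind.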
SHA-256 hashes of the BazarLoader ISO samples:
SHA-256 hashes of the BUMBLEBEE ISO samples:
IP address of the C&C server:
Stay safe, everyone!