Google’s Threat Analysis Group (TAG) has provided a rare look inside the operations of a cybercriminal group dubbed “Exotic Lily,” which appears to serve as an initial-access broker for both the Conti and Diavol ransomware gangs.
Researchers’ analysis exposes the business-like approach the group takes to brokering initial access into organizations’ networks through a range of tactics so its partners can engage in further malicious activity.
While ransomware actors tend to get most of the attention, they can’t do their dirty work without first gaining access to an organization’s network. This is often the job of what are called initial-access brokers (IABs), or “the opportunistic locksmiths of the security world,” as Google TAG calls them in a blog post published Thursday.
“It’s a full-time job,” Google TAG researchers Vlad Stolyarov and Benoit Sevens wrote in the post. “These groups specialize in breaching a target in order to open the doors — or the Windows — to the malicious actor with the highest bid.”
Google TAG first encountered Exotic Lily last September, when the group was doing just that — exploiting the zero-day Microsoft flaw in MSHTML (CVE-2021-40444) as part of what turned out to be a full-time IAB business “closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol,” researchers wrote.
At the peak of the group’s activity, Exotic Lily — which researchers believe is working with the Russian cybercrime gang known as FIN12, Wizard Spider or DEV-0413 — was sending more than 5,000 emails a day to as many as 650 targeted organizations globally, they said.
“Up until November 2021, the group seemed to be targeting specific industries such as IT, cybersecurity and healthcare, but as of late we have seen them attacking a wide variety of organizations and industries, with less specific focus,” researchers wrote in the post.
Soup to Nuts
Exotic Lily works ostensibly as a full-time cybercrime business, which might be described as a “soup to nuts” organization if it were actually a legitimate company.
The group has maintained a “relatively consistent attack chain” during the time it was being tracked by researchers with its operators “working a fairly typical 9-to-5 job, with very little activity during the weekends,” researchers wrote. Working hours indicated that the group is likely operating out of a Central or Eastern European time zone.
The group’s tactics include initial activity to build fake online personas—including social-media profiles with AI-generated photos—that spoof both identities and company domains to ensure it appears as an authentic entity to its targets when carrying out phishing, researchers revealed.
In fact, in November, Google TAG observed the group impersonating real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.
“In the majority of cases, a spoofed domain name was identical to a real domain name of an existing organization, with the only difference being a change of TLD to ‘.us’, ‘.co’ or ‘.biz’,” researchers wrote.
Full-Time Phishing Business
While bug exploitation is part of its work as noted, Exotic Lily’s main business operation is to use these spoofed email accounts to send spear-phishing emails. They often purport to be a business proposal, such as seeking to outsource a software-development project or an information-security service.
One unique aspect of the group’s method is to engage in more follow-up communications with targets than most cybercriminals behind phishing campaigns typically do, researchers observed. This activity includes operators’ attempting to schedule a meeting to discuss a project’s design or requirements or engaging in other communication to gain affinity and trust, they said.
In its final attack stage, Exotic Lily uploads the final payload to a public file-sharing service such as TransferNow, TransferXL, WeTransfer or OneDrive, and then uses the service’s built-in email notification feature to share the file with the target.
This tactic serves to help the group’s malicious motives evade detection, as the final email originates from the email address of a legitimate file-sharing service and not the attacker’s email, researchers noted.
Typically, the actors upload another group’s malware to the file-sharing service prior to sharing it with the target, researchers said. While some samples of malware appear custom, Google TAG doesn’t think it’s Exotic Lily who’s developing these binaries.
Though researchers’ first observation of the group involved documents exploiting the MSHTML bug, they later observed Exotic Lily changing its delivery tactics to use ISO archives containing shortcuts to the BazarLoader dropper, according to the post.
This month, Google observed the group delivering ISO files with a custom loader that drops malware dubbed Bumblebee, which uses Windows Management Instrumentation (WMI) to collect various system details such as OS version, username and domain name. These details are then exfiltrated in JSON format to a command-and-control server (C2), researchers said.
Bumblebee also can execute commands and code from the C2, and in recent activity was seen fetching Cobalt Strike payloads to be executed on targeted systems, they added.
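The delivery chain described above leaves a few signals a mail-triage rule can key on before any payload runs: a sender domain that matches a known business partner except for a swapped TLD (“.us”, “.co”, “.biz”), a final message that arrives from a public file-sharing service rather than from the correspondent, and a shared file with an ISO container extension. The following Python script is an added example written for this article, not code from Google TAG or from the report; the partner domains, the notification-sender domains assumed for the sharing services, and the three sample messages are all constructed, and the domain split assumes single-label TLDs (multi-label suffixes such as .co.uk would need a public-suffix list).

```python
"""Mail-triage rules for the Exotic Lily delivery patterns described above.

Added example, not Google TAG's code. All domains and messages below are
constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical registrable domains of organizations the recipient really
# does business with (in practice fed from a vendor/CRM list).
KNOWN_PARTNER_DOMAINS = {"acme-security.com", "northwind-software.io"}

# Assumed notification-sender domains for the file-sharing services named in
# the report. Tune to the sender domains actually observed in your mail flow.
FILE_SHARING_DOMAINS = {
    "transfernow.net", "transferxl.com", "wetransfer.com",
    "onedrive.live.com", "1drv.ms",
}

# Container extensions the campaign used to smuggle shortcuts and loaders.
RISKY_EXT_RE = re.compile(r"\.(iso|lnk)\b", re.IGNORECASE)

ADDR_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'example.com' into ('example', 'com').

    Assumes a single-label public suffix; 'co.uk'-style suffixes need a
    public-suffix list, which is out of scope for this example.
    """
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    return name, tld


def tld_swap_lookalike(sender_domain: str, known: set[str]) -> Optional[str]:
    """Return the known domain that sender_domain impersonates by changing
    only the TLD (acme-security.us vs acme-security.com), or None.

    An exact match to a known domain is legitimate mail, not a lookalike,
    and a typo-squat that alters the name itself is deliberately not
    matched here: this rule covers only the TLD swap the report describes.
    """
    if sender_domain.lower() in known:
        return None
    name, tld = split_domain(sender_domain)
    for k in known:
        kname, ktld = split_domain(k)
        if name == kname and tld != ktld:
            return k
    return None


@dataclass
class Message:
    sender: str   # raw From header value
    subject: str
    body: str


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From header; '' if absent."""
    m = ADDR_RE.search(from_header)
    return m.group(1).lower() if m else ""


def triage(msg: Message, known: set[str] = KNOWN_PARTNER_DOMAINS) -> list[str]:
    """Return findings for one message; an empty list means no rule fired."""
    findings: list[str] = []
    dom = sender_domain(msg.sender)

    target = tld_swap_lookalike(dom, known)
    if target:
        findings.append(f"sender {dom} is a TLD-swap lookalike of partner {target}")

    from_share = dom in FILE_SHARING_DOMAINS or any(
        dom.endswith("." + d) for d in FILE_SHARING_DOMAINS
    )
    if from_share:
        # The notification really does come from the service, so sender
        # reputation says nothing about who uploaded the file.
        findings.append(f"file-sharing notification from {dom}; verify the share out of band")
        if RISKY_EXT_RE.search(msg.subject + " " + msg.body):
            findings.append("shared file uses an .iso/.lnk container extension")
    return findings


# Constructed sample thread: lookalike-domain approach, then a WeTransfer
# notification for an ISO, then ordinary mail from the real partner.
SAMPLE_MESSAGES = [
    Message("Dana Wu <dana.wu@acme-security.us>",
            "Proposal: outsourced penetration test",
            "Could we set up a call next week to discuss requirements?"),
    Message("WeTransfer <noreply@wetransfer.com>",
            "Dana Wu sent you 'Project_Requirements.iso'",
            "Download: https://wetransfer.com/downloads/EXAMPLE (constructed link)"),
    Message("Sam Ortiz <sam@acme-security.com>",
            "Invoice for March",
            "Attached is this month's invoice."),
]


def run_samples() -> list[list[str]]:
    """Triage every sample message and return the findings per message."""
    return [triage(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, findings in zip(SAMPLE_MESSAGES, run_samples()):
        print(msg.sender, "->", findings or ["clean"])
```

The TLD-swap rule is intentionally narrow: it catches exactly the impersonation technique the report attributes to the group and nothing else, so its hits are worth a human look. The file-sharing rule is the noisier half and is only meant to route the message to a check with the supposed correspondent through a known-good channel, since the sender domain itself is legitimate.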