In early September 2021, the Google Threat Analysis Group (TAG) observed a financially motivated threat actor it dubs EXOTIC LILY exploiting a security vulnerability in MSHTML (CVE-2021-40444). Investigating the activities of this group, TAG found that it is an Initial Access Broker (IAB) that appears to be working with the Russian cybercriminal gang FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike).
Initial Access Brokers (IAB) are the opportunistic lockpickers of the security world and that’s a full-time job. These groups specialize in breaking into a target in order to open the doors—or the windows—to the malicious actor with the highest bid.
EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked to data exfiltration and the deployment of human-operated ransomware such as Conti and Diavol. At the height of EXOTIC LILY’s activities, it is estimated that the group sent more than 5,000 emails daily to up to 650 target organizations worldwide. Until November 2021, the group appeared to target specific industries such as IT, cybersecurity, and healthcare, but more recently it has been observed attacking a variety of organizations and industries, with a less specific focus.
This threat actor employs tactics, techniques and procedures (TTPs) traditionally associated with more targeted attacks, such as spoofing companies and employees as a means to gain a target company’s trust through email campaigns that appear to be sent by real human operators with little to no automation. Additionally, and quite uniquely, they use legitimate file-sharing services like WeTransfer, TransferNow, and OneDrive to deliver the payload, further bypassing detection mechanisms. This level of human interaction is rather unusual for cybercriminals focused on mass operations.
Organization and identity spoofing
EXOTIC LILY’s attack chain has remained relatively constant throughout. A notable technique is the use of domain and identity spoofing to gain additional credibility with a target organization. In most cases, the fake domain name was identical to an existing organization’s real domain name, with the only difference being that the TLD was changed to “.us”, “.co” or “.biz”.
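The TLD-swap pattern described above lends itself to a simple mail-gateway check: flag any sender whose second-level label matches a domain the organization already trusts while the TLD differs. The following is an added example (not code from the original article or from Google TAG); the trusted-domain list and the sample From: headers are constructed for illustration, and the parser treats the last label as the TLD, so multi-part suffixes such as co.uk are not handled.

```python
from email.utils import parseaddr

# Constructed list of partner/vendor domains this organisation legitimately corresponds with (assumption).
TRUSTED_DOMAINS = {"example-partner.com", "contoso.org", "acme-sec.net"}

# TLDs the article reports EXOTIC LILY swapping in; any other TLD swap is still flagged, at lower severity.
REPORTED_SWAP_TLDS = {"us", "co", "biz"}

def registrable_parts(domain):
    """Return (second-level label, tld), e.g. 'mail.acme-sec.net' -> ('acme-sec', 'net').
    Simplification: the last label is treated as the TLD (no public-suffix list)."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[-2], labels[-1]

def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """Classify one From: address against the trusted list.
    Returns (verdict, severity, impersonated_domain)."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ("malformed", "low", None)
    domain = addr.rsplit("@", 1)[1].lower()
    parts = registrable_parts(domain)
    if parts is None:
        return ("malformed", "low", None)
    sld, tld = parts
    if domain in trusted:
        return ("trusted", "none", domain)
    for t in trusted:
        t_parts = registrable_parts(t)
        if t_parts is None:
            continue
        if sld == t_parts[0] and tld != t_parts[1]:
            severity = "high" if tld in REPORTED_SWAP_TLDS else "medium"
            return ("tld_swap", severity, t)
    return ("unknown", "low", None)

def flag_messages(from_headers):
    """Return only the headers that look like TLD-swapped lookalikes of a trusted domain."""
    hits = []
    for hdr in from_headers:
        verdict, severity, impersonated = classify_sender(hdr)
        if verdict == "tld_swap":
            hits.append({"from": hdr, "severity": severity, "impersonates": impersonated})
    return hits

# Constructed sample From: headers (not real messages).
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example-partner.com>",
    "Jane Doe <jane.doe@example-partner.us>",
    "Sales <sales@acme-sec.biz>",
    "Sales <sales@acme-sec.de>",
    "Unrelated <noreply@otherdomain.com>",
    "broken-address",
]

if __name__ == "__main__":
    for hit in flag_messages(SAMPLE_FROM_HEADERS):
        print(hit)
```

Running the block flags the .us, .biz and .de senders and leaves the exact-match partner address and the unrelated domain alone.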
Initially, the group created fake personas posing as employees of a real company. This sometimes included building profiles on social media and personal websites, and using a public service to generate an AI-generated human face as a fake profile picture. In November 2021, the group began impersonating real company employees by copying their personal information from social media and company databases such as RocketReach and CrunchBase.
Attackers then use fake email accounts to send spear-phishing emails under the pretense of a business offer, e.g. for outsourcing a software development project or an information security service.
At times, the attackers also try to get in touch with the target person and set up a meeting to discuss the project design or requirements.
In the final phase, the attacker uploaded the payload to a public file-sharing service (TransferNow, TransferXL, WeTransfer, or OneDrive) and then used a built-in email notification feature to share the file with the target, so that the final email came from a legitimate file-sharing service’s email address rather than the attacker’s, making detection even more difficult.
Large-scale human-powered phishing
Additional evidence suggests that an operator’s responsibilities might include:
- Customization of the initial “Business Proposal” templates when first contacting a target organization;
- Processing further communications to gain sympathy and trust;
- Uploading malware (acquired from another group) to a file-sharing service before it is shared with the target person.
A breakdown of the actor’s communication activity shows that the operators work a fairly typical 9-to-5 job with very little activity on the weekends. The distribution of the actor’s working hours suggests that the group operates in a Central or Eastern European time zone.
Malware and Attribution
Although the group was initially noticed for using documents containing an exploit for CVE-2021-40444, it later switched to sending ISO files with hidden BazarLoader DLLs and LNK shortcuts. These samples have some indicators that suggest they were created specifically for the group. For example, the metadata embedded in the LNK files shows that a number of fields such as the “Machine Identifier” and the “Drive Serial Number” are common to the BazarLoader ISOs distributed through other means, while other fields such as the command-line arguments in the samples shared by EXOTIC LILY are unique.
In March, the group continued to distribute ISO files, but with a DLL containing a custom loader that is a more advanced variant of a first-stage payload previously seen exploiting CVE-2021-40444. The loader can be recognized by its use of a unique user-agent, “bumblebee”, which both variants have in common. The malware, hence named BUMBLEBEE, uses WMI to collect various system details such as OS version, usernames and domain names, which are then submitted to a C2 in JSON format. In response, it expects one of several supported “tasks”, which include running shellcode and dropping and running executables. At the time of analysis, BUMBLEBEE was observed retrieving Cobalt Strike payloads.
EXOTIC LILY’s activities overlap with a group tracked as DEV-0413 (Microsoft). Previous reports of attacks exploiting CVE-2021-40444 (by Microsoft and other members of the security community) also indicated overlap between domains involved in the exploit’s supply chain and the infrastructure used to distribute BazarLoader and Trickbot.
Google believes that the shift to deploying BazarLoader, along with some other indicators such as a unique Cobalt Strike profile (described by RiskIQ), further confirms the existence of a relationship between EXOTIC LILY and the activities of a Russian cybercriminal group tracked as WIZARD SPIDER (CrowdStrike), FIN12 (Mandiant, FireEye) and DEV-0193 (Microsoft). While the nature of these relationships remains unclear, EXOTIC LILY appears to be operating as a distinct entity focused on gaining initial access through email campaigns, with follow-up activities involving the deployment of Conti and Diavol ransomware handled by a different group of actors.