Google’s Threat Analysis Group (TAG) has identified a new initial access broker known as “Exotic Lily,” linked to a notorious Russian cybercrime group known for its participation in Conti and Diavol ransomware operations. The emergence of this threat actor raises serious concerns regarding cybersecurity practices across multiple sectors.
Exotic Lily has been observed exploiting a recently patched critical vulnerability in the Microsoft Windows MSHTML platform, specifically CVE-2021-40444, to conduct extensive phishing campaigns. These campaigns reportedly involve sending over 5,000 emails tailored as business proposals to approximately 650 organizations worldwide each day, highlighting the broad scope and persistence of their activities.
TAG researchers, Vlad Stolyarov and Benoit Sevens, likened initial access brokers to “opportunistic locksmiths of the security world,” emphasizing the strategic nature of their operations in facilitating breaches on behalf of higher-bidding malicious actors. This model of operation underscores a glaring vulnerability within the cybersecurity landscape that businesses must address proactively.
First detected in September 2021, Exotic Lily has purportedly engaged in data exfiltration and has been involved in deploying human-operated strains of the Conti and Diavol ransomware. These operations indicate a close connection with Wizard Spider, a prominent Russian cybercriminal syndicate recognized for utilizing malware such as TrickBot and BazarBackdoor, thereby exemplifying the intricate web of cybercrime networks.
Questions regarding Exotic Lily’s affiliation with the Wizard Spider group have emerged, particularly after observations of communication patterns among cybercriminals. Even as TAG acknowledges the potential connections, they remain cautious, recognizing that a definitive link has yet to be established.
The social engineering tactics employed by Exotic Lily have primarily focused on IT, cybersecurity, and healthcare organizations. However, since November 2021, attacks have expanded, becoming more indiscriminate and affecting a broader array of industries. This shift underscores the evolving threat landscape that business owners must navigate.
Utilizing fictitious identities and companies, Exotic Lily has effectively built trust with its targets. It has also capitalized on legitimate file-sharing services such as WeTransfer and OneDrive to deliver malware—including BazarBackdoor payloads—in an attempt to avoid detection. This method complicates identification efforts and highlights the sophisticated techniques employed by modern threat actors.
Furthermore, Exotic Lily has been reported to engage in impersonation tactics, using fake social media profiles to pose as employees of legitimate companies. By lifting personal data from public platforms, they enhance the credibility of their schemes, making them even more difficult to trace.
At the final stage of their attack strategy, the group leverages public file-sharing services to upload payloads, which are then distributed using built-in email notification features. This technique not only masks the true origins of the communication but also presents additional challenges for detection systems, showcasing the sophisticated methodologies employed in attacking modern organizations.
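The delivery pattern described above (a genuine notification email from a public file-sharing service, a business-proposal pretext, and an uploader the recipient has never corresponded with) is something a mail gateway can score rather than block outright, since share notifications are also normal business traffic. The following is an added example, not code from Google TAG or from the article: it parses constructed gateway log lines and flags the combination of signals for analyst review. The log format, the `shared_by` field, the notifier domains and the list of known correspondents are all assumptions made for the example.

```python
"""
Triage filter for file-sharing notification emails used as a malware delivery
channel.  Added example, not code from Google TAG or the article.  The log
format and every sample value below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Sender domains of notification emails from the file-sharing services the
# article names.  Assumption: a production rule would carry the exact
# notification addresses each service uses.
SHARING_NOTIFIERS = {"wetransfer.com", "onedrive.com", "sharepointonline.com"}

# Lure vocabulary matching the "business proposal" pretext described above.
LURE_TERMS = ("proposal", "contract", "quotation", "invoice", "project")

# Constructed list of external parties the organisation has corresponded with
# before; a share from anyone else is treated as first contact.
KNOWN_CORRESPONDENTS = {"finance@partner.example", "alice@partner.example"}

# Constructed gateway log lines in an assumed key="value" format.
SAMPLE_LOG = [
    'ts="2021-11-03T09:12:00Z" from="noreply@wetransfer.com" '
    'shared_by="m.keller@consulting-firm.example" '
    'subject="Project proposal: files sent via WeTransfer" '
    'url="https://wetransfer.com/downloads/constructed-id"',
    'ts="2021-11-03T10:40:00Z" from="no-reply@sharepointonline.com" '
    'shared_by="alice@partner.example" '
    'subject="Alice shared the folder meeting notes with you" '
    'url="https://partner-my.sharepoint.com/constructed-path"',
    'ts="2021-11-03T11:05:00Z" from="bob@vendor.example" shared_by="" '
    'subject="Contract renewal" url=""',
]


@dataclass
class Notification:
    sender: str     # From address of the notification email
    shared_by: str  # account that uploaded the file (assumed gateway field)
    subject: str
    url: str


FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Notification:
    """Parse one key="value" log line into a Notification; missing keys are empty."""
    fields = dict(FIELD_RE.findall(line))
    return Notification(
        sender=fields.get("from", ""),
        shared_by=fields.get("shared_by", ""),
        subject=fields.get("subject", ""),
        url=fields.get("url", ""),
    )


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def triage(msg: Notification) -> tuple[str, list[str]]:
    """Score one message; returns ('review' | 'pass', list of matched signals)."""
    via_share = domain_of(msg.sender) in SHARING_NOTIFIERS
    lure = any(term in msg.subject.lower() for term in LURE_TERMS)
    first_contact = bool(msg.shared_by) and msg.shared_by.lower() not in KNOWN_CORRESPONDENTS

    reasons = [
        name
        for flag, name in (
            (via_share, "delivered through a file-sharing notification"),
            (lure, "business-proposal lure in subject"),
            (first_contact, "file shared by a first-contact external party"),
        )
        if flag
    ]
    # A share notification on its own is routine; it is the combination with a
    # lure or an unknown uploader that merits a human look.
    verdict = "review" if via_share and (lure or first_contact) else "pass"
    return verdict, reasons


def triage_log(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Run triage over raw log lines; returns (subject, verdict, reasons) per line."""
    results = []
    for line in lines:
        msg = parse_line(line)
        verdict, reasons = triage(msg)
        results.append((msg.subject, verdict, reasons))
    return results


if __name__ == "__main__":
    for subject, verdict, reasons in triage_log(SAMPLE_LOG):
        print(f"{verdict:6} {subject!r} {reasons}")
```

Only the first sample line is escalated: it arrives through a sharing notification, carries the proposal lure, and was uploaded by an address the organisation has never dealt with. The second is a share from a known partner with no lure wording, and the third is ordinary direct mail, so neither is flagged even though the third mentions a contract.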
Alongside the Microsoft vulnerability, Exotic Lily reportedly utilizes a custom loader called Bumblebee, designed to collect system information and execute commands for further attacks, such as deploying Cobalt Strike. The behavioral patterns of Exotic Lily reveal a structured operation that resembles traditional office hours, with indications that their activities align with Central or Eastern European time zones. This suggests an organized effort that business owners need to remain vigilant against as they fortify their cybersecurity measures.
In conclusion, the emergence of Exotic Lily serves as a stark reminder of the evolving threats within the cybersecurity landscape. Business owners should take note of the targeted sectors, along with the potential tactics and techniques outlined in the MITRE ATT&CK framework, as part of their comprehensive approach to safeguarding their digital assets.