Google Analyzes Activity of ‘Exotic Lily’ Initial Access Broker

Google on Thursday published an analysis of the activities associated with an initial access broker (IAB) linked to a Russian-speaking cybercrime group tracked as FIN12 and Wizard Spider.

Specialized in compromising targets to provide access to other threat actors, the activities of this financially motivated group, which Google tracks as Exotic Lily, are closely tied to data exfiltration and the deployment of ransomware such as Conti and Diavol, and show some overlaps with BazarLoader and TrickBot distribution.

At the peak of its activity, Exotic Lily was likely sending over 5,000 phishing emails a day, targeting roughly 650 organizations globally, mainly focused on the cybersecurity, healthcare, and IT sectors.

The group employs tactics, techniques and procedures (TTPs) typically associated with more targeted attacks – including the spoofing of companies and employees – and uses file-sharing services for payload delivery, to evade detection mechanisms.

Google’s Threat Analysis Group (TAG) has been tracking Exotic Lily since September 2021 – when the hackers were observed targeting CVE-2021-40444, a zero-day vulnerability in Microsoft MSHTML – and says that the group’s attack chain has remained relatively consistent.

[ READ: BlackBerry Researchers Dive Into Prometheus TDS Operations ]

What makes Exotic Lily stand out is the use of domain and identity spoofing: the group creates entirely fake personas to pose as employees of a real company – paired with social media profiles, personal websites, and an AI-generated profile picture.

The group then starts sending spear-phishing emails using spoofed email accounts, and even attempts to schedule a meeting with the target, under the pretext of a business proposal. At the final stage, a payload hosted on a public file-sharing service is sent to the victim.

The payload is sent using a built-in email notification feature, “allowing the final email to originate from the email address of a legitimate file-sharing service and not the attacker’s email,” Google explains.

Exotic Lily, the researchers note, is running human-operated phishing at scale, likely from a Central or Eastern European time zone, typically working from 9-to-5 during weekdays, with little activity on weekends.

[ READ: Enterprises Warned of Growing Risk Posed by Initial Access Brokers ]

Initially relying on CVE-2021-40444 exploits, the group has switched to the use of ISO files containing BazarLoader DLLs and LNK shortcuts. The samples appear to have been custom built for this group only.

In attacks observed this month, the group employed ISO files with a DLL containing a custom loader dubbed Bumblebee, which Google identified as “a more advanced variant of a first-stage payload previously seen during CVE-2021-40444 exploitation.”

Despite a close connection with FIN12, “Exotic Lily seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors,” Google concludes.

Related: Links Found Between MSHTML Zero-Day Attacks and Ransomware Operations

Related: Conti Ransomware Source Code Leaked

Related: After Nation-State Hackers, Cybercriminals Also Add Sliver Pentest Tool to Arsenal