Google’s Threat Analysis Group (TAG) has been conducting analyses of threat actors and their ransomware operations. In September 2021, TAG became aware of a threat actor it named “EXOTIC LILY” exploiting a zero-day in Microsoft MSHTML (CVE-2021-40444).
At first, this threat actor looked like just another group trying to infiltrate organizations, but TAG later identified it as what is known as an “Initial Access Broker”.
Initial Access Brokers (IABs) are the locksmiths for hire of the cyber world: they breach a target and open the doors for the highest bidder, which shows that they are resourceful and financially motivated. However, reports revealed that EXOTIC LILY has been working for the Russian cybercrime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike).
EXOTIC LILY’s activity is linked to data exfiltration and the deployment of human-operated ransomware such as Conti or Diavol. According to TAG’s analysis, EXOTIC LILY was sending 5000 emails a day to around 650 organizations all around the world.
Until November 2021, the group targeted specific industries such as cybersecurity, IT, and healthcare. Its more recent activity suggests that it has become less selective and is now attacking a wide variety of organizations and industries.
Their TTPs are based on spoofing companies and employees to gain the trust of a targeted organization, after which they deliver the malware through file-sharing services such as WeTransfer, TransferNow, and OneDrive. For a cybercrime group targeting organizations at this scale worldwide, the use of such evasion techniques is rather unusual.
They spoof an organization’s domain by registering the same name under various other top-level domains. This builds credibility with email contacts, and the payload is then delivered via file-sharing services. One of the evasion techniques used to deliver the malicious payload link was the built-in email feature of these file-sharing providers.
The attacker enters the victim’s email address as the recipient of the shared file, and the file-sharing provider itself then sends the victim a notification email containing the link to the payload. Because the message originates from a legitimate service, detection becomes much more complicated. A more detailed analysis of the group’s activities was published by Google.
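The two delivery tricks described above (a lookalike domain that reuses a trusted partner’s name under a different top-level domain, and a download link arriving in a notification from a legitimate file-sharing service) can both be surfaced by a simple triage of the sender domain of inbound mail. The script below is an added defensive example written for this article; it is not code from Google TAG or from the original page. The trusted-partner list, the sample messages and the `triage()` helper are constructed assumptions, and the domain split is deliberately naive (it does not use the Public Suffix List, so multi-label suffixes such as `co.uk` are not handled).

```python
"""Sender-domain triage for inbound mail: flags lookalike partner domains
and notification mail from file-sharing services (added defensive example)."""
import re
from typing import List, Optional, Tuple

# Constructed list of domains the organisation legitimately corresponds with.
TRUSTED_DOMAINS = {"example.com", "partner-corp.com"}

# File-sharing services named in the TAG report. Their notification mail
# carries a download link on behalf of whoever filled in the recipient field,
# so it deserves a second look even though the sending service is legitimate.
FILE_SHARING_DOMAINS = {"wetransfer.com", "transfernow.net", "onedrive.live.com"}


def registered_name(domain: str) -> Tuple[str, str]:
    """Split 'example.co' into ('example', 'co').

    Naive split on the last dot; assumption for this example only. A real
    deployment would use the Public Suffix List so that 'example.co.uk'
    yields ('example', 'co.uk').
    """
    name, _, tld = domain.lower().strip().rpartition(".")
    return name, tld


def sender_domain(from_header: str) -> Optional[str]:
    """Extract the domain part of a From: header value, or None if absent."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower().rstrip(".") if match else None


def classify_sender(from_header: str) -> str:
    """Return a verdict string for one From: header value.

    Verdicts: 'trusted', 'file-sharing-notification', 'lookalike-of:<domain>',
    'unknown', or 'malformed' when no address can be parsed.
    """
    domain = sender_domain(from_header)
    if domain is None:
        return "malformed"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if domain in FILE_SHARING_DOMAINS:
        return "file-sharing-notification"
    name, tld = registered_name(domain)
    # Same registered name as a partner but a different TLD is the pattern
    # the article describes: the name builds credibility, the TLD differs.
    for trusted in TRUSTED_DOMAINS:
        trusted_name, trusted_tld = registered_name(trusted)
        if name == trusted_name and tld != trusted_tld:
            return f"lookalike-of:{trusted}"
    return "unknown"


def triage(from_headers: List[str]) -> List[Tuple[str, str]]:
    """Classify a batch of From: headers, returning (header, verdict) pairs."""
    return [(header, classify_sender(header)) for header in from_headers]


# Constructed sample headers for a stand-alone run.
SAMPLE_FROM_HEADERS = [
    "Alice Smith <alice@example.com>",
    "Alice Smith <alice@example.co>",
    "WeTransfer <noreply@wetransfer.com>",
    "bob@unrelated.org",
    "no address here",
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:28s} {header}")
```

In practice the `lookalike-of` and `file-sharing-notification` verdicts would feed a mail-gateway rule or a SIEM alert rather than a print statement; the point of the example is that neither pattern is caught by checking for a known-bad domain, because the lookalike domain is new and the file-sharing sender is genuine.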