Cyber Security News

Google Uncovers Initial Access Broker Behind Conti Ransomware Who Uses Phishing to Infiltrate Organization

Google’s Threat Analysis Group (TAG) has been conducting various analyses of threat actors and their ransomware. In September 2021, they observed a threat actor known as “EXOTIC LILY” exploiting a 0day in Microsoft MSHTML (CVE-2021-40444).

At first, this threat actor looked like just another typical group trying to infiltrate organizations, but TAG later found it to be what they call an “Initial Access Broker”.

Initial Access Brokers (IAB) are locksmiths for hire in the cyber world: they breach a target and then open the door for the highest bidder. This shows that they are resourceful and financially motivated. Reports indicate, however, that this group has been working for a Russian cybercrime gang tracked as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike).

EXOTIC LILY’s activity is linked to data exfiltration and the deployment of human-operated ransomware such as Conti or Diavol. As per TAG’s analysis, EXOTIC LILY was sending 5000 emails a day to around 650 organizations all around the world.

Until November 2021 the group was targeting specific industries such as cybersecurity, IT, and healthcare. Its recent activity suggests that it has since widened its focus and is attacking a wide variety of organizations and industries.

Their TTPs are based on spoofing companies and employees to gain the trust of a targeted organization. They then deliver the malware through file-sharing services like WeTransfer, TransferNow, and OneDrive. For a cybercrime group targeting organizations globally at mass scale, using these kinds of evasion techniques is rather unusual.

They spoof an organization’s domain by registering the same name under a different top-level domain. This builds credibility with email contacts; the next step is delivering the payload via file-sharing services. One evasion technique they used to deliver the malicious payload link was the built-in email feature of these file-sharing service providers.

By entering the victim’s email address as the recipient when sharing the file, they have the file-sharing service itself send the victim the link that leads to the payload, so the notification arrives from the provider rather than from the attacker’s own infrastructure. This makes detection considerably harder. Google has published a further detailed analysis of the group’s activities.
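The two email patterns described above (lookalike sender domains that reuse an organization’s name under another TLD, and payload links delivered by a file-sharing service’s own share-by-email notification) can both be triaged with simple mail-gateway logic. The following is an added example, not code from Google TAG or from the article; the trusted domains, the assumed notification sender domains for WeTransfer, TransferNow and OneDrive, and the sample messages are all constructed for the demo.

```python
"""Added example (not from the article): flag EXOTIC LILY-style
email patterns over constructed sample messages.

1. Lookalike sender domains: same organisation label as a trusted
   domain but a different top-level domain (example.com -> example.co).
2. Notifications from file-sharing services that carry a download link.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed: the organisation's own domain and a partner it trusts.
TRUSTED_DOMAINS = {"example.com", "partner-corp.com"}

# Assumed sender domains for the services named in the article; a real
# deployment would take these from the gateway's own sender telemetry.
FILE_SHARING_DOMAINS = {"wetransfer.com", "transfernow.net", "onedrive.com"}

URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    subject: str
    body: str


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased: 'A@Example.CO' -> 'example.co'."""
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def registrable_label(domain: str) -> str:
    """Label just left of the TLD: 'mail.example.co' -> 'example'.
    Simplified: multi-label public suffixes such as .co.uk are not handled."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike(domain: str, trusted: set[str] = TRUSTED_DOMAINS) -> bool:
    """True when the domain reuses a trusted organisation label under a
    different TLD. Exact matches and real subdomains are not lookalikes."""
    d = domain.lower()
    if d in trusted or any(d.endswith("." + t) for t in trusted):
        return False
    label = registrable_label(d)
    return any(registrable_label(t) == label for t in trusted)


def is_file_sharing_sender(domain: str, services: set[str] = FILE_SHARING_DOMAINS) -> bool:
    """True when the sender is a file-sharing service or one of its subdomains."""
    return domain in services or any(domain.endswith("." + s) for s in services)


def classify(msg: Message) -> list[str]:
    """Return the list of triage flags raised for one message."""
    flags: list[str] = []
    dom = sender_domain(msg.sender)
    if is_lookalike(dom):
        flags.append("lookalike-domain")
    # A share notification is only interesting when it carries a link.
    if is_file_sharing_sender(dom) and URL_RE.search(msg.body):
        flags.append("file-share-link")
    return flags


def triage(messages: list[Message]) -> dict[str, list[str]]:
    """Map each sender address to the flags its message raised."""
    return {m.sender: classify(m) for m in messages}


# Constructed sample traffic: one legitimate internal mail, one lookalike
# domain, two service notifications with links, one legitimate subdomain.
SAMPLE_MESSAGES = [
    Message("alice@example.com", "Q3 report", "Attached as discussed."),
    Message("alice@example.co", "Q3 report", "Please review the draft."),
    Message("noreply@wetransfer.com", "alice sent you files",
            "Download: https://wetransfer.com/downloads/constructed-id"),
    Message("noreply@onedrive.com", "Alice shared 'invoice'",
            "Open: https://onedrive.com/s/constructed-id"),
    Message("it-helpdesk@mail.example.com", "Ticket update", "No action needed."),
]

if __name__ == "__main__":
    for sender, flags in triage(SAMPLE_MESSAGES).items():
        print(f"{sender:35} {flags or 'clean'}")
```

The lookalike check deliberately treats subdomains of a trusted domain as legitimate, otherwise every internal system mailer would trip it; the trade-off is that the single-label heuristic misses suffixes like `.co.uk`, which a production filter would handle with a public-suffix list. Flagged messages are candidates for quarantine or link rewriting rather than automatic blocking, since the same file-sharing services carry plenty of legitimate traffic.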


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
