Exotic Lilly An Initial Access Broker for Conti

Google’s TAG has disvovered a financially motivated threat actor working as an intermediary for the Russian hackers, including the Conti ransomware gang.

The group, dubbed “Exotic Lily,” acts as an initial access broker, finding vulnerable organizations and selling access to their networks to the highest bidder. By contracting out the initial access to a victim’s network, ransomware gangs like Conti can focus on the execution phase of an attack.

Initial access was gained usually through email campaigns, in which the group masqueraded as legitimate organizations and employees through the use of domain and identity spoofing. In the majority of cases, a spoofed domain was nearly identical to the real domain name of an existing organization, but changed the top-level domains to “.us,” “.co” or “.biz.” In order to appear as legitimate employees, Exotic Lily set up social media profiles and AI-generated images of human faces.

The attackers, believed to be operating from Central or Eastern Europe due to the threat actors’ working hours, would then send spear-phishing emails under the pretext of a business proposal, before ultimately uploading a payload to a public file-sharing service such as WeTransfer or Microsoft OneDrive.

These malicious payloads initially took the form of documents containing an exploit for a zero-day in Microsoft’s MSHTML browser engine tracked as CVE-2021-40444, before the attackers switched to the delivery of ISO disk images containing hidden BazarLoader payloads. Researchers say this shift confirms Exotic Lily’s relationship with a Russian cybercrime group tracked as Wizard Spider (aka UNC1878), which is linked to the notorious Ryuk ransomware

Google says that Exotic Lily appears to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware.

Exotic Lily, active since September 2021 , was sending more than 5,000 phishing emails a day to as many as 650 organizations during the peak of its activity. While the group initially seemed to be targeting specific industries such as IT, cybersecurity and healthcare, it has more recently begun attacking a wide variety of organizations and industries, with less of a specific focus.

Indicators of Compromise

Malicious Domains

• conlfex[.]com
• avrobio[.]co
• elemblo[.]com
• phxmfg[.]co
• modernmeadow[.]co
• lsoplexis[.]com
• craneveyor[.]us
• faustel[.]us
• lagauge[.]us
• missionbio[.]us
• richllndmetals[.]com
• kvnational[.]us
• prmflltration[.]com
• brightlnsight[.]co
• belcolnd[.]com
• awsblopharma[.]com
• amevida[.]us
• revergy[.]us
• al-ghurair[.]us
• opontia[.]us

BazarLoader ISO samples:

• 5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be
• 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269
• c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7

BUMBLEBEE ISO samples:

• 9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32
• 6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8
• 201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9
• 1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd
• 01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225

BUMBLEBEE C2:

• 23.81.246[.]187:443