TAG researchers Vlad Stolyarov reported that ,” Initial access brokers are the opportunistic locksmiths of the security world .These groups specialise in breaching a target in order to provide the malicious actor with access to the doors   or the Windows.” TAG has launched a new initial access broker that it claims is closely associated with a Russian cybercrime gang known for its Conti and Diavol ransomware operations.

Exotic Lily, a financially motivated threat actor, was observed exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform (CVE-2021-40444) as part of widespread phishing campaigns that involved sending no less than 5,000 business proposal-themed emails per day to 650 targeted organisations worldwide.

Exotic Lily, discovered in September 2021, is said to have been involved in data exfiltration and the deployment of the human-operated Conti and Diavol ransomware strains both of which have overlaps with the Russian cybercriminal syndicate known as Wizard Spider, which is also responsible for TrickBot, BazarBackdoor and Anchor.

The threat actor’s social engineering lures, sent from spoofed email accounts, have specifically targeted the IT, cybersecurity and healthcare sectors, though the attacks have become more indiscriminate since November 2021, targeting a wide range of organisations and industries.

Exotic Lily has used legitimate file-sharing services like WeTransfer, TransferNow, and OneDrive to deliver BazarBackdoor payloads in order to avoid detection mechanisms in addition to using fictitious companies and identities to build trust with the targeted entities.

At the final stage, the attacker would upload the payload to a public file-sharing service and then use a built-in email notification feature to share the file with the target, allowing the final email to originate from a legitimate file-sharing service’s email address rather than the attacker’s email address, which presents additional detection challenges.

The MHTML exploit is also used to deliver a custom loader called Bumblebee which is managed to gather and exfiltrate system information to a remote server, which responds with commands to execute shellcode and run next-stage executables, including Cobalt Strike.

Finally the researchers concluded that ,” EXOTIC LILY appears to operate as a separate entity, focusing on gaining initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors.”

Indicators of Compromise

  • conlfex[.]com
  • avrobio[.]co
  • elemblo[.]com
  • phxmfg[.]co
  • modernmeadow[.]co
  • lsoplexis[.]com
  • craneveyor[.]us
  • faustel[.]us
  • lagauge[.]us
  • missionbio[.]us
  • richllndmetals[.]com
  • kvnational[.]us
  • prmflltration[.]com
  • brightlnsight[.]co
  • belcolnd[.]com
  • awsblopharma[.]com
  • amevida[.]us
  • revergy[.]us
  • al-ghurair[.]us
  • opontia[.]us

BazarLoader ISO samples:

  • 5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be
  • 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269
  • c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7

Recent BUMBLEBEE ISO samples:

  • 9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32
  • 6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8
  • 201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9
  • 1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd
  • 01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225


  • 23.81.246[.]187:443

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s