TAG researcher Vlad Stolyarov reported that “Initial access brokers are the opportunistic locksmiths of the security world. These groups specialise in breaching a target in order to provide the malicious actor with access to the doors or the Windows.” TAG has disclosed a new initial access broker that it claims is closely associated with a Russian cybercrime gang known for its Conti and Diavol ransomware operations.
Exotic Lily, a financially motivated threat actor, was observed exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform (CVE-2021-40444) as part of widespread phishing campaigns that involved sending no fewer than 5,000 business proposal-themed emails per day to 650 targeted organisations worldwide.
Exotic Lily, discovered in September 2021, is said to have been involved in data exfiltration and the deployment of the human-operated Conti and Diavol ransomware strains, both of which overlap with the Russian cybercriminal syndicate known as Wizard Spider, which is also responsible for TrickBot, BazarBackdoor and Anchor.
The threat actor’s social engineering lures, sent from spoofed email accounts, have specifically targeted the IT, cybersecurity and healthcare sectors, though the attacks have become more indiscriminate since November 2021, targeting a wide range of organisations and industries.
Exotic Lily has used legitimate file-sharing services like WeTransfer, TransferNow, and OneDrive to deliver BazarBackdoor payloads in order to avoid detection mechanisms, in addition to using fictitious companies and identities to build trust with the targeted entities.
At the final stage, the attacker would upload the payload to a public file-sharing service and then use a built-in email notification feature to share the file with the target, allowing the final email to originate from a legitimate file-sharing service’s email address rather than the attacker’s email address, which presents additional detection challenges.
The MSHTML exploit is also used to deliver a custom loader called Bumblebee, which gathers and exfiltrates system information to a remote server; the server responds with commands to execute shellcode and run next-stage executables, including Cobalt Strike.
Finally, the researchers concluded that “EXOTIC LILY appears to operate as a separate entity, focusing on gaining initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors.”
Indicators of Compromise
BazarLoader ISO samples:
Recent BUMBLEBEE ISO samples:
Recent BUMBLEBEE C2: