
Google TAG: EXOTIC LILY works with Conti and others as Initial Access Broker (IAB)

EXOTIC LILY hackers are working with the Conti ransomware gang and others as an Initial Access Broker (IAB), according to Google’s Threat Analysis Group (TAG). TAG observed EXOTIC LILY exploiting a zero-day in Microsoft MSHTML (CVE-2021-40444). Investigating this activity, researchers determined that they are an IAB who appear to be working with the Russian cybercrime gang FIN12 (aka WIZARD SPIDER). Initial access brokers are the opportunistic locksmiths of the security world, and it’s a full-time job: these groups specialize in breaching a target in order to open the doors—or the Windows—to the malicious actor with the highest bid. EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and the deployment of human-operated ransomware such as Conti and Diavol.

According to the cybersecurity experts, the group, apart from traditional TTPs, leverages legitimate file-sharing services to deliver malware

EXOTIC LILY, at the peak of its activity, sent more than 5,000 emails a day to as many as 650 targeted organizations globally. Up until November 2021, the cybercrime group seemed to be targeting specific industries such as IT, cybersecurity and healthcare, but more recently it has attacked a wide variety of organizations and industries with less specific focus. The threat actor’s tactics, techniques and procedures (TTPs) are traditionally associated with more targeted attacks, such as spoofing companies and employees as a means of gaining the trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little to no automation. Additionally, and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the malware, further evading detection mechanisms. This level of human interaction is rather unusual for cyber criminals focused on mass-scale operations.
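The two traits described above (a spoofed or lookalike sender impersonating a known company, and a delivery link on a legitimate file-sharing service) can be turned into a simple mail-triage heuristic. The following is an added example, not code from the article or from Google TAG; the service hostnames, the trusted partner domain `acme-corp.com`, the 0.85 similarity threshold and the sample messages are all assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from urllib.parse import urlparse

# Hostnames of the file-sharing services the page names (assumed hostnames).
FILE_SHARING_HOSTS = {"wetransfer.com", "transfernow.net", "1drv.ms", "onedrive.live.com"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""")
TRUSTED_DOMAINS = {"acme-corp.com"}  # hypothetical partner domain being impersonated

def sharing_links(text: str) -> list:
    # URLs whose host is (a subdomain of) one of the file-sharing services.
    found = [(u, (urlparse(u).hostname or "").lower()) for u in URL_RE.findall(text)]
    return [u for u, h in found if any(h == s or h.endswith("." + s) for s in FILE_SHARING_HOSTS)]

def analyse(msg: dict, trusted: set) -> list:
    # Collect the traits the page describes: spoofed sender plus file-sharing delivery.
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    if domain not in trusted:
        # Lookalike domain: near-identical to a trusted one (e.g. one swapped character).
        close = [t for t in trusted if SequenceMatcher(None, domain, t).ratio() >= 0.85]
        if close:
            reasons.append(f"sender domain {domain} resembles trusted {close[0]}")
        # Display-name impersonation: trusted org name shown, untrusted domain behind it.
        org = [t for t in trusted if re.split(r"[^a-z0-9]", t)[0] in name.lower()]
        if org:
            reasons.append(f"display name '{name}' claims {org[0]} from untrusted domain")
    for url in sharing_links(msg["body"]):
        reasons.append(f"file-sharing link on {urlparse(url).hostname}")
    return reasons

def triage(messages: list, trusted: set = TRUSTED_DOMAINS) -> dict:
    # Messages combining two or more traits are the ones worth an analyst's look.
    return {m["id"]: r for m in messages if len(r := analyse(m, trusted)) >= 2}

# Constructed sample messages (not real EXOTIC LILY artifacts).
SAMPLE_MESSAGES = [
    {"id": 1, "from": "Jane Doe <jane.doe@acme-corp.com>",
     "body": "Minutes are on the wiki: https://wiki.acme-corp.com/notes"},
    {"id": 2, "from": "Jane Doe <jane.doe@acme-c0rp.com>",
     "body": "Proposal for your review: https://wetransfer.com/downloads/abc123"},
    {"id": 3, "from": "ACME Corp Billing <billing@mail-notify.example>",
     "body": "Invoice shared via https://1drv.ms/u/s!xyz"},
]
```

Running `triage(SAMPLE_MESSAGES)` flags messages 2 and 3 and leaves the genuine internal message alone; in practice the trusted list would come from the organization's own partner directory.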
