Chris Swagler | March 22nd, 2022

The operations of a threat actor called “EXOTIC LILY,” an initial access broker with connections to the Conti and Diavol ransomware operations, were exposed by a threat analysis group. EXOTIC LILY was discovered exploiting a zero-day vulnerability in Microsoft MSHTML (CVE-2021-40444), which drew the researchers’ interest as a potentially sophisticated threat actor. Further investigation found that EXOTIC LILY breaches targeted corporate networks using large-scale phishing campaigns and sells access to those networks to ransomware groups. At its peak, EXOTIC LILY was sending over 5,000 emails to 650 businesses in a single day.

The Threat Analysis Group (TAG) investigating EXOTIC LILY discovered that the threat actors work mostly from 9:00 am to 5:00 pm on weekdays and log relatively little activity on weekends. Even though it seems unusual for cybercriminals to work a regular 9 to 5 job, recent Conti leaks reveal that many threat actors operate like businesses, requesting days off, reporting to managers, and receiving salaries. Group members perform backend technical tasks, including customizing business proposal templates or uploading malware payloads to legitimate file-sharing services before sharing links with targets. From an operational perspective, the attack chain follows a strict pattern: registering a faked domain, using it to send emails, establishing a relationship with the target, and sharing a payload through a file-hosting service. The domains used match the impersonated organization’s actual domain name but are registered under different TLDs such as “.us,” “.co,” or “.biz.”
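A defender-side check for the lookalike-domain pattern described above, added here as an example and not code from the original post or from TAG’s report. It flags inbound senders whose domain reuses a trusted organization’s name under a different TLD; the trusted domains, sender addresses and the short public-suffix table are constructed assumptions, and it also handles two-label suffixes such as .co.uk, which the post does not mention.

```python
"""Flag sender domains that reuse a trusted organisation's name on another TLD.

Added example (not from the original post or Google TAG). All domains and
addresses below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed allow-list of domains the receiving company genuinely deals with.
TRUSTED_DOMAINS = {"examplecorp.com", "partner-design.net"}

# Multi-label public suffixes handled explicitly; a real deployment would use
# the Public Suffix List (assumption: this short table suffices here).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


@dataclass(frozen=True)
class Verdict:
    sender_domain: str
    lookalike_of: Optional[str]  # trusted domain whose name is reused, if any

    @property
    def suspicious(self) -> bool:
        return self.lookalike_of is not None


def split_domain(domain: str) -> tuple:
    """Return (organisation label, public suffix) for a domain, lower-cased."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def check_sender(address: str, trusted=TRUSTED_DOMAINS) -> Verdict:
    """Flag a sender whose org label matches a trusted domain but whose TLD differs."""
    domain = address.rsplit("@", 1)[-1].lower()
    org, suffix = split_domain(domain)
    for known in trusted:
        k_org, k_suffix = split_domain(known)
        if k_org == org and k_suffix != suffix:
            return Verdict(domain, known)  # same name, different TLD: lookalike
    # Exact trusted domain, a subdomain of it, or an unrelated domain: not flagged.
    return Verdict(domain, None)
```

Run the check over each inbound sender at the mail gateway or in a SIEM enrichment step; an exact trusted domain or one of its subdomains is never flagged, only a name reused under another TLD.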

The actors obtain the targets’ email addresses through open-source intelligence or send a fake proposal through the target’s website contact form. EXOTIC LILY operators create fake LinkedIn accounts that fraudulently claim employment at the impersonated organization, using AI-generated images or photos stolen from actual employees. This gives a false impression of legitimacy while initial communications stay focused on the proposal’s design or service requirements. According to TAG, once the victim lowers their guard, the attackers share a download link through TransferNow, TransferXL, WeTransfer, or OneDrive, which leads to the BazarLoader malware download. The same file-sharing sites were used in a similar BazarLoader phishing campaign.

The group’s malware was first discovered in the form of a document file attempting to exploit the CVE-2021-40444 vulnerability. The threat actor then switched delivery to ISO archives containing BazarLoader DLLs and LNK shortcuts. Investigators found customization in these samples; however, it might have been done by the other actors who supplied the malware to EXOTIC LILY. The group continued to use ISO files but added a DLL containing a custom loader, a more advanced version of the earlier first-stage loader. This loader drops the malware strain “Bumblebee,” which uses WMI to collect system information and exfiltrate it to the C2. Bumblebee can also receive commands from remote actors and download and run additional payloads; the files it fetches are Cobalt Strike.

Even though EXOTIC LILY’s activities resemble Conti’s own operations, the threat analysts believe it is a different threat actor focused solely on establishing initial network access. Although the nature of its relationships with other groups remains unclear, EXOTIC LILY appears to operate as a separate entity that focuses on obtaining initial access through email campaigns; follow-up activities, including deploying Conti and Diavol ransomware, are performed by different actors.

It’s worth mentioning that the recent release of Conti’s internal messages reveals a thriving crime organization with different departments having different roles and central coordination. Additionally, the Conti operation has a strong connection to the TrickBot organization and its malware operations, including Diavol, TrickBot, BazarBackdoor, and Anchor. Researchers discovered that the Conti ransomware operation has gained control of TrickBot’s malware development, which is corroborated by conversations between Conti managers exposed in the Conti leaks. It wouldn’t be surprising if Conti had its own internal teams dedicated to high-level spear phishing and initial network access that deployed these infections.

Even though it’s possible that the Conti operation is behind the spamming operation, TAG explains that the lack of discussion about spamming in the Conti leaks indicates it’s an external group. In the leaks, Conti members describe spammers as outsourced partners they work with, including by supplying them custom-built “crypted” malware samples. However, the spammers don’t appear to be present or actively communicating in the chat, which suggests they operate as separate entities.

With this recent exposure of a ransomware group’s access broker and attack methods and tactics, it’s critical for companies to always remain ahead of the current threat landscape and enhance their network security posture. At SpearTip, our advisory services quickly identify the risks that matter in real-world cyberattacks. Our extensive experience in incident response and forensic analysis provides us with knowledge and expertise in the vulnerabilities being used by ransomware groups to exploit companies’ networks. Our certified engineers examine a company’s entire security posture during our cybersecurity risk assessment process and test all vulnerabilities and weaknesses. Our ShadowSpear Platform, our endpoint detection and response tool, provides optimal visibility and prevents ransomware groups like Conti from exploiting networks’ vulnerabilities and stealing sensitive data.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.