New cybercriminals called Exotic Lily were recently analyzed by Google’s Threat Analysis Group (TAG). The activity of this financially motivated group has been observed since at least September 2021. After thorough investigation, it is fair to suggest that Exotic Lily cybercrime group is an Initial Access Broker (IAB) that is interested in obtaining unlawful access to organizations’ internal networks in order to sell it multiple times on a black cyber market. Among the most active clients of this cyber gang are the notorious FIN12/WIZARD SPIDER threat actors, as well as Conti and Diavol ransomware maintainers.

The attack vectors of Exotic Lily threat actors have been consistent, according to Google’s researchers. Their phishing campaigns have been exploiting a CVE-2021-40444 vulnerability in Microsoft Windows MSHTML, sending more than 5,000 emails a day to 650 organizations globally. See our newest detection content for this activity below.

Exotic Lily’s Operations Detection

To detect the suspicious activity of the Exotic Lily group in your infrastructure, view a set of dedicated Sigma-based rules available in the SOC Prime’s platform. Make sure to log into the platform or register a new account if you don’t have an existing one to access this ruleset:

Possible EXOTIC LILY Execution with Microsoft MSHTML Vulnerability (CVE-2021-40444) via Rundll32

Suspicious .ISO file dropped (via file_event)

EXOTIC LILY’s loader User-Agent (via proxy)

System information gathering via wmic.exe

Check out more detections from the extensive collection of the SOC Prime’s platform to make sure you spot suspicious activity at various stages of a possible attack chain. For example, the following rules help detect the CVE-2021-40444 vulnerability exploits:

Possible CVE-2021-40444 Exploitation (Microsoft MSHTML Remote Code Execution Vulnerability) (via image_load)

IOCs of Zero Day Attack Detected by EXPMON [CVE-2021-40444 Exploitation] (via cmdline)

Also, don’t forget to check for suspicious activity on hosts:

LOLBAS rundll32 (via cmdline)

LOLBAS rundll32 without expected arguments (via cmdline)

And if you are ready to share your own expertise, you are highly welcome to join our global crowdsourcing initiative and get monetary rewards for your valuable contribution.

View Detections Join Threat Bounty


Activity of Exotic Lily: Analysis

Exotic Lily’s methods in essence are not new, that’s why they have been identifiable for threat intelligence experts. However, identity spoofing that they executed has been highly accurate and in most cases, impossible to distinguish from legitimate emails. Researchers suggest that Exotic Lily spear-phishing campaigns have been conducted by hand, not automatically. The most likely location of the attackers is Central or Eastern Europe and the highest activity has been observed during business hours (from 9:00 AM to 6:00 PM). 

The adversaries started by creating fake personas that corresponded with real and trusted individuals. First, they would create a copy of a legitimate persona’s website with an altered TLD (e.g., .US instead of .COM), followed by social media and email accounts. The emails they sent included business proposals and sometimes were followed by particular discussions, scheduling of a business meeting, etc., to make it believable. 

The final email with a malicious payload was sent using a legitimate file-sharing service like OneDrive, WeTransfer, or TransferNow and shared via a built-in email notification feature. This allowed the malware to evade detection.

In March 2022, Exotic Lily switched to the delivery of custom-built ISO files with hidden BazarLoader DLLs and LNK shortcuts. The latest versions of the hidden DLLs they used include a more advanced variant of an Initial Access payload. Researchers believe that the shift to BazarLoader indicates the existence of Exotic Lily’s relationship with Russian cybercrime groups, such as DEV-0193 (FIN12/WIZARD SPIDER).

Embrace the power of collaborative defense by joining our global cybersecurity community at SOC Prime’s Detection as Code platform. Avail accurate and timely detections made by seasoned professionals from around the world to boost your SOC team’s operations and security posture.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts