New cybercriminals called Exotic Lily were recently analyzed by Google’s Threat Analysis Group (TAG). The activity of this financially motivated group has been observed since at least September 2021. After thorough investigation, it is fair to suggest that Exotic Lily cybercrime group is an Initial Access Broker (IAB) that is interested in obtaining unlawful access to organizations’ internal networks in order to sell it multiple times on a black cyber market. Among the most active clients of this cyber gang are the notorious FIN12/WIZARD SPIDER threat actors, as well as Conti and Diavol ransomware maintainers.
The attack vectors of Exotic Lily threat actors have been consistent, according to Google’s researchers. Their phishing campaigns have been exploiting a CVE-2021-40444 vulnerability in Microsoft Windows MSHTML, sending more than 5,000 emails a day to 650 organizations globally. See our newest detection content for this activity below.
To detect the suspicious activity of the Exotic Lily group in your infrastructure, view a set of dedicated Sigma-based rules available in the SOC Prime’s platform. Make sure to log into the platform or register a new account if you don’t have an existing one to access this ruleset:
Check out more detections from the extensive collection of the SOC Prime’s platform to make sure you spot suspicious activity at various stages of a possible attack chain. For example, the following rules help detect the CVE-2021-40444 vulnerability exploits:
Also, don’t forget to check for suspicious activity on hosts:
And if you are ready to share your own expertise, you are highly welcome to join our global crowdsourcing initiative and get monetary rewards for your valuable contribution.
Exotic Lily’s methods in essence are not new, that’s why they have been identifiable for threat intelligence experts. However, identity spoofing that they executed has been highly accurate and in most cases, impossible to distinguish from legitimate emails. Researchers suggest that Exotic Lily spear-phishing campaigns have been conducted by hand, not automatically. The most likely location of the attackers is Central or Eastern Europe and the highest activity has been observed during business hours (from 9:00 AM to 6:00 PM).
The adversaries started by creating fake personas that corresponded with real and trusted individuals. First, they would create a copy of a legitimate persona’s website with an altered TLD (e.g., .US instead of .COM), followed by social media and email accounts. The emails they sent included business proposals and sometimes were followed by particular discussions, scheduling of a business meeting, etc., to make it believable.
The final email with a malicious payload was sent using a legitimate file-sharing service like OneDrive, WeTransfer, or TransferNow and shared via a built-in email notification feature. This allowed the malware to evade detection.
In March 2022, Exotic Lily switched to the delivery of custom-built ISO files with hidden BazarLoader DLLs and LNK shortcuts. The latest versions of the hidden DLLs they used include a more advanced variant of an Initial Access payload. Researchers believe that the shift to BazarLoader indicates the existence of Exotic Lily’s relationship with Russian cybercrime groups, such as DEV-0193 (FIN12/WIZARD SPIDER).
Embrace the power of collaborative defense by joining our global cybersecurity community at SOC Prime’s Detection as Code platform. Avail accurate and timely detections made by seasoned professionals from around the world to boost your SOC team’s operations and security posture.