EXOTIC LILY threat group tactics revealed

A group tracked by Google’s Threat Analysis Group (TAG), dubbed ‘EXOTIC LILY’, has been sending up to 5,000 phishing emails a day with unusual attention to detail, including domain and identity spoofing and the creation of fake personas with AI-generated faces (posing as employees of a real company).

The group, which TAG says acts as an initial access broker for ransomware groups, also uses legitimate file-sharing services such as WeTransfer, TransferNow and OneDrive to deliver the payload, sidestepping email security tools that scan for malicious attachments. (The delivered malware then retrieves Cobalt Strike payloads, TAG said.)

EXOTIC LILY was first spotted exploiting a Microsoft zero day (CVE-2021-40444) in September 2021. Within months, the “resourceful and financially motivated group” began to pose as real company employees, copying their personal details from social media and commercial databases such as RocketReach and Crunchbase.

(CVE-2021-40444, which Microsoft patched in September 2021, affects MSHTML, the browser rendering engine used by Internet Explorer and also by Office applications to display web-hosted content in Word, Excel or PowerPoint. An attacker typically crafts a malicious ActiveX control that is loaded by an Office document hosting the rendering engine; the RCE bug was widely exploited in the wild.)

EXOTIC LILY threat group uses spoofed domain names

The modus operandi of “EXOTIC LILY”. Credit: TAG

Describing EXOTIC LILY as likely initial access brokers (“the opportunistic locksmiths of the security world”) working for ransomware groups, TAG said that at its peak in November 2021 the group was emailing as many as 650 targeted organizations worldwide. It specifically named IT, cybersecurity and healthcare businesses as early targets, “but lately we’ve seen them attack a wide variety of organizations and industries, with less specific focus.”

“One notable technique is the use of domain and identity spoofing as a means of gaining additional credibility with a targeted organization. In the majority of cases, a spoofed domain name was identical to the real domain name of an existing organization, with the only difference being a change of TLD to ‘.us’, ‘.co’ or ‘.biz’,” TAG said.

(One of the more alarming variants of this attack was described to us by a red team professional, who set up mail servers for typosquatted domains for around $20, started intercepting all emails destined for a pharmaceutical company and, within a week, had received an email from someone on the “inside” of the company wanting IT support. The red teamer simply picked up the phone, said he had received the email (“how can we help you?”) and installed a remote access tool with the target’s blessing: game over.)
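The TLD-swap trick TAG describes, and the typosquatting the red teamer used, are both cheap to catch at the mail gateway if you know which domains are yours. The script below is an added example written for this article, not code from TAG or from the red team; the protected domains and the mail-gateway log lines in it are constructed. It flags any sender whose domain shares the registered label of a protected domain but carries a different TLD, and any sender whose label is one edit away from a protected one.

```python
import re

# Constructed inventory of domains the organisation owns; in practice load from asset data.
PROTECTED_DOMAINS = ["examplepharma.com", "contoso-it.com"]

# Constructed mail-gateway log lines (illustrative, not real traffic).
SAMPLE_LOG = """\
2022-03-14T09:12:01Z accepted from=<hr@examplepharma.com> to=<bob@examplepharma.com>
2022-03-14T09:14:37Z accepted from=<jane.lee@examplepharma.us> to=<bob@examplepharma.com>
2022-03-14T09:20:05Z accepted from=<itdesk@contoso-it.co> to=<alice@contoso-it.com>
2022-03-14T09:25:44Z accepted from=<finance@examplepharna.com> to=<bob@examplepharma.com>
2022-03-14T09:30:12Z accepted from=<news@vendor-updates.net> to=<bob@examplepharma.com>
"""

SENDER_RE = re.compile(r"from=<[^@>]+@([^>]+)>")


def split_domain(domain):
    """Naive split into (everything before the last label, TLD).

    A production version should use the Public Suffix List so that
    'example.co.uk' is not treated as label 'example.co' under TLD 'uk'.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[:-1]), labels[-1]


def edit_distance(a, b):
    """Levenshtein distance; one edit covers the common typosquat primitives."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain, protected=PROTECTED_DOMAINS):
    """Return (verdict, impersonated_domain) or None if the domain looks legitimate."""
    domain = domain.lower()
    if domain in protected:
        return None
    name, tld = split_domain(domain)
    for real in protected:
        real_name, real_tld = split_domain(real)
        if name == real_name and tld != real_tld:
            return ("tld_swap", real)          # examplepharma.us vs examplepharma.com
        if name != real_name and edit_distance(name, real_name) == 1:
            return ("typosquat", real)         # examplepharna.com vs examplepharma.com
    return None


def scan_log(text, protected=PROTECTED_DOMAINS):
    """Run the classifier over gateway log lines; returns (sender_domain, verdict, real)."""
    hits = []
    for line in text.splitlines():
        match = SENDER_RE.search(line)
        if not match:
            continue
        verdict = classify_sender_domain(match.group(1), protected)
        if verdict:
            hits.append((match.group(1), verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for sender, verdict, real in scan_log(SAMPLE_LOG):
        print(f"{verdict:10} {sender:25} impersonates {real}")
```

The same classifier can be pointed at newly registered domain feeds to spot a lookalike before the first email arrives; a broader generator such as dnstwist will also cover homoglyphs and bit-flips that a single-edit check misses.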

“Although the group initially came to our attention due to their use of documents containing an exploit for CVE-2021-40444, they later switched to delivering ISO files with hidden BazarLoader DLLs and LNK shortcuts,” said TAG. “These samples have indicators that suggest they were custom built for use by the group. For example, metadata embedded in LNK shortcuts shows that a number of fields, such as ‘Machine Identifier’ and ‘Drive Serial Number’, were shared with BazarLoader ISOs distributed by other means, but other fields such as command line arguments were unique to samples distributed by EXOTIC LILY.”


“In March, the group continued to deliver ISO files, but with a DLL containing a custom loader which is a more advanced variant of a first-stage payload previously seen during the CVE-2021-40444 exploitation. The loader can be recognized by its use of a unique user agent ‘bumblebee’ that both variants share.

“The malware, hence named BUMBLEBEE, uses WMI to collect various system details such as OS version, username and domain name, which are then exfiltrated in JSON format to a C2. In response, it expects to receive one of the supported ‘tasks’, which include running shellcode and dropping and running executable files. At the time of analysis, BUMBLEBEE was observed fetching Cobalt Strike payloads.”
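The LNK fields TAG used to cluster these samples (Machine Identifier, Drive Serial Number and the command line arguments) sit in fixed places in the Shell Link binary format, so pulling them out for triage takes little more than the struct module. The parser below is an added example written for this article, not TAG’s tooling; it follows the MS-SHLLINK layout and reads the VolumeID, the StringData fields and the TrackerDataBlock. Because no real sample can be embedded here, the block also constructs a minimal, spec-conformant .lnk whose machine name, serial number, target and arguments are invented values.

```python
import struct
import uuid

# LinkFlags bits (MS-SHLLINK 2.1.1) and the fixed shell link CLSID.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
TRACKER_DATA_BLOCK_SIG = 0xA0000003
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]


def parse_lnk(data):
    """Return the triage-relevant fields of a .lnk file as a dict."""
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != 0x4C or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    out = {}
    pos = 0x4C                                   # end of ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList, not needed for triage
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, vol_off, base_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath
            _drive_type, serial = struct.unpack_from("<II", data, pos + vol_off + 4)
            out["drive_serial_number"] = f"{serial:08X}"
            start = pos + base_off
            out["local_base_path"] = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += li_size
    for bit, key in STRING_FIELDS:               # StringData: CountCharacters + chars
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                out[key] = data[pos:pos + 2 * n].decode("utf-16-le")
                pos += 2 * n
            else:
                out[key] = data[pos:pos + n].decode("latin-1")
                pos += n
    while pos + 4 <= len(data):                  # ExtraData blocks until the terminal block
        blk_size = struct.unpack_from("<I", data, pos)[0]
        if blk_size < 8:
            break
        sig = struct.unpack_from("<I", data, pos + 4)[0]
        if sig == TRACKER_DATA_BLOCK_SIG:        # MachineID at +16, Droid volume GUID at +32
            out["machine_id"] = data[pos + 16:pos + 32].split(b"\x00")[0].decode("ascii")
            out["droid_volume_id"] = str(uuid.UUID(bytes_le=data[pos + 32:pos + 48]))
        pos += blk_size
    return out


def build_sample_lnk(machine_id, drive_serial, base_path, arguments):
    """Construct a minimal spec-conformant .lnk; all field values are invented sample data."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 17, 3, drive_serial, 16) + b"\x00"  # DRIVE_FIXED, no label
    local_base = base_path.encode("latin-1") + b"\x00"
    body = volume_id + local_base + b"\x00"                               # empty CommonPathSuffix
    link_info = struct.pack("<7I", 28 + len(body), 28, 0x1, 28, 28 + len(volume_id), 0,
                            28 + len(volume_id) + len(local_base)) + body
    args_block = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    tracker = (struct.pack("<IIII", 0x60, TRACKER_DATA_BLOCK_SIG, 0x58, 0)
               + machine_id.encode("ascii").ljust(16, b"\x00")
               + uuid.UUID(int=0x1111).bytes_le * 2                       # Droid (volume, object)
               + uuid.UUID(int=0x2222).bytes_le * 2)                      # DroidBirth
    return header + link_info + args_block + tracker + b"\x00\x00\x00\x00"


if __name__ == "__main__":
    sample = build_sample_lnk("DESKTOP-TEST01", 0x1234ABCD,
                              "C:\\Windows\\System32\\rundll32.exe", "sample.dll,Entry")
    for key, value in parse_lnk(sample).items():
        print(f"{key:20} {value}")
```

Run over a directory of extracted ISO contents, the tuple (machine_id, drive_serial_number, droid_volume_id) is what to pivot on when asking whether two shortcuts were built on the same attacker machine, while the arguments field is where the group-specific command line shows up.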

TAG has IOCs and more details here.

In addition to the standard list of tools and techniques for introducing friction for attackers, defenders should consider using tools like BloodHound to map the explicit and hidden relationships in an Active Directory environment, so that blue teams can see which attack paths exist and limit or clean them up before an adversary who has gained a foothold through a phishing email can exploit them.