This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Exotic Lily: Global Activity Analysis

Sarthak
Occasional Contributor Occasional Contributor
Occasional Contributor
2 weeks ago

Background


In September 2021, Google TAG Researchers shared their observations about a threat actor they referred to as EXOTIC LILY, classifying them as Initial Access Brokers (IABs), working closely with Russian Cyber Crime Gang FIN12 (FireEye). Activity by Exotic Lily overlaps with a threat actor being tracked as DEV-0413 (Microsoft).

 

IABs are extremely ambitious groups specialized in breaking into a target network to open backdoors for other interested threat actors. IABs work differently than a Ransomware as a Service (RaaS) business model and the TTPs observed in these campaigns are traditionally associated with more targeted attacks.

 

During its initial run in September 2021, Exotic Lily was observed to be working for Conti & Diavol Ransomware Operators. Their initial vector was at that point (and probably still is) phishing emails, targeting various industries such as IT, Healthcare and Cybersecurity, but this focus changed over time. The threat actor would use spoofed email addresses to deliver spear phishing emails themed as business proposals, following which payloads were uploaded to public file-sharing services and used built-in email features to evade detection. These email campaigns were carried by human operators from the group most likely based out of Europe.

 

Researchers identified that the threat actor moved on from the exploitation of Microsoft’s MSHTML RCE Vulnerability: CVE-2021-40444 to delivery of malicious ISOs containing the infamous BazarLoader.

 

Recent Developments


In March 2022, Exotic Lily continued delivering malicious ISOs, but this time with a different and more advanced downloader called Bumblebee.

 

Bumblebee uses WMI to collect the target’s system information, OS version, users, and domain name. Bumblebee was also observed to fetch Cobalt Strike payloads.

 

Researchers at Proofpoint detailed about this malware in their recent blog post.

 

NetWitness Detections


Understanding the importance of detecting these exploitation methods used by the threat actors, the NetWitness Platform offers endpoint-based application rules that aid in identifying not just Exotic Lily’s malicious activity, but other adversaries as well that might employ similar techniques.

 

  • [Community] Exotic Lily - Known Loader User Agent
  • [Community] Exotic Lily - Internal Data Collection
  • [Community] Exotic Lily - Collects Device Information
  • [Community] Suspicious Call by Ordinal
  • [Community] Bumblebee - Known Execution Attempt
  • Command Shell Runs Rundll32
  • Scripting Engine Runs Rundll32

Conclusion


Exotic Lily operates as a separate entity, focusing on initial access through email campaigns, with follow-up activities like deployment of ransomware, which are performed by a distinct set of adversaries.

 

NetWitness can aid in identifying the presence of this threat within an environment so that one may respond to it prior to the adversary causing major loss in the form of intellectual property exfiltration and/or finances.

 

Indicators of Compromise (IOCs)

References

© 2022 RSA Security LLC or its affiliates. All rights reserved.