NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
Exotic Lily: Global Activity Analysis

Sarthak
2 weeks ago

Background


In September 2021, Google TAG researchers shared their observations about a threat actor they referred to as EXOTIC LILY, classifying the group as an Initial Access Broker (IAB) working closely with the Russian cybercrime gang FIN12 (as tracked by FireEye). Exotic Lily's activity overlaps with a threat actor tracked by Microsoft as DEV-0413.

IABs are extremely ambitious groups that specialize in breaking into a target network and opening backdoors for other interested threat actors. IABs work differently from the Ransomware as a Service (RaaS) business model, and the TTPs observed in these campaigns are traditionally associated with more targeted attacks.

During its initial run in September 2021, Exotic Lily was observed working for the Conti and Diavol ransomware operators. Its initial vector was at that point (and probably still is) phishing email, targeting industries such as IT, healthcare and cybersecurity, although this focus changed over time. The threat actor used spoofed email addresses to deliver spear-phishing emails themed as business proposals; the payloads were uploaded to public file-sharing services, whose built-in email features were then used to evade detection. These email campaigns were carried out by human operators from the group, most likely based in Europe.

Researchers identified that the threat actor moved on from exploiting Microsoft's MSHTML RCE vulnerability (CVE-2021-40444) to delivering malicious ISOs containing the infamous BazarLoader.

 

Recent Developments


In March 2022, Exotic Lily continued delivering malicious ISOs, but this time with a different and more advanced downloader called Bumblebee.

Bumblebee uses WMI to collect the target's system information: OS version, users and domain name. Bumblebee was also observed fetching Cobalt Strike payloads.

Researchers at Proofpoint detailed this malware in their recent blog post.

 

NetWitness Detections


Understanding the importance of detecting the techniques used by these threat actors, the NetWitness Platform offers endpoint-based application rules that aid in identifying not just Exotic Lily's malicious activity, but also that of other adversaries who employ similar techniques.

 

  • [Community] Exotic Lily - Known Loader User Agent
  • [Community] Exotic Lily - Internal Data Collection
  • [Community] Exotic Lily - Collects Device Information
  • [Community] Suspicious Call by Ordinal
  • [Community] Bumblebee - Known Execution Attempt
  • Command Shell Runs Rundll32
  • Scripting Engine Runs Rundll32
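As an added illustration (not NetWitness's own rule logic, which this post does not show), the Python below runs checks named after three of the rules listed above over constructed endpoint process-creation events; the event field names and the lists of shells and scripting engines are assumptions made for the example.

```python
"""Added example: rundll32-focused process-creation checks in the spirit of
the listed application rules. The event schema is an assumption."""
import re
from dataclasses import dataclass

# Assumed parent-process sets for the two "Runs Rundll32" checks.
SHELLS = {"cmd.exe", "powershell.exe"}
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe"}
# rundll32 invoking a DLL export by ordinal, e.g. "rundll32 x.dll,#1".
ORDINAL_CALL = re.compile(r"\.dll\s*,\s*#\d+", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent: str   # image name of the parent process
    image: str    # image name of the created process
    cmdline: str  # full command line of the created process


def detect(ev: ProcessEvent) -> list[str]:
    """Return the names of the checks that a single event triggers."""
    hits = []
    parent, image = ev.parent.lower(), ev.image.lower()
    if image == "rundll32.exe":
        if parent in SHELLS:
            hits.append("Command Shell Runs Rundll32")
        if parent in SCRIPT_ENGINES:
            hits.append("Scripting Engine Runs Rundll32")
        if ORDINAL_CALL.search(ev.cmdline):
            hits.append("Suspicious Call by Ordinal")
    return hits


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("cmd.exe", "rundll32.exe",
                 r"rundll32.exe C:\Users\u\AppData\Local\Temp\x.dll,#1"),
    ProcessEvent("wscript.exe", "rundll32.exe",
                 "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcessEvent("explorer.exe", "rundll32.exe",
                 "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcessEvent("cmd.exe", "notepad.exe", "notepad.exe readme.txt"),
]


def run_detections(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map event index -> triggered checks, keeping only events with hits."""
    return {i: detect(e) for i, e in enumerate(events) if detect(e)}


if __name__ == "__main__":
    for idx, hits in run_detections(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].cmdline, "->", hits)
```

The third event shows the benign baseline the parent-process checks are meant to leave alone: the same rundll32 command line launched by explorer.exe triggers nothing.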

Conclusion


Exotic Lily operates as a separate entity, focusing on initial access through email campaigns; follow-up activities such as ransomware deployment are performed by a distinct set of adversaries.

NetWitness can aid in identifying the presence of this threat within an environment so that one may respond to it before the adversary causes major loss in the form of intellectual property exfiltration or financial damage.

 

Indicators of Compromise (IOCs)

  • https://www.virustotal.com/gui/collection/55ef10a1ff5363ec2272ba135e7974fcfda7fc7989e84e65dfb76797a165c3f5
  • https://www.virustotal.com/gui/search/behavior_network%253Abumblebee%2520(type%253Apeexe%2520OR%2520type%253Apedll)/files
  • https://bazaar.abuse.ch/browse.php?search=tag%3AEXOTICLILY

References

  • Meet Exotic Lily, access broker for ransomware and other malware peddlers
  • New Bumblebee malware replaces Conti's BazarLoader in cyberattacks
Labels:
  • Resources
  • Use Cases
  • app rules
  • threat actor research
  • threat content
  • threat detection and response
© 2022 RSA Security LLC or its affiliates. All rights reserved.