NetWitness Community

Background

In September 2021, Google TAG Researchers shared their observations about a threat actor they referred to as EXOTIC LILY, classifying them as Initial Access Brokers (IABs), working closely with Russian Cyber Crime Gang FIN12 (FireEye). Activity by Exotic Lily overlaps with a threat actor being tracked as DEV-0413 (Microsoft).

IABs are extremely ambitious groups specialized in breaking into a target network to open backdoors for other interested threat actors. IABs work differently than a Ransomware as a Service (RaaS) business model and the TTPs observed in these campaigns are traditionally associated with more targeted attacks.

During its initial run in September 2021, Exotic Lily was observed to be working for Conti & Diavol Ransomware Operators. Their initial vector was at that point (and probably still is) phishing emails, targeting various industries such as IT, Healthcare and Cybersecurity, but this focus changed over time. The threat actor would use spoofed email addresses to deliver spear phishing emails themed as business proposals, following which payloads were uploaded to public file-sharing services and used built-in email features to evade detection. These email campaigns were carried by human operators from the group most likely based out of Europe.

Researchers identified that the threat actor moved on from the exploitation of Microsoft’s MSHTML RCE Vulnerability: CVE-2021-40444 to delivery of malicious ISOs containing the infamous BazarLoader.

Recent Developments

In March 2022, Exotic Lily continued delivering malicious ISOs, but this time with a different and more advanced downloader called Bumblebee.

Bumblebee uses WMI to collect the target’s system information, OS version, users, and domain name. Bumblebee was also observed to fetch Cobalt Strike payloads.

Researchers at Proofpoint detailed about this malware in their recent blog post.

NetWitness Detections

Understanding the importance of detecting these exploitation methods used by the threat actors, the NetWitness Platform offers endpoint-based application rules that aid in identifying not just Exotic Lily’s malicious activity, but other adversaries as well that might employ similar techniques.

• [Community] Exotic Lily - Known Loader User Agent
• [Community] Exotic Lily - Internal Data Collection
• [Community] Exotic Lily - Collects Device Information
• [Community] Suspicious Call by Ordinal
• [Community] Bumblebee - Known Execution Attempt
• Cmd or Powershell Runs RunDLL32 with No Arguments
• Scripting Engine Runs Rundll32

Conclusion

Exotic Lily operates as a separate entity, focusing on initial access through email campaigns, with follow-up activities like deployment of ransomware, which are performed by a distinct set of adversaries.

NetWitness can aid in identifying the presence of this threat within an environment so that one may respond to it prior to the adversary causing major loss in the form of intellectual property exfiltration and/or finances.

Indicators of Compromise (IOCs)

• https://www.virustotal.com/gui/collection/55ef10a1ff5363ec2272ba135e7974fcfda7fc7989e84e65dfb76797a165c3f5
• https://www.virustotal.com/gui/search/behavior_network%253Abumblebee%2520(type%253Apeexe%2520OR%2520type%253Apedll)/files
• https://bazaar.abuse.ch/browse.php?search=tag%3AEXOTICLILY

References

• Meet Exotic Lily, access broker for ransomware and other malware peddlers
• New Bumblebee malware replaces Conti's BazarLoader in cyberattacks