Google’s Threat Analysis Group (TAG) unveiled a new initial access broker reportedly tied to a notorious Russian cybercrime gang responsible for devastating Diavol and Conti ransomware campaigns.
Researchers observed the threat actor, dubbed Exotic Lily, exploiting a critical Microsoft Windows MSHTML vulnerability (CVE-2021-40444) in extensive phishing campaigns, in which roughly 5,000 business-proposal scam emails a day were sent to some 650 targeted organizations worldwide.
Exotic Lily was first spotted in September 2021 and is believed to be linked to data leaks and deployments of the Diavol and Conti ransomware strains. Both ransomware campaigns were human-operated and shared ties with Wizard Spider, a Russian cybercrime organization notorious for its BazarBackdoor, Anchor and TrickBot operations.
“Initial access brokers are the opportunistic locksmiths of the security world, and it’s a full-time job,” according to TAG researchers Benoit Sevens and Vlad Stolyarov. “These groups specialize in breaching a target in order to open the doors — or the Windows — to the malicious actor with the highest bid.”
The group used spoofed email accounts to deliver its social-engineering lures. Initially, the attacks appeared to focus on cybersecurity, IT and healthcare organizations, but after November 2021 the threat actor began targeting other industries as well.
Aside from impersonating fictitious individuals and companies, the attacker relied on trusted, legitimate file-sharing services such as OneDrive, WeTransfer and TransferNow to deliver BazarBackdoor payloads without arousing suspicion.
“At the final stage, the attacker would upload the payload to a public file-sharing service (TransferNow, TransferXL, WeTransfer or OneDrive) and then use a built-in email notification feature to share the file with the target, allowing the final email to originate from the email address of a legitimate file-sharing service and not the attacker’s email, which presents additional detection challenges.”
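The pattern the TAG researchers describe above (the notification e-mail comes from the file-sharing service itself, not from the attacker) is what a mail-gateway triage rule has to key on. The following is an added example written for this article, not TAG's or Google's code: it parses constructed gateway log lines and flags notifications from the services named in the article whose sharing party is not a known correspondent or whose subject carries the business-proposal lure wording. The log format, field names, notifier domains and sample lines are all assumptions made for this example.

```python
"""Triage inbound mail-gateway events for file-sharing notification lures.

Added example, not TAG's code. It encodes the pattern reported in the article
(payload shared through a legitimate file-sharing service's own notification
e-mail, so the visible sender is the service rather than the attacker) as a
defender-side triage rule. Log format, field names, notifier domains and the
sample lines below are constructed assumptions for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Services named in the article. The notification domains are assumptions;
# in production, take them from the sender domains your gateway actually sees.
SHARING_NOTIFIER_DOMAINS = {
    "transfernow.net", "transferxl.com", "wetransfer.com", "onedrive.com",
}

# Lure wording the article reports ("business proposal" scam e-mails).
LURE_SUBJECT = re.compile(r"\bbusiness\s+proposal\b|\bproposal\b", re.I)


@dataclass
class MailEvent:
    ts: str
    sender_domain: str   # domain of the header/envelope sender (the service)
    sharer: str          # party the service says shared the file
    subject: str
    recipient: str


def parse_line(line: str) -> MailEvent:
    """Parse one constructed key="value" gateway log line."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return MailEvent(
        ts=fields["ts"],
        sender_domain=fields["sender_domain"].lower(),
        sharer=fields["sharer"].lower(),
        subject=fields["subject"],
        recipient=fields["recipient"].lower(),
    )


def triage(lines: Iterable[str], known_counterparts: Set[str]) -> List[Tuple[MailEvent, List[str]]]:
    """Return (event, reasons) for every event that needs analyst review.

    A legitimate service notification alone is not suspicious (the rule would
    drown in partner traffic), so an event is flagged only when at least two
    of the reasons below apply.
    """
    hits = []
    for line in lines:
        ev = parse_line(line)
        reasons = []
        if ev.sender_domain in SHARING_NOTIFIER_DOMAINS:
            reasons.append("sent by file-sharing service notifier")
            if ev.sharer not in known_counterparts:
                reasons.append("sharer is not a known correspondent")
            if LURE_SUBJECT.search(ev.subject):
                reasons.append("business-proposal lure wording in subject")
        if len(reasons) >= 2:
            hits.append((ev, reasons))
    return hits


# Constructed sample data: addresses, domains and timestamps are invented.
KNOWN_COUNTERPARTS = {"partner@example-partner.test"}

SAMPLE_LINES = [
    # Known partner sharing routine files through the service: benign.
    'ts="2021-11-08T08:02:00Z" sender_domain="wetransfer.com" sharer="partner@example-partner.test" subject="Files shared: Q3 invoices" recipient="ap@example.test"',
    # Unknown sharer plus lure wording: the pattern described in the article.
    'ts="2021-11-08T09:14:00Z" sender_domain="transfernow.net" sharer="jane.doe@example-consulting.test" subject="Business proposal for your review" recipient="ap@example.test"',
    # Direct e-mail from the company's own domain: not a service notification.
    'ts="2021-11-08T09:30:00Z" sender_domain="example.test" sharer="" subject="Proposal draft" recipient="ap@example.test"',
    # Unknown sharer with a neutral subject: still worth a look.
    'ts="2021-11-08T10:05:00Z" sender_domain="onedrive.com" sharer="unknown@example-other.test" subject="A document was shared with you" recipient="hr@example.test"',
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_LINES, KNOWN_COUNTERPARTS):
        print(ev.ts, ev.sender_domain, ev.sharer, "->", "; ".join(reasons))
```

The deliberate design choice is the two-reason threshold: the notification sender alone is legitimate traffic, so the rule combines it with what the article says distinguishes the lure, a sharing party the organization has never corresponded with and the business-proposal pretext. A real deployment would feed the known-counterpart set from historical mail flow rather than a hard-coded set.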
Besides the payload, the attacker infected compromised systems with a custom loader called Bumblebee, designed to harvest data and exfiltrate it to a command-and-control (C2) server. The attacker's remote server would then reply with commands, such as executing shellcode or launching next-stage executables such as Cobalt Strike.