EXOTIC LILY

EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.[1]

ID: G1011
Contributors: Phill Taylor, BT Security
Version: 1.0
Created: 18 August 2022
Last Modified: 24 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1203 Exploitation for Client Execution

EXOTIC LILY has used malicious documents containing exploits for CVE-2021-40444 affecting Microsoft MSHTML.[1]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

EXOTIC LILY has established social media profiles to mimic employees of targeted companies.[1]

.002 Establish Accounts: Email Accounts

EXOTIC LILY has created e-mail accounts to spoof targeted organizations.[1]

Enterprise T1594 Search Victim-Owned Websites

EXOTIC LILY has used contact forms on victim websites to generate phishing e-mails.[1]

Enterprise T1593 .001 Search Open Websites/Domains: Social Media

EXOTIC LILY has copied data from social media sites to impersonate targeted individuals.[1]

Enterprise T1597 Search Closed Sources

EXOTIC LILY has searched for information on targeted individuals on business databases including RocketReach and CrunchBase.[1]

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

EXOTIC LILY has gathered targeted individuals' e-mail addresses through open source research and website contact forms.[1]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

EXOTIC LILY has uploaded malicious payloads to file-sharing services including TransferNow, TransferXL, WeTransfer, and OneDrive.[1]

Enterprise T1204 .001 User Execution: Malicious Link

EXOTIC LILY has used malicious links to lure users into executing malicious payloads.[1]

.002 User Execution: Malicious File

EXOTIC LILY has gained execution through victims clicking on malicious LNK files contained within ISO files, which can execute hidden DLLs within the ISO.[1][2]

Enterprise T1102 Web Service

EXOTIC LILY has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payloads.[1]

Enterprise T1583 .001 Acquire Infrastructure: Domains

EXOTIC LILY has registered domains to spoof targeted organizations by changing the top-level domain (TLD) to ".us", ".co" or ".biz".[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

EXOTIC LILY conducted an e-mail thread-hijacking campaign with malicious ISO attachments.[1][2]

.002 Phishing: Spearphishing Link

EXOTIC LILY has relied on victims to open malicious links in e-mails for execution.[1]

.003 Phishing: Spearphishing via Service

EXOTIC LILY has used the e-mail notification features of legitimate file sharing services for spearphishing.[1]

Software

ID Name References Techniques
S0534 Bazar [1] BITS Jobs, Windows Management Instrumentation, Data from Local System, Masquerading: Match Legitimate Name or Location, Masquerading: Masquerade Task or Service, Masquerading: Double File Extension, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Dynamic Resolution: Domain Generation Algorithms, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Winlogon Helper DLL, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Fallback Channels, Domain Trust Discovery, Multi-Stage Channels, Impair Defenses: Disable or Modify Tools, Application Layer Protocol: Web Protocols, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information: Software Packing, User Execution: Malicious Link, Indicator Removal: Clear Persistence, Indicator Removal: File Deletion, System Location Discovery: System Language Discovery, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, Network Share Discovery, Web Service, Virtualization/Sandbox Evasion, Virtualization/Sandbox Evasion: Time Based Evasion, Account Discovery: Domain Account, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Software Discovery, Ingress Tool Transfer, Process Discovery, Process Injection, Process Injection: Process Doppelgänging, Process Injection: Process Hollowing, Remote System Discovery, Phishing: Spearphishing Link, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing
S1039 Bumblebee [1] Windows Management Instrumentation, Data from Local System, Masquerading: Match Legitimate Name or Location, Shared Modules, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Fallback Channels, Archive Collected Data, Data Encoding: Standard Encoding, Native API, Query Registry, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Bypass User Account Control, User Execution: Malicious Link, User Execution: Malicious File, Indicator Removal: File Deletion, System Binary Proxy Execution: Odbcconf, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, Web Service, Virtualization/Sandbox Evasion: System Checks, Virtualization/Sandbox Evasion: Time Based Evasion, Virtualization/Sandbox Evasion, Debugger Evasion, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Asynchronous Procedure Call, Process Injection, Inter-Process Communication: Component Object Model, Exfiltration Over C2 Channel, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Scheduled Task/Job: Scheduled Task

References