EXOTIC LILY

EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.[1]

ID: G1011
Contributors: Phill Taylor, BT Security
Version: 1.0
Created: 18 August 2022
Last Modified: 24 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

EXOTIC LILY has registered domains to spoof targeted organizations by changing the top-level domain (TLD) to ".us", ".co" or ".biz".[1]
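A defender-side check for the TLD-swap pattern described above, added here as an illustration and not part of the ATT&CK entry or any vendor tool: it flags sender domains that reuse a protected organisation's label under a different TLD, ranking the ".us", ".co" and ".biz" swaps named on this page above other TLDs. The protected domains and the From: header lines are constructed sample data.

```python
"""Flag sender domains that spoof a protected domain by swapping only the TLD.

Added example, not code from the ATT&CK page. The protected domains and
the sample e-mail header lines below are constructed for illustration.
"""
import re
from typing import Iterable, Optional

# TLDs this ATT&CK entry reports EXOTIC LILY substituting for the real one.
SUSPECT_TLDS = {"us", "co", "biz"}

FROM_RE = re.compile(r"^From:.*?<([^>]+)>", re.IGNORECASE)


def split_domain(domain: str) -> tuple[str, str]:
    """Return (second-level label, TLD), lower-cased.

    Splits on the last dot only, so it assumes single-label TLDs; a
    public-suffix list would be needed to handle e.g. 'example.co.uk'.
    """
    parts = domain.lower().rstrip(".").rsplit(".", 1)
    return (parts[0], "") if len(parts) == 1 else (parts[0], parts[1])


def spoof_kind(sender_domain: str, protected: Iterable[str]) -> Optional[str]:
    """Classify a sender domain against the protected domain list.

    Returns 'tld-swap-known' when the label matches a protected domain and
    the TLD is one reported for this group, 'tld-swap-other' for any other
    TLD swap, and None when the domain is either legitimate or unrelated.
    """
    label, tld = split_domain(sender_domain)
    for legit in protected:
        legit_label, legit_tld = split_domain(legit)
        if label == legit_label and tld != legit_tld:
            return "tld-swap-known" if tld in SUSPECT_TLDS else "tld-swap-other"
    return None


def flag_senders(headers: Iterable[str], protected: Iterable[str]) -> list[tuple[str, str]]:
    """Return (address, kind) for every From: line whose domain is a TLD swap."""
    flagged = []
    for line in headers:
        m = FROM_RE.match(line)
        if not m:
            continue  # not a From: header, or no angle-bracketed address
        addr = m.group(1)
        kind = spoof_kind(addr.rsplit("@", 1)[-1], protected)
        if kind:
            flagged.append((addr, kind))
    return flagged


# Constructed sample data (hypothetical organisation and mailbox names).
PROTECTED = ["example.com", "example-health.org"]
SAMPLE_HEADERS = [
    "From: Alice <alice@example.com>",          # legitimate
    "From: Alice <alice@example.us>",           # .com -> .us swap
    "From: Bob <bob@example-health.biz>",       # .org -> .biz swap
    "From: Bob <bob@example-health.net>",       # swap to a TLD not on the page
    "From: Carol <carol@unrelated.co>",         # unrelated label, ignored
]

if __name__ == "__main__":
    for addr, kind in flag_senders(SAMPLE_HEADERS, PROTECTED):
        print(f"{kind}: {addr}")
```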

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

EXOTIC LILY has established social media profiles to mimic employees of targeted companies.[1]

Enterprise T1585 .002 Establish Accounts: Email Accounts

EXOTIC LILY has created e-mail accounts to spoof targeted organizations.[1]

Enterprise T1203 Exploitation for Client Execution

EXOTIC LILY has used malicious documents containing exploits for CVE-2021-40444 affecting Microsoft MSHTML.[1]

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

EXOTIC LILY has gathered targeted individuals' e-mail addresses through open source research and website contact forms.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

EXOTIC LILY conducted an e-mail thread-hijacking campaign with malicious ISO attachments.[1][2]

Enterprise T1566 .002 Phishing: Spearphishing Link

EXOTIC LILY has relied on victims to open malicious links in e-mails for execution.[1]

Enterprise T1566 .003 Phishing: Spearphishing via Service

EXOTIC LILY has used the e-mail notification features of legitimate file sharing services for spearphishing.[1]

Enterprise T1597 Search Closed Sources

EXOTIC LILY has searched for information on targeted individuals on business databases including RocketReach and CrunchBase.[1]

Enterprise T1593 .001 Search Open Websites/Domains: Social Media

EXOTIC LILY has copied data from social media sites to impersonate targeted individuals.[1]

Enterprise T1594 Search Victim-Owned Websites

EXOTIC LILY has used contact forms on victim websites to generate phishing e-mails.[1]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

EXOTIC LILY has uploaded malicious payloads to file-sharing services including TransferNow, TransferXL, WeTransfer, and OneDrive.[1]

Enterprise T1204 .001 User Execution: Malicious Link

EXOTIC LILY has used malicious links to lure users into executing malicious payloads.[1]

Enterprise T1204 .002 User Execution: Malicious File

EXOTIC LILY has gained execution through victims clicking on malicious LNK files contained within ISO files, which can execute hidden DLLs within the ISO.[1][2]

Enterprise T1102 Web Service

EXOTIC LILY has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payloads.[1]

Software

ID Name References Techniques
S0534 Bazar [1] Account Discovery: Domain Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, BITS Jobs, Boot or Logon Autostart Execution: Winlogon Helper DLL, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data from Local System, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Dynamic Resolution: Domain Generation Algorithms, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Indicator Removal: Clear Persistence, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Masquerading: Masquerade Task or Service, Masquerading: Double File Extension, Multi-Stage Channels, Native API, Network Share Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information: Software Packing, Phishing: Spearphishing Link, Process Discovery, Process Injection, Process Injection: Process Doppelgänging, Process Injection: Process Hollowing, Query Registry, Remote System Discovery, Scheduled Task/Job: Scheduled Task, Software Discovery: Security Software Discovery, Software Discovery, Subvert Trust Controls: Code Signing, System Information Discovery, System Location Discovery: System Language Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery, User Execution: Malicious Link, Virtualization/Sandbox Evasion, Virtualization/Sandbox Evasion: Time Based Evasion, Web Service, Windows Management Instrumentation
S1039 Bumblebee [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Archive Collected Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, Data from Local System, Debugger Evasion, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Fallback Channels, Indicator Removal: File Deletion, Ingress Tool Transfer, Inter-Process Communication: Component Object Model, Masquerading: Match Legitimate Name or Location, Native API, Obfuscated Files or Information, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Asynchronous Procedure Call, Process Injection, Query Registry, Scheduled Task/Job: Scheduled Task, Shared Modules, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Odbcconf, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, User Execution: Malicious Link, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks, Virtualization/Sandbox Evasion: Time Based Evasion, Virtualization/Sandbox Evasion, Web Service, Windows Management Instrumentation

References