
Rewterz Threat Alert – EXOTIC LILY Linked to Conti – Active IOCs – Russian-Ukrainian Cyber Warfare

March 21, 2022

Severity

High

Analysis Summary

Initial Access Brokers (IABs) are the opportunistic locksmiths of the cybercrime economy: they break into a victim’s network and then sell that foothold to the highest bidder. The growth in ransomware tracks the growth of the IAB market. IABs typically obtain access by exploiting remote management software or exposed Remote Desktop Protocol (RDP) services, or by brute-forcing credentials. The buyer gets ready-made access to a corporate network without spending its own time, resources, and manpower on the intrusion, and can then pick victims by country, sector, and revenue.

EXOTIC LILY is one such IAB, closely linked to the Conti and Diavol ransomware operations. At its peak, EXOTIC LILY sent more than 5,000 emails a day to as many as 650 targeted organizations, with a focus on the IT and cybersecurity sector. Its TTPs include impersonating employees of legitimate companies in email campaigns to gain the target’s trust, and delivering payloads through legitimate file-sharing services such as TransferNow, OneDrive, and WeTransfer, so the email itself carries only a link rather than a malicious attachment.

From Google TAG

To build credibility, the group registers a domain identical to a real company’s with only the TLD changed to “.us”, “.biz”, or “.co”. Several of the indicators listed below also appear to follow a second pattern, a typosquat of a real name in which a lowercase “l” stands in for an “i” (the two look alike in many fonts). Either variant survives a check that only compares the display name with the From address; the sending domain itself has to be compared against the legitimate one.

Figure (Google TAG): example of an EXOTIC LILY phishing email impersonating an employee of a legitimate company.

“We believe the shift to deliver BazarLoader, along with some other indicators such as a unique Cobalt Strike profile, further confirms the existence of a relationship between EXOTIC LILY and actions of a Russian cyber crime group tracked as WIZARD SPIDER (CrowdStrike), FIN12 (Mandiant, FireEye) and DEV-0193 (Microsoft),” the researchers concluded. “While the nature of those relationships remains unclear, EXOTIC LILY seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors.”

Impact

  • Data Loss
  • File Encryption
  • Financial Loss
  • Cyber Espionage

Indicators of Compromise

Domain Name

  • conlfex[.]com
  • avrobio[.]co
  • elemblo[.]com
  • phxmfg[.]co
  • modernmeadow[.]co
  • lsoplexis[.]com
  • craneveyor[.]us
  • faustel[.]us
  • lagauge[.]us
  • missionbio[.]us
  • richllndmetals[.]com
  • kvnational[.]us
  • prmflltration[.]com
  • brightlnsight[.]co
  • belcolnd[.]com
  • awsblopharma[.]com
  • amevida[.]us
  • revergy[.]us
  • al-ghurair[.]us
  • opontia[.]us
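The domain-cloning pattern described above (same name, swapped TLD, or a look-alike label) and the IOC list can be turned into a mail-log check. The script below is an added example written for this advisory, not tooling from Rewterz or Google TAG. It refangs the IOC domains from the list above, and flags any sender whose domain is an exact IOC match, a TLD swap of a trusted domain, or a confusable-character look-alike of one. The log format, the trusted domains (`acme-metals.example`, `brightpath.example`) and the sample log lines are constructed for the demonstration.

```python
"""Flag inbound senders that match EXOTIC LILY IOC domains or look like trusted domains.

Added example for this advisory. Log format, trusted domains and sample
log lines are constructed; the IOC domains are the ones listed above.
"""
import re

# IOC domains from the advisory, refanged ("[.]" -> ".") for matching.
IOC_DOMAINS = {
    d.replace("[.]", ".") for d in (
        "conlfex[.]com", "avrobio[.]co", "elemblo[.]com", "phxmfg[.]co",
        "modernmeadow[.]co", "lsoplexis[.]com", "craneveyor[.]us", "faustel[.]us",
        "lagauge[.]us", "missionbio[.]us", "richllndmetals[.]com", "kvnational[.]us",
        "prmflltration[.]com", "brightlnsight[.]co", "belcolnd[.]com",
        "awsblopharma[.]com", "amevida[.]us", "revergy[.]us", "al-ghurair[.]us",
        "opontia[.]us",
    )
}

# TLDs the advisory says the actor swaps in when cloning a real domain.
SWAPPED_TLDS = {"us", "biz", "co"}

# Single characters that render alike in many fonts: l/1 -> i, 0 -> o.
CONFUSABLES = str.maketrans("l10", "iio")

# Constructed inputs: a hypothetical trusted-partner list and a mail-gateway log.
TRUSTED_DOMAINS = {"acme-metals.example", "brightpath.example"}
SAMPLE_LOG = '''\
2022-03-21T09:14:02Z from=j.doe@avrobio.co to=ap@victim.example subj="Invoice draft"
2022-03-21T09:15:40Z from=sales@acme-metals.us to=ap@victim.example subj="Updated quote"
2022-03-21T09:17:11Z from=hr@brlghtpath.example to=ap@victim.example subj="Benefits form"
2022-03-21T09:18:55Z from=news@acme-metals.example to=ap@victim.example subj="Newsletter"
'''
LOG_RE = re.compile(r'^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) subj="(?P<subj>[^"]*)"$')


def registrable(domain):
    """Split 'acme-metals.example' into ('acme-metals', 'example')."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        raise ValueError(f"not a domain: {domain!r}")
    return parts[-2], parts[-1]


def fold(label):
    """Collapse confusable characters so look-alike labels compare equal."""
    return label.translate(CONFUSABLES).replace("rn", "m")


def levenshtein(a, b):
    """Edit distance; distance 1 catches a single dropped, added or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted_domains):
    """Return a reason string if the sender is suspicious, else None."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in IOC_DOMAINS:
        return "ioc-match"
    if domain in trusted_domains:
        return None
    try:
        label, tld = registrable(domain)
    except ValueError:
        return "malformed-domain"
    for trusted in trusted_domains:
        t_label, t_tld = registrable(trusted)
        # Same name, different TLD: the cloning pattern the advisory describes.
        if label == t_label and tld != t_tld and tld in SWAPPED_TLDS:
            return f"tld-swap-of:{trusted}"
        # Confusable substitution or a one-character typo of the trusted name.
        if fold(label) == fold(t_label) or levenshtein(label, t_label) == 1:
            return f"lookalike-of:{trusted}"
    return None


def scan_log(text, trusted_domains):
    """Yield (timestamp, sender, reason) for every suspicious line in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_sender(m["from"], trusted_domains)
        if reason:
            hits.append((m["ts"], m["from"], reason))
    return hits


if __name__ == "__main__":
    for ts, sender, reason in scan_log(SAMPLE_LOG, TRUSTED_DOMAINS):
        print(f"{ts} {sender}: {reason}")
```

Exact IOC matches are checked first so a listed domain is never downgraded to a mere look-alike. The trusted list should be your own vendors, customers and subsidiaries, since those are the names an IAB clones to make a lure credible; the TLD-swap rule alone would miss the confusable-character squats, which is why the folded comparison runs as well.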

Remediation

  • IOCs – Block the domains listed above at the email gateway, web proxy, and DNS resolver, and search mail logs for any prior contact with them.
  • Antivirus – Enable antivirus and anti-malware software and update signature definitions promptly.
  • 2FA – Enable two-factor authentication, especially on email and remote-access accounts.
  • Patch – Patch and upgrade platforms and software in a timely manner; prioritize known exploited vulnerabilities.
  • WAF – Deploy a Web Application Firewall with rules that block suspicious and malicious requests.
  • Admin Access – Limit administrative accounts and portals to the personnel who need them, and make sure they are not publicly accessible.
  • Passwords – Enforce strong passwords.
  • Logging – Log network activity and web server activity across the environment.
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.