Initial Access Brokers (IABs) are the “opportunistic locksmiths” of the cybersecurity world. They gain access to a victim’s network and then sell that access to the highest bidder. The rise in ransomware can be attributed in part to the increase in IABs. They often gain access by exploiting remote management software or Remote Desktop Protocol, or through brute-force attacks. They present cybercriminals with ready access to corporate networks: instead of the threat actors spending their own time, resources, and manpower on breaking in, the IAB does it for them. The buyers can then pick victims based on country, sector, and revenue and continue the intrusion from there.
EXOTIC LILY is one such IAB that has been closely linked with Conti and Diavol. At its peak, EXOTIC LILY sent more than 5,000 emails per day to up to 650 targeted organizations. They target the IT and cybersecurity sector. Their TTPs include spoofing employees of targeted companies in email campaigns as a means of gaining trust. They also use legitimate file-sharing services such as TransferNow, OneDrive, and WeTransfer to deliver payloads.
Source: Google TAG
To build credibility, they use a domain name identical to a real one with only the TLD changed to “.us”, “.biz”, or “.co”.
Figure: Example of an EXOTIC LILY phishing email impersonating an employee of a legitimate company
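As an added example (not from Google TAG's report or this page), the following Python check flags sender domains whose name matches a trusted domain but whose TLD differs, the lookalike pattern described above. The trusted-domain list and the From: headers are constructed sample data.

```python
import re

# Constructed sample data (not from the report): domains this organisation trusts.
LEGIT_DOMAINS = {"example.com", "partnerfirm.net"}
# TLDs the report names as the ones EXOTIC LILY swaps in.
REPORTED_SWAP_TLDS = {"us", "biz", "co"}

FROM_RE = re.compile(r"@([A-Za-z0-9.-]+)>?\s*$")


def split_domain(domain):
    """Split 'name.tld' into (name, tld); the name keeps any extra labels."""
    labels = domain.lower().strip().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[:-1]), labels[-1]


def classify_sender(sender_domain):
    """Compare a sender domain with trusted domains on the name before the TLD."""
    parts = split_domain(sender_domain)
    if parts is None:
        return "invalid"
    name, tld = parts
    if ".".join(parts) in LEGIT_DOMAINS:
        return "trusted"
    for legit in LEGIT_DOMAINS:
        legit_name, legit_tld = split_domain(legit)
        if name == legit_name and tld != legit_tld:
            # Same name, different TLD: the swap described in the text.
            return "lookalike-reported-tld" if tld in REPORTED_SWAP_TLDS else "lookalike-other-tld"
    return "unknown"


def scan_from_headers(headers):
    """Return (from_header, verdict) for each From: header that is not trusted."""
    findings = []
    for hdr in headers:
        m = FROM_RE.search(hdr)
        verdict = classify_sender(m.group(1)) if m else "invalid"
        if verdict != "trusted":
            findings.append((hdr, verdict))
    return findings


# Constructed From: headers illustrating the TLD swap (sample input, not real mail).
SAMPLE_HEADERS = [
    "From: Jane Doe <jane.doe@example.com>",
    "From: Jane Doe <jane.doe@example.us>",
    "From: Accounts <ar@partnerfirm.biz>",
    "From: Accounts <ar@partnerfirm.org>",
    "From: Someone <x@unrelated.io>",
]

if __name__ == "__main__":
    for hdr, verdict in scan_from_headers(SAMPLE_HEADERS):
        print(f"{verdict:24} {hdr}")
```

The name comparison is exact, so it catches only the TLD-swap variant; homoglyph or typo-squatted names need a separate edit-distance check.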
“We believe the shift to deliver BazarLoader, along with some other indicators such as a unique Cobalt Strike profile, further confirms the existence of a relationship between EXOTIC LILY and actions of a Russian cyber crime group tracked as WIZARD SPIDER (CrowdStrike), FIN12 (Mandiant, FireEye) and DEV-0193 (Microsoft),” the researchers concluded. “While the nature of those relationships remains unclear, EXOTIC LILY seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors.”