The Conti ransomware gang has been a headache for companies such as Shutterfly, encrypting and locking the data on their systems and demanding payment to unlock it. Google's Threat Analysis Group (TAG) has discovered an initial access broker linked with the Conti and Diavol ransomware gangs.
Sells access to ransomware groups
The initial access broker, dubbed EXOTIC LILY, runs phishing campaigns to gain access to target company networks and then sells that access (the methods and credentials) to ransomware groups. The group was first observed exploiting CVE-2021-40444, a Microsoft MSHTML zero-day vulnerability.
The group registers lookalike domains for the target companies for spoofing, mostly under the .us, .co, or .biz TLDs, then creates e-mail accounts on them to send phishing e-mails. It also creates fake social media accounts with AI-generated human faces.
Employees at the target company who do not check the full sender e-mail address may run the malicious files carrying the payloads, at which point EXOTIC LILY gains access to the target network. The files are delivered through popular file-sharing services such as TransferNow, TransferXL, WeTransfer, and OneDrive.
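The defensive counterpart to the spoofed-domain tactic above is a sender-domain check in mail logs. The following is an added example (not code from the article or from Google TAG) that flags sender domains imitating an organisation's own domain in three ways: the same registrable name under a different TLD (the .us/.co/.biz pattern the article reports), a one-character typosquat, and the brand name embedded as a subdomain of an unrelated domain. The company domain `example-corp.com`, the log line format and the `from=<...>` field are all constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Domains the organisation legitimately sends from (constructed for this example).
LEGIT_DOMAINS = {"example-corp.com"}


def split_domain(domain: str) -> Optional[Tuple[List[str], str, str]]:
    """Split 'label.tld' or 'sub.label.tld' into (all labels, registrable label, tld)."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2 or not all(parts):
        return None
    return parts, parts[-2], parts[-1]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, kept inline so the example needs no third-party package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str, legit=LEGIT_DOMAINS) -> Optional[str]:
    """Return a reason string if `domain` imitates one of our domains, else None."""
    parsed = split_domain(domain)
    if parsed is None:
        return "unparseable"
    labels, label, tld = parsed
    legit_parsed = [p for p in (split_domain(d) for d in legit) if p]

    # Exactly our domain, or a subdomain of it: nothing to flag.
    for _, l_label, l_tld in legit_parsed:
        if label == l_label and tld == l_tld:
            return None

    for l_labels, l_label, l_tld in legit_parsed:
        ours = f"{l_label}.{l_tld}"
        if label == l_label:                      # example-corp.us, example-corp.biz, ...
            return f"tld-swap ({ours} -> {domain})"
        if l_label in labels[:-2]:                # example-corp.com.support-portal.biz
            return f"embedded-brand ({ours} -> {domain})"
        if levenshtein(label, l_label) <= 1:      # examp1e-corp.com, examplecorp.com
            return f"typosquat ({ours} -> {domain})"
    return None


# Constructed mail-log format: the sender address sits in a 'from=<user@domain>' field.
SENDER_RE = re.compile(r"from=<[^@>]+@([^>]+)>")


def triage_mail_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (sender domain, reason) for every line whose sender imitates our domain."""
    hits = []
    for line in lines:
        m = SENDER_RE.search(line)
        if m:
            reason = classify_sender_domain(m.group(1))
            if reason:
                hits.append((m.group(1), reason))
    return hits


# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "2022-03-18T10:12:03 from=<hr@example-corp.com> to=<bob@example-corp.com> subject=Payroll",
    "2022-03-18T10:14:41 from=<hr@example-corp.us> to=<bob@example-corp.com> subject=Shared file",
    "2022-03-18T10:20:07 from=<legal@examp1e-corp.com> to=<alice@example-corp.com> subject=Contract",
    "2022-03-18T10:31:55 from=<noreply@vendor-mail.net> to=<alice@example-corp.com> subject=Invoice",
    "2022-03-18T10:40:12 from=<it@example-corp.com.support-portal.biz> to=<carol@example-corp.com> subject=Reset",
]

if __name__ == "__main__":
    for domain, reason in triage_mail_log(SAMPLE_LOG):
        print(f"{domain:45} {reason}")
```

The edit-distance threshold of one keeps the rule quiet on a real mail stream; raise it only for short brand names, and feed the flagged domains into a registration-monitoring or block-list workflow rather than blocking on a single hit.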
Active in working hours
The group is generally most active between 09:00 and 17:00 on weekdays, matching the usual working hours of most companies. At first it used document files with malicious payloads for exploitation, but it later switched to ISO files containing BazarLoader DLLs and LNK shortcuts.
EXOTIC LILY then improved its ISO files by using a DLL with a custom loader, BUMBLEBEE. This custom loader is a more advanced variant of the first-stage payload used in the CVE-2021-40444 exploitation; it uses WMI to collect system details and sends them to its C2 server.
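The ISO-with-LNK-and-DLL delivery described above leaves a recognisable trail on the endpoint: an image file mounted from a user's download location, followed by a DLL being loaded from the newly assigned drive letter. The example below is added here and is not code from the article, Google TAG, or any EDR product. It correlates constructed "mount" and "process" events to surface that chain. The event schema, the user and file names, and the assumption that the LNK launches the DLL through a host such as `rundll32.exe` with `explorer.exe` as the parent (a common pattern, but not something the article states) are all assumptions of this example.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed telemetry schema for this example (not Sysmon or any vendor format):
#   {"ts", "type": "mount",   "user", "source": <image file path>, "drive": "E:"}
#   {"ts", "type": "process", "user", "image", "parent", "cmdline"}

# Assumption: the LNK inside the ISO starts the DLL through one of these hosts.
LOADER_HOSTS = {"rundll32.exe", "regsvr32.exe"}
# Locations where a file fetched from a file-sharing service typically lands.
LURE_DIRS = ("\\downloads\\", "\\temp\\")
# A Windows path ending in .dll appearing anywhere on the command line.
DLL_ARG_RE = re.compile(r"([a-z]:\\[^\s,\"]+\.dll)", re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    user: str
    drive: str
    iso: str
    cmdline: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def detect_iso_lnk_dll(events: List[Dict]) -> List[Finding]:
    """Flag a DLL host launched from the shell that loads a DLL from a drive letter
    which the same user mounted from an ISO/IMG sitting in a download location."""
    mounted: Dict[str, Dict] = {}  # drive letter -> most recent qualifying mount event
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "mount":
            src = ev["source"].lower()
            if src.endswith((".iso", ".img")) and any(d in src for d in LURE_DIRS):
                mounted[ev["drive"].upper()] = ev
            continue
        if ev["type"] != "process":
            continue
        if _basename(ev["image"]) not in LOADER_HOSTS:
            continue
        if _basename(ev["parent"]) != "explorer.exe":
            continue  # a double-clicked shortcut is started by the shell (assumption)
        m = DLL_ARG_RE.search(ev["cmdline"])
        if not m:
            continue
        drive = m.group(1)[:2].upper()
        mount = mounted.get(drive)
        if mount and mount["user"] == ev["user"]:
            findings.append(Finding(ev["ts"], ev["user"], drive, mount["source"], ev["cmdline"]))
    return findings


# Constructed sample events, not real telemetry. Only the first pair should fire:
# the admin's ISO comes from a non-download path, and shell32.dll lives on C:.
SAMPLE_EVENTS = [
    {"ts": "2022-03-18T10:15:02", "type": "mount", "user": "bob",
     "source": r"C:\Users\bob\Downloads\Invoice_0318.iso", "drive": "E:"},
    {"ts": "2022-03-18T10:15:09", "type": "process", "user": "bob",
     "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe E:\docs\report.dll,Entry"},
    {"ts": "2022-03-18T10:16:30", "type": "process", "user": "alice",
     "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ts": "2022-03-18T11:02:00", "type": "mount", "user": "admin",
     "source": r"D:\ISOs\Win11.iso", "drive": "F:"},
    {"ts": "2022-03-18T11:02:20", "type": "process", "user": "admin",
     "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe F:\setup\helper.dll,Run"},
]

if __name__ == "__main__":
    for f in detect_iso_lnk_dll(SAMPLE_EVENTS):
        print(f"{f.ts} user={f.user} drive={f.drive} iso={f.iso} cmd={f.cmdline}")
```

Correlating on the user and the drive letter rather than on file names keeps the rule independent of whatever lure names the campaign uses; the trade-off is that legitimately mounted images in a Downloads folder will also be reviewed, which is usually an acceptable volume.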
Google has also published the recent fake domains, the BazarLoader ISO samples, the BUMBLEBEE ISO samples, and the C2 of the BUMBLEBEE malware:
BazarLoader ISO samples:
BUMBLEBEE ISO samples: