
Google Analyzes Activity of ‘Exotic Lily’ Initial Access Broker

On Thursday, Google published an analysis of the activities of an initial access broker (IAB) linked to a Russian-speaking cybercrime group known as FIN12 and Wizard Spider.

This financially motivated group, which Google tracks as Exotic Lily, specialises in compromising targets to provide access to other threat actors. Its activities are closely linked to data exfiltration and the deployment of ransomware such as Conti and Diavol, and there are some overlaps with BazarLoader and TrickBot distribution.

Exotic Lily was likely sending over 5,000 phishing emails per day at its peak, targeting approximately 650 organisations worldwide, primarily in the cybersecurity, healthcare, and IT sectors.

To avoid detection, the group employs tactics, techniques, and procedures (TTPs) typically associated with more targeted attacks, such as spoofing of companies and employees, and uses file-sharing services for payload delivery.

Exotic Lily has been tracked by Google’s Threat Analysis Group (TAG) since September 2021, when the hackers were observed exploiting CVE-2021-40444, then a zero-day vulnerability in Microsoft MSHTML. Since then, the group’s attack chain has remained relatively consistent.

According to Google’s researchers, Exotic Lily creates entirely fake personas to pose as employees of a real company. The group then sends spear-phishing emails from spoofed email accounts, and even attempts to schedule a meeting with the target. In the final stage, a payload hosted on a public file-sharing service is sent to the victim.

The group known as Exotic Lily, or FIN12, seems to operate as a separate entity from the group behind the Conti and Diavol attacks. Initially relying on CVE-2021-40444 exploits, the group has switched to the use of ISO files containing BazarLoader DLLs and LNK shortcuts. The samples appear to have been custom built for this group only.
