EXOTIC LILY - Initial Access Brokers

Industry: Healthcare, Information Technology: Cybersecurity | Level: Tactical | Source: Google TAG

Google's Threat Analysis Group (TAG) reports on the threat actor group, EXOTIC LILY identified as Initial Access Brokers (IAB). The group is observed to be financially motivated with associations to Wizard Spider/FIN12 and ransomware associations with Conti and Diavol. Initial target sectors tracked in November 2021, included healthcare and information technology specifically cybersecurity, however the group since has widened its target groups. Peak activity recorded from the group identified EXOTIC LILY "sending more than 5,000 emails a day, to as many as 650 targeted organizations globally." Tactics observed by the team include targeted phishing campaigns (typically spoofing domains and fake personas), the use of "legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload", payload delivery with" ISO files with hidden BazarLoader DLLs and LNK shortcuts" and exploiting MSHTML vulnerability CVE-2021-40444.

• Anvilogic Use Case: Malicious Document Execution