Cybercrime , Cybercrime as-a-service , Fraud Management & Cybercrime

Google Exposes Initial Access Broker Ties to Ransomware

Broker Provides Services to Conti, Diavol Ransomware Groups
Google Exposes Initial Access Broker Ties to Ransomware

Researchers have uncovered a full-time initial-access broker group that serves both the Conti and Diavol ransomware groups.

See Also: OnDemand | The Cost of Underpreparedness to Your Business

Google's Threat Analysis Group - TAG - observed this financially motivated threat actor, dubbed Exotic Lily, exploiting a zero-day in Microsoft MSHTML tracked as CVE-2021-40444.

"Investigating this group's activity, we determined they are an Initial Access Broker who appear to be working with the Russian cybercrime gang known as FIN12/Wizard Spider," say Vlad Stolyarov and Benoit Sevens of Google's Threat Analysis Group.

Initial access brokers are the locksmiths of the security world. They specialize in breaching a target to open the doors - or the Windows - to the malicious actor with the highest bid.

Using initial access brokers enables attackers to avoid the time-consuming, laborious process of finding victims and attempting to hack them. Instead, they can choose from a menu of potential victims and pay for remote access credentials that are guaranteed to work.

Exotic Lily

Exotic Lily is a financially motivated group, the TAG researchers say. Its activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware, such as Conti and Diavol.

"At the peak of Exotic Lily's activity, we estimate they were sending more than 5,000 emails a day, to as many as 650 targeted organizations globally. Up until November 2021, the group seemed to be targeting specific industries such as IT, cybersecurity and healthcare, but as of late we have seen them attacking a wide variety of organizations and industries, with less specific focus," the researchers say.

The researchers also observed the threat actor deploying tactics, techniques and procedures that are traditionally associated with more targeted attacks, such as spoofing companies and employees as a means of gaining trust by a targeted organization via email campaigns.

The group also leverages legitimate file-sharing services such as WeTransfer, TransferNow and OneDrive to deliver the payload, further evading detection mechanisms.

"This level of human interaction is rather unusual for cybercrime groups focused on mass-scale operations," the researchers say.

Spoofing Identities

One of the group's key techniques involves the use of domain and identity spoofing as a way to gain additional credibility with a targeted organization.

"In the majority of cases, a spoofed domain name was identical to a real domain name of an existing organization, with the only difference being a change of TLD to '.us', '.co' or '.biz'. The group would create entirely fake personas posing as employees of a real company. That would sometimes consist of creating social media profiles, personal websites and generating a fake profile picture using public service to create an AI-generated human face," the researchers say.

The researchers found that in November 2021, the group started impersonating real company employees by copying their personal data from social media and business databases such as RocketReach and Crunchbase.

Using spoofed email accounts, attackers then started sending spear-phishing emails under the pretext of a business proposal. They would also engage with the target by attempting to schedule a meeting to discuss the project's design or requirements.

In the final stage of the attack, the attacker uploads the payload to a public file-sharing service - TransferNow, TransferXL, WeTransfer or OneDrive - allowing the final email to originate from the email address of a legitimate file-sharing service and not the attacker’s email, which presents additional detection challenges, the researchers say.

Attack chain identified by Google (Source: Google TAG website)

Google's TAG team says evidence suggests that this campaign is human-operated phishing at scale, in which the operator’s role includes:

  • Customizing the initial "business proposal" templates when first contacting a targeted organization;
  • Handling further communications to gain affinity and trust;
  • Uploading malware to a file-sharing service prior to sharing it with the target.

Further breakdown of the threat actor's communication activity shows that the operators are working a typical 9-to-5 job. In addition, researchers claim that the distribution of the actor's working hours suggests that they might be working from a Central or Eastern European time zone.

Example of a fake social media profile created by threat actors (Source: Google TAG website)


This campaign first gained the attention of researchers with the use of documents containing an exploit for CVE-2021-40444; the attackers later switched to the delivery of ISO files with hidden BazarLoader DLLs and LNK shortcuts.

"These samples have some indicators that suggest they were custom-built to be used by the group. For example, metadata embedded in the LNK shortcuts shows that a number of fields, such as the 'Machine Identifier' and 'Drive Serial Number' were shared with BazarLoader ISOs distributed via other means, however, other fields such as the command line arguments were unique for samples distributed by Exotic Lily," the researchers say.

In March, the group continued delivering ISO files, which Google researchers say contained a DLL, a custom loader and a more advanced variant of a first-stage payload previously seen during CVE-2021-40444 exploitation. It can be recognized using a unique user-agent "bumblebee" that both variants share.

"The malware, hence dubbed Bumblebee, uses WMI to collect various system details such as OS version, user name and domain name, which are then exfiltrated in JSON format to a command and control. In response, it expects to receive one of the several supported "tasks", which include execution of shellcode, dropping and running executable files. At the time of the analysis, bumblebee was observed to fetch Cobalt Strike payloads," the researchers say.

The researchers also state that the activities of Exotic Lily overlap with a group tracked as DEV-0413 by Microsoft and were also described by Abnormal Security in a recent post. Earlier reports of attacks exploiting CVE-2021-40444 have indicated overlaps between domains involved in the delivery chain of an exploit and infrastructure used for BazarLoader and TrickBot distribution, they say.

"We believe the shift to deliver BazarLoader, along with some other indicators such as a unique Cobalt Strike profile further confirms the existence of a relationship between Exotic Lily and actions of a Russian cybercrime group tracked as WIZARD SPIDER, FIN12 and DEV-0193. While the nature of those relationships remains unclear, this group seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors," the researchers say.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.