| SYMBOL | COMMON_NAME | aka. SYNONYMS |
EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. In early September 2021, the group has been obeserved exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigation lead researchers to believe that they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike). This threat actor deploys tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, namely BUMBLEEBEE and BAZARLOADER, further evading detection mechanisms. This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations.
There are currently no families associated with this actor.
| 2022-03-17 ⋅ Google ⋅ Exposing initial access broker with ties to Conti BazarBackdoor BumbleBee Conti EXOTIC LILY |
| 2021-09-15 ⋅ Microsoft ⋅ Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability EXOTIC LILY |