Exotic Lily is the name of an IAB (Initial Access Broker) group on which Google has published a report detailing its methods of operation over the past year. The group's aim is to gain access to corporate networks and then auction that access off to the highest bidder among interested cybercriminals.
According to Google’s reconstruction, Exotic Lily’s strategy is more sophisticated than that typical of ransomware groups. To make everything more credible, the attackers create fake social profiles, for example on LinkedIn (as in the case shown in the image below), using readily available data on real employees to build duplicates that look authentic. These profiles are paired with forged email accounts, which are used to initiate contact with victims and build a relationship of trust.
When it is time to strike, the group uses file-sharing services such as OneDrive to deliver the payload that lays the groundwork for the ransomware attack, while masking its origins. Exotic Lily also exploited a zero-day vulnerability in the Windows MSHTML component to complete its attacks – a weakness that Microsoft addressed in a fix released in late 2021.
EUROPEAN HACKERS IN CONTACT WITH THE RUSSIAN CONTI GROUP
Exotic Lily’s operation is particularly large: according to Google’s estimates, it sends more than 5,000 emails a day to 650 organizations around the world. Up until November 2021, the group appeared to target specific sectors such as IT, cybersecurity and healthcare, but more recently it seems to have expanded its reach, attacking a wide variety of organizations and sectors with a less specific focus.
The Mountain View specialists believe Exotic Lily is linked to the infamous Russian ransomware group Conti, which in 2021 alone is estimated to have extorted as much as $200 million from the targets it hit, and which is currently in crisis because an insider leaked a huge amount of internal logs, revealing the tactics the hackers use.
As for Exotic Lily, Google noted that its “working” hours run from 9 to 5 with little activity over the weekend – an hourly distribution that suggests the hackers could be operating in Central or Eastern Europe.