Google’s Threat Analysis Group (TAG) describes a cybercriminal group it calls “EXOTIC LILY” that acts as an initial access broker for numerous financially motivated threat actors, including FIN12 and the Conti ransomware gang. EXOTIC LILY uses phishing attacks to gain access to organizations’ networks, then sells this access to other gangs for further exploitation.
“At the peak of EXOTIC LILY’s activity, we estimate they were sending more than 5,000 emails a day, to as many as 650 targeted organizations globally,” the researchers write. “Up until November 2021, the group seemed to be targeting specific industries such as IT, cybersecurity and healthcare, but as of late we have seen them attacking a wide variety of organizations and industries, with less specific focus.”
The researchers note that despite the high volume of the attacks, EXOTIC LILY still manages to customize its campaigns to each targeted organization.
“We have observed this threat actor deploying tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation,” the researchers write. “Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, further evading detection mechanisms. This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations.”
The researchers add that the threat actor has improved its social engineering techniques over the past several months.
“Initially, the group would create entirely fake personas posing as employees of a real company,” TAG says. “That would sometimes consist of creating social media profiles, personal websites and generating a fake profile picture using a public service to create an AI-generated human face. In November 2021, the group began to impersonate real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.”
The attackers use these spoofed accounts to send spear phishing messages to employees at the targeted companies, discussing a phony business opportunity.
“Attackers would sometimes engage in further communication with the target by attempting to schedule a meeting to discuss the project's design or requirements,” TAG says. “At the final stage, the attacker would upload the payload to a public file-sharing service (TransferNow, TransferXL, WeTransfer or OneDrive) and then use a built-in email notification feature to share the file with the target, allowing the final email to originate from the email address of a legitimate file-sharing service and not the attacker’s email, which presents additional detection challenges.”
New-school security awareness training can enable your employees to thwart targeted social engineering attacks.
Here's how it works:
