Skip to content

G1011 EXOTIC LILY

EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.1

Item Value
ID G1011
Associated Names
Version 1.0
Created 18 August 2022
Last Modified 24 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains EXOTIC LILY has registered domains to spoof targeted organizations by changing the top-level domain (TLD) to “.us”, “.co” or “.biz”.1
enterprise T1585 Establish Accounts -
enterprise T1585.001 Social Media Accounts EXOTIC LILY has established social media profiles to mimic employees of targeted companies.1
enterprise T1585.002 Email Accounts EXOTIC LILY has created e-mail accounts to spoof targeted organizations.1
enterprise T1203 Exploitation for Client Execution EXOTIC LILY has used malicious documents containing exploits for CVE-2021-40444 affecting Microsoft MSHTML.1
enterprise T1589 Gather Victim Identity Information -
enterprise T1589.002 Email Addresses EXOTIC LILY has gathered targeted individuals’ e-mail addresses through open source research and website contact forms.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment EXOTIC LILY conducted an e-mail thread-hijacking campaign with malicious ISO attachments.12
enterprise T1566.002 Spearphishing Link EXOTIC LILY has relied on victims to open malicious links in e-mails for execution.1
enterprise T1566.003 Spearphishing via Service EXOTIC LILY has used the e-mail notification features of legitimate file sharing services for spearphishing.1
enterprise T1597 Search Closed Sources EXOTIC LILY has searched for information on targeted individuals on business databases including RocketReach and CrunchBase.1
enterprise T1593 Search Open Websites/Domains -
enterprise T1593.001 Social Media EXOTIC LILY has copied data from social media sites to impersonate targeted individuals.1
enterprise T1594 Search Victim-Owned Websites EXOTIC LILY has used contact forms on victim websites to generate phishing e-mails.1
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware EXOTIC LILY has uploaded malicious payloads to file-sharing services including TransferNow, TransferXL, WeTransfer, and OneDrive.1
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link EXOTIC LILY has used malicious links to lure users into executing malicious payloads.1
enterprise T1204.002 Malicious File EXOTIC LILY has gained execution through victims clicking on malicious LNK files contained within ISO files, which can execute hidden DLLs within the ISO.12
enterprise T1102 Web Service EXOTIC LILY has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payloads.1

Software

ID Name References Techniques
S0534 Bazar 1 Local Account:Account Discovery Domain Account:Account Discovery Web Protocols:Application Layer Protocol BITS Jobs Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Shortcut Modification:Boot or Logon Autostart Execution Winlogon Helper DLL:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Data from Local System Deobfuscate/Decode Files or Information Domain Trust Discovery Domain Generation Algorithms:Dynamic Resolution Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Fallback Channels File and Directory Discovery Disable or Modify Tools:Impair Defenses File Deletion:Indicator Removal Clear Persistence:Indicator Removal Ingress Tool Transfer Double File Extension:Masquerading Match Legitimate Name or Location:Masquerading Masquerade Task or Service:Masquerading Multi-Stage Channels Native API Network Share Discovery Obfuscated Files or Information Dynamic API Resolution:Obfuscated Files or Information Software Packing:Obfuscated Files or Information Spearphishing Link:Phishing Process Discovery Process Doppelgänging:Process Injection Process Hollowing:Process Injection Process Injection Query Registry Remote System Discovery Scheduled Task:Scheduled Task/Job Security Software Discovery:Software Discovery Software Discovery Code Signing:Subvert Trust Controls System Information Discovery System Language Discovery:System Location Discovery System Network Configuration Discovery System Owner/User Discovery System Time Discovery Malicious Link:User Execution Time Based Evasion:Virtualization/Sandbox Evasion Virtualization/Sandbox Evasion Web Service Windows Management Instrumentation
S1039 Bumblebee 1 Bypass User Account Control:Abuse Elevation Control Mechanism Archive Collected Data Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Standard Encoding:Data Encoding Data from Local System Debugger Evasion Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel Fallback Channels File Deletion:Indicator Removal Ingress Tool Transfer Component Object Model:Inter-Process Communication Match Legitimate Name or Location:Masquerading Native API Obfuscated Files or Information Spearphishing Attachment:Phishing Spearphishing Link:Phishing Process Discovery Asynchronous Procedure Call:Process Injection Dynamic-link Library Injection:Process Injection Process Injection Query Registry Scheduled Task:Scheduled Task/Job Shared Modules Security Software Discovery:Software Discovery Odbcconf:System Binary Proxy Execution Rundll32:System Binary Proxy Execution System Information Discovery System Owner/User Discovery Malicious File:User Execution Malicious Link:User Execution Time Based Evasion:Virtualization/Sandbox Evasion System Checks:Virtualization/Sandbox Evasion Virtualization/Sandbox Evasion Web Service Windows Management Instrumentation

References

  1. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022. 

  2. Merriman, K. and Trouerbach, P. (2022, April 28). This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming. Retrieved August 22, 2022.