Exotic Lily, aka PROJECTOR LIBRA and TA580, is an Initial Access Broker (IAB). Since its emergence, the threat actor has gained notoriety in the criminal underground through its connections with ransomware operations, including Diavol and Conti. Recently, researchers at ReliaQuest spotted and investigated phishing attempts by the group.

What’s going on?

The attack commenced with an email sent to the target, posing as a potential business opportunity.
  • Exotic Lily sent it from a spoofed lookalike domain that mimicked a legitimate organization; the only difference between the two domains was the top-level domain.
  • Once a conversation was established, the next stage involved hosting a malicious ZIP archive on well-known file-sharing platforms such as WeTransfer, OneDrive, TransferNow, and TransferXL.
  • Exotic Lily uses Windows shortcut (LNK) files to deliver the BumbleBee loader, which then installs further malicious content on the victim's assets.
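The three steps above each leave something a mail gateway or SOC can check for: a sender domain that differs from a known partner only in its TLD, a link to a file-transfer service, and a shortcut file inside the delivered archive. The script below is an added triage example, not code from the article or from ReliaQuest. The trusted-domain list, the file-sharing hostnames, the sample message and the in-memory ZIP are all constructed for the example; the only real-world detail it relies on is that every Windows shortcut begins with the LNK header (HeaderSize 0x4C followed by the LinkCLSID), which lets it catch a shortcut even when the extension has been changed.

```python
"""Added triage example (not from the article or ReliaQuest): flags the three
observable traits of the delivery chain described above, on constructed input."""
import io
import re
import zipfile
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed watchlist: domains this organization actually does business with (assumption).
TRUSTED_DOMAINS = {"acme-industrial.com", "northwind-traders.com"}

# Hosts of the file-transfer services named in the article (hostnames are an assumption).
FILE_SHARE_HOSTS = {"wetransfer.com", "onedrive.live.com", "1drv.ms",
                    "transfernow.net", "transferxl.com"}

# Extensions that should never arrive inside a "business proposal" archive.
RISKY_EXTENSIONS = {".lnk", ".iso", ".img", ".exe", ".dll", ".js", ".vbs", ".bat", ".cmd"}

# Every Windows shortcut starts with HeaderSize 0x4C (little-endian) and the
# LinkCLSID {00021401-0000-0000-C000-000000000046}, so a renamed .lnk is still catchable.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def lookalike_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain a sender impersonates by swapping only the TLD, else None.
    Splits on the first dot, so 'acme.co.uk' is treated as label 'acme' plus suffix 'co.uk'."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain or domain in trusted:
        return None
    label = domain.split(".", 1)[0]
    for t in trusted:
        if t.split(".", 1)[0] == label:
            return t
    return None


def file_share_links(body):
    """Return the file-sharing hosts referenced by URLs in the message body."""
    hosts = set()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        # match the watched host itself or any subdomain of it
        if any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS):
            hosts.add(host)
    return sorted(hosts)


def risky_archive_members(zip_bytes):
    """Return (member name, reason) for archive entries that are shortcuts or executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                findings.append((name, "Windows shortcut (LNK header)"))
            elif ext in RISKY_EXTENSIONS:
                findings.append((name, "risky extension " + ext))
    return findings


def triage(from_header, body, zip_bytes):
    """Combine the three checks into one verdict for a delivered message plus archive."""
    return {
        "impersonated_domain": lookalike_sender(from_header),
        "file_share_hosts": file_share_links(body),
        "archive_findings": risky_archive_members(zip_bytes),
    }


def constructed_sample():
    """Build a message and archive that mimic the described chain (constructed, not real)."""
    from_header = "Dana Reyes <dana.reyes@acme-industrial.us>"
    body = ("Hi, following up on our call. The proposal is here: "
            "https://wetransfer.com/downloads/abc123 \nThanks, Dana")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # a shortcut disguised as a PDF, and one renamed to hide the .lnk extension entirely
        zf.writestr("Project_Proposal.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("Terms.pdf", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("README.txt", b"Please open the proposal.")
    return from_header, body, buf.getvalue()


if __name__ == "__main__":
    print(triage(*constructed_sample()))
```

The magic-byte check is what matters in practice: extension filters are trivially bypassed by renaming, whereas the LNK header must be present for Explorer to treat the file as a shortcut. The TLD comparison is deliberately simple and does not consult a public-suffix list, so domains under multi-label suffixes such as co.uk should be reviewed by hand.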

Why this matters

Exotic Lily is known for its expertise in obtaining login credentials from high-value targets by utilizing techniques such as employee impersonation, OSINT, and the creation of convincing fraudulent documents.
  • Exotic Lily has gained considerable traction and success by paying close attention to the finer details of its phishing campaigns.
  • The attackers follow a well-established procedure that typically commences with initiating an open conversation with the victim.
  • These impersonation personas exploit the implied trust to lure victims into visiting apparently innocuous sites that end up delivering harmful payloads.

Some IAB stats

  • A report from January revealed that corporate access sold by IABs on the dark web doubled, with 2,348 cases observed between H2 2021 and H1 2022.
  • IABs primarily targeted companies operating in manufacturing (5.8%), financial services (5.1%), real estate (4.6%), and education (4.2%) in the U.S. 
  • The most common access types offered were compromised VPNs (37%) and RDP (36%).

The bottom line

If a threat group like Exotic Lily targets an organization, that organization must ensure its security posture is robust. ReliaQuest advises blocking unsanctioned file-sharing, torrent, and peer-to-peer sites. It also suggests creating strong policies and user access controls governing which executables are allowed to run on the corporate network.
Cyware Publisher