Exotic Lily, aka Projector Libra, spoofs businesses around the world


An initial access broker (IAB), Exotic Lily is known for its ties to ransomware groups such as Diavol and Conti. The threat ecosystem around Exotic Lily includes some of the most prolific malware in the world.

According to the ReliaQuest Photon Threat Research team:

“Exotic Lily has become particularly prevalent and successful due to the high detail they apply to their phishing campaigns. This has been seen repeatedly through a tried-and-tested path that typically begins with an open conversation with the victim, sourced from a fabricated business profile. These profiles then exploit this implied sense of trust to lure victims into navigating to seemingly benign sites to download malicious payloads.”

How does the attack work?

The attack begins with an email that claims to come from a legitimate company, most often posing as someone offering a job opportunity.

  • The only difference between the spoofed domain and the legitimate one is the top-level domain. Exotic Lily targets all subdomains when spoofing users.
  • Once communication is established, the next stage involves hosting a malicious zip file on well-known file-sharing platforms such as WeTransfer, OneDrive, TransferNow, and TransferXL.
  • Exotic Lily uses Windows shortcut (LNK) files to deliver the BumbleBee loader, which installs further malicious content on the victim’s assets.

Photon Threat Research team said: “We have investigated a unique case where a Python interpreter and Python-based loader were used instead of BumbleBee. The packaged Python was executed when the user interacted with this LNK file, and a Cobalt Strike Beacon was loaded onto the victim’s machine. Shortly after, the beacon established a C2 channel and host enumeration began. This activity was short-lived, as the host was contained at this point.”

What are IAB attacks?

An Initial Access Broker (IAB) is a type of cybercriminal who specializes in selling access to compromised computer systems or networks. An IAB typically:

  • Gains access to a victim’s computer system through various means, such as phishing attacks, software vulnerabilities, or other forms of exploitation.
  • Offers this access for sale on the dark web or other underground marketplaces. These sales are usually conducted via anonymous cryptocurrency transactions, which makes it difficult to track the payments and identify the cybercriminals involved.
  • Uses the access for various purposes, such as stealing sensitive data, conducting further attacks, or deploying ransomware.

Initial access brokers are a significant threat to organizations and individuals, as they can provide an entry point for other cybercriminals and expose sensitive data to theft or misuse.

How to defend against it?

Your security procedures may be lacking if your company is targeted by Exotic Lily. To reduce the risk, you can:

  • Create a security policy that restricts downloading specific executables.
  • Block unsanctioned file sharing and torrenting.
  • Revisit your security procedures.
  • Deploy domain impersonation monitoring.
  • Deploy phishing analyzers to stop malicious emails before they reach users.
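As an added illustration of the lookalike-domain pattern described above (same registered name, different top-level domain, sometimes under a subdomain) and of the domain impersonation monitoring recommended in the list, here is a small Python check that is not from the original post or from ReliaQuest; the legitimate domains, the two-part suffix set and the sample From: headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed sample: the organisation's own legitimate sending domains.
LEGIT_DOMAINS = {"example-corp.com", "example-corp.co.uk"}

# Two-part public suffixes handled by this heuristic (assumption; not a full public-suffix list).
MULTI_LABEL_TLDS = {"co.uk", "org.uk", "com.au", "co.jp"}

# Constructed sample From: header values, not real campaign data.
SAMPLE_FROM_HEADERS = [
    "Alice Smith <alice@example-corp.com>",   # genuine domain
    "Alice Smith <alice@example-corp.us>",    # same label, different TLD
    "HR Team <jobs@hr.example-corp.net>",     # lookalike hidden under a subdomain
    "Bob <bob@unrelated.org>",                # no resemblance
]


def split_domain(domain):
    """Return (registered_label, suffix), e.g. example-corp.co.uk -> ('example-corp', 'co.uk')."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_TLDS:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def classify_sender(header, legit_domains=LEGIT_DOMAINS):
    """Classify a From: header as legitimate, tld-lookalike, unrelated or unparseable."""
    _, addr = parseaddr(header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    # An exact match, or a subdomain of a legitimate domain, is genuine.
    if domain in legit_domains or any(domain.endswith("." + d) for d in legit_domains):
        return "legitimate"
    # Same registered label under a different TLD, at any subdomain depth, is the pattern to flag.
    label, _ = split_domain(domain)
    if label in {split_domain(d)[0] for d in legit_domains}:
        return "tld-lookalike"
    return "unrelated"


def scan_headers(headers):
    """Map each header to its verdict; tld-lookalike results belong in a review queue."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in scan_headers(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:14} {header}")
```

In practice the same check would run over inbound mail logs or gateway headers, and a hit on the lookalike label is also a good seed for domain-registration monitoring.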

Ending note

IABs like Exotic Lily are a significant and growing threat in the cybersecurity landscape. Organizations must protect their systems and networks from cyber attacks by implementing strong security measures, monitoring for suspicious activity, and providing cybersecurity training to employees.

Author: PureVPN

Date: March 13, 2023


PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, it helps consumers and businesses keep their online identity secured.
