Exotic Lily IAB threatens targets with a new malicious campaign

March 20, 2023

The Initial Access Broker (IAB) entity Exotic Lily has been active since it first appeared in the cybercriminal landscape. The group has gained standing in the cybercriminal community because it is affiliated with well-known ransomware gangs such as Conti and Diavol. Researchers recently discovered that the group currently has an ongoing phishing campaign.

Based on reports, the phishing attack starts with the attackers sending a deceptive email that pretends to be a business opportunity. The group uses a spoofed domain so that the message appears to originate from a legitimate organisation.

Once the actors have established communication with their target, the next step is to host a malicious zip file on popular file-sharing platforms such as TransferXL, TransferNow, OneDrive, and WeTransfer.

In addition, Exotic Lily IAB uses Windows shortcut (.lnk) files to launch the BumbleBee loader and install malicious content on a victim’s device.
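The delivery chain described above (a zip archive from a file-sharing service carrying a Windows shortcut that starts a loader) can be triaged without opening the shortcut. The following script, added here as an example and not code from the original article or from any vendor it cites, walks a zip archive, identifies .lnk entries by extension or by the Shell Link header, and extracts the relative path and command-line arguments from the shortcut's StringData section (per the MS-SHLLINK layout: ShellLinkHeader, optional LinkTargetIDList and LinkInfo, then StringData). The sample archive, the shortcut builder used to create it, and the list of interpreter names it flags are all constructed for this demonstration.

```python
"""Triage helper: list Windows shortcuts inside a zip archive and surface their
command lines, flagging ones that invoke a script interpreter or LOLBin.
Added example; field layout follows the MS-SHLLINK specification."""
import io
import struct
import zipfile

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk (little-endian GUID)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that affect where StringData begins and what it holds
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Constructed watch list: interpreters that rarely belong in a shortcut shipped in an archive
SUSPICIOUS_TOKENS = ("cmd", "powershell", "rundll32", "regsvr32", "mshta", "wscript", "cscript")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shortcut; raise ValueError if it is not one."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize/CLSID)")
    flags, = struct.unpack_from("<I", data, 20)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList: 2-byte size + items
        id_list_size, = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # skip LinkInfo: size is its first DWORD
        link_info_size, = struct.unpack_from("<I", data, off)
        off += link_info_size
    fields = {}
    # StringData entries appear in this fixed order, each only if its flag is set
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, off)   # CountCharacters, not bytes
        off += 2
        if flags & IS_UNICODE:
            fields[key] = data[off:off + count * 2].decode("utf-16-le", errors="replace")
            off += count * 2
        else:
            fields[key] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return fields


def scan_archive(zip_bytes: bytes) -> list:
    """Return one finding per shortcut entry found in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            payload = zf.read(info.filename)
            looks_like_lnk = payload[:4] == b"\x4c\x00\x00\x00" and payload[4:20] == LNK_CLSID
            if not info.filename.lower().endswith(".lnk") and not looks_like_lnk:
                continue
            try:
                fields = parse_lnk(payload)
            except ValueError as exc:
                findings.append({"entry": info.filename, "error": str(exc)})
                continue
            cmdline = " ".join(v for v in (fields.get("relative_path"), fields.get("arguments")) if v)
            hits = [t for t in SUSPICIOUS_TOKENS if t in cmdline.lower()]
            findings.append({"entry": info.filename, "command_line": cmdline,
                             "suspicious": bool(hits), "matched": hits})
    return findings


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal shortcut for the demo: header plus Unicode StringData only."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # attributes/timestamps zeroed
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


def build_sample_archive() -> bytes:
    """Constructed zip resembling a file-sharing lure: one shortcut that runs cmd.exe,
    one harmless shortcut to a text file, and a plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Proposal.lnk",
                    build_sample_lnk("..\\Windows\\System32\\cmd.exe", "/c echo constructed sample"))
        zf.writestr("README.lnk", build_sample_lnk(".\\README.txt", ""))
        zf.writestr("notes.txt", "plain text, not a shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding)
```

The parser reads only the StringData section; a shortcut whose real target lives solely in the LinkTargetIDList will show an empty command line, so treat an archived .lnk with no visible relative path as a reason for deeper analysis rather than as a clean result.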


Exotic Lily IAB uses different attack methods to harvest information from its targets.


According to researchers, the Exotic Lily IAB threat group specialises in acquiring login information from its targets using several tactics, including OSINT, employee impersonation, and developing fraudulent documents.

The group has built its reputation on sophisticated phishing campaigns with a high success rate. Researchers explained that the hackers follow a well-crafted procedure that usually begins with a carefully planned conversation with the victim.

The impersonated employee profiles abuse the trust they earn from the target to lure them into visiting malicious websites that can end up delivering compromised payloads.

A tally earlier this year showed that the number of IAB access listings sold on the dark web had doubled compared with the previous year and 2021. The most affected organisations in the United States are manufacturing, financial services, real estate, and academic institutions. Furthermore, the actors mostly used compromised VPNs and RDP to access their targets.

Organisations should deploy a robust security solution to reduce the chances of being targeted by Exotic Lily. Users should be blocked from unwanted file-sharing, peer-to-peer, and torrent sites. Large companies should enforce a firm policy and user-access privileges governing which executables are allowed to run on the corporate network.
