Google discovers threat actor working as an ‘initial access broker’ for Conti ransomware hackers

Google’s Threat Analysis Group has observed a financially motivated threat actor working as an intermediary for the Russian hackers, including the Conti ransomware gang.

The group, which Google refers to as “Exotic Lily,” acts as an initial access broker, finding vulnerable organizations and selling access to their networks to the highest bidder. By contracting out the initial access to a victim’s network, ransomware gangs like Conti can focus on the execution phase of an attack.

In the case of Exotic Lily, this initial access was gained through email campaigns, in which the group masqueraded as legitimate organizations and employees through the use of domain and identity spoofing. In the majority of cases, a spoofed domain was nearly identical to the real domain name of an existing organization, but changed the top-level domains to “.us,” “.co” or “.biz.” In order to appear as legitimate employees, Exotic Lily set up social media profiles and AI-generated images of human faces.

The attackers, which Google believes are operating from Central or Eastern Europe due to the threat actors’ working hours, would then send spear-phishing emails under the pretext of a business proposal, before ultimately uploading a payload to a public file-sharing service such as WeTransfer or Microsoft OneDrive.

“This level of human interaction is rather unusual for cybercrime groups focused on mass-scale operations,” notes Google researchers Vlad Stolyarov and Benoit Sevens in a blog post shared with TechCrunch before publication.

These malicious payloads initially took the form of documents containing an exploit for a zero-day in Microsoft’s MSHTML browser engine (tracked as CVE-2021-40444), before the attackers switched to the delivery of ISO disk images containing hidden BazarLoader payloads. Google researchers say this shift confirms Exotic Lily’s relationship with a Russian cybercrime group tracked as Wizard Spider (also known as UNC1878), which is linked to the notorious Ryuk ransomware that has been used to target businesses, hospitals — including U.S-based Universal Health Services — and government institutions since 2018.

While the nature of this relationship remains unclear, Google says that Exotic Lily appears to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware.

Exotic Lily, which was first observed in September 2021 and is still active today, was sending more than 5,000 phishing emails a day to as many as 650 organizations during the peak of its activity, Google said. While the group initially seemed to be targeting specific industries such as IT, cybersecurity and healthcare, it has more recently begun attacking a wide variety of organizations and industries, with less of a specific focus.

Google has also shared indicators of compromise (IOCs) from Exotic Lily’s large-scale email campaign to help organizations defend their networks.