BazarLoader & Exotic Lily Analysis
In September 2021, Google TAG researchers discovered a financially motivated threat actor, Exotic Lily. The group was exploiting a zero-day in Microsoft's MSHTML (CVE-2021-40444). Exotic Lily is an initial access broker (IAB): it specializes in breaching a company and then selling that access to the highest bidder, and among the parties bidding for it were the Conti and Diavol ransomware groups. To breach companies, Exotic Lily was observed running mass emailing/spoofing campaigns (5000+ emails per day) against more than 600 companies. It shifted its focus from IT, healthcare, and cybersecurity companies to a broader spectrum of targets. Exotic Lily shows an unusual level of human interaction while running these campaigns. Based on the group's working hours, it can be concluded that the group operates from the Eastern/Central European region.
Exotic Lily is also known by these names:
- Wizard Spider by Crowdstrike
- DEV-0193 by Microsoft
- FIN12 by Mandiant
The MITRE ATT&CK TTPs used by the threat actor:
- Initial Access (TA0001)
  - Phishing (T1566)
    - Spearphishing Attachment (T1566.001)
- Execution (TA0002)
  - User Execution (T1204)
    - Malicious File (T1204.002)
  - Windows Management Instrumentation (T1047)
  - Command and Scripting Interpreter (T1059)
    - Windows Command Shell (T1059.003)
- Privilege Escalation (TA0004)
  - Exploitation for Privilege Escalation (T1068)
- Exfiltration (TA0010)
  - Exfiltration Over C2 Channel (T1041)
Sample: BazarLoader ISO.iso
SHA256: 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269
Mounting the ISO file gives us two files.
Sample: Attachments.lnk
SHA256: 6497223d35530f2e510382aa1866b83ffaf215213b8080b7ecb299b6e7e3e6b1
At first the Attachments file looks like an ordinary shortcut, nothing wrong, huh? When we opened the shortcut's properties, the Target field held the following command:
C:\Windows\System32\cmd.exe /c xcopy /y DumpStack.log c:\programdata && C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload && exit
Processes that were started after clicking the Attachments.lnk file:
cmd /c C:\Users\user\AppData\Local\Temp\Attachments.lnk
"C:\Windows\System32\cmd.exe" /c xcopy /y DumpStack.log c:\programdata && C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload && exit
xcopy /y DumpStack.log c:\programdata
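The chain above (a shortcut spawning cmd.exe, xcopy staging a ".log" file into ProgramData, and rundll32 executing that file by export name) is easy to pick out of process-creation telemetry. The following is an added detection example written for this post, not code from the original analysis; the events it scores are constructed to mirror the command lines shown above, and the severity levels are an assumption of the example.

```python
import re

# Constructed process-creation events (not real telemetry); the command lines
# mirror the Attachments.lnk -> cmd.exe -> xcopy -> rundll32 chain shown above.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c xcopy /y DumpStack.log c:\programdata'
                r' && C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload && exit'},
    {"image": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r"xcopy /y DumpStack.log c:\programdata"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload"},
    # Benign control: rundll32 loading a genuine DLL by export name.
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# Extensions rundll32 is normally handed; a ".log" module is the tell here.
DLL_EXTS = (".dll", ".ocx", ".cpl", ".ax")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s",]+)"?\s*,\s*(\S+)', re.IGNORECASE)
XCOPY_RE = re.compile(r'xcopy\s+(?:/\S+\s+)*(\S+)\s+[a-z]:\\programdata', re.IGNORECASE)


def score_cmdline(cmdline):
    """Return {"severity", "findings"} for one command line (severity scale is assumed)."""
    findings = []
    staged = {m.group(1).split("\\")[-1].lower() for m in XCOPY_RE.finditer(cmdline)}
    severity = "low" if staged else "none"
    for module, export in RUNDLL_RE.findall(cmdline):
        base = module.split("\\")[-1].lower()
        if not base.endswith(DLL_EXTS):
            findings.append(f"rundll32 loads non-DLL module {module} via export {export}")
            severity = "medium"
        if base in staged:  # the same command line stages the file and then executes it
            findings.append(f"rundll32 runs the file xcopy just staged in ProgramData: {base}")
            severity = "high"
    if staged:
        findings.append(f"xcopy staged into ProgramData: {sorted(staged)}")
    return {"severity": severity, "findings": findings}


def triage(events):
    """Score every event and return those worth an analyst's attention."""
    hits = []
    for ev in events:
        result = score_cmdline(ev["cmdline"])
        if result["severity"] != "none":
            hits.append({"image": ev["image"], **result})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["severity"].upper(), hit["image"], hit["findings"])
```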
Sample: DumpStack.log
SHA256: 4bc9368951402ceeeb84da58c82e02a4ea9e09f5a4425daf5094ea5d87a14e9a
Compiler time stamp: Tue Jan 18 13:47:09 2022 UTC
Running the file command on DumpStack.log shows that, despite its name, it is a Windows executable (a 64-bit DLL).
file DumpStack.log
DumpStack.log: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Exports of the PE file as shown by pestudio:
- FRdCdoy8j
- LcG8EAd0FAZYIxP
- spload (the export invoked through rundll32 by the shortcut's command)
- wsscUWQIzudQGV
- zzKKJMT02C
IP addresses contacted by the malware while DumpStack.log was executing:
23.81.246[.]187 185.52.0[.]55 89.163.140[.]67 198.50.135[.]212 45.76.254[.]23 107.174.68[.]120 194.36.144[.]87 51.89.88[.]77 95.217.190[.]236
Domain connections made by the malware:
3conlfex[.]com avrobio[.]co elemblo[.]com phxmfg[.]co modernmeadow[.]co lsoplexis[.]com craneveyor[.]us faustel[.]us lagauge[.]us missionbio[.]us richllndmetals[.]com kvnational[.]us prmflltration[.]com brightlnsight[.]co belcolnd[.]com awsblopharma[.]com amevida[.]us revergy[.]us al-ghurair[.]us opontia[.]us bluehail[.]bazar whitestorm9p[.]bazar reddew28c[.]bazar
BazarLoader ISO samples:
5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269 c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7
Recent BUMBLEBEE ISO samples:
9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32 6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8 201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9 1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd 01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225
VirusTotal graph summarizing the malware:
References
- https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider
- https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/
- https://www.virustotal.com/gui/collection/55ef10a1ff5363ec2272ba135e7974fcfda7fc7989e84e65dfb76797a165c3f5
Prevent Ransomware with BreachSeeker & Threat Vulnerability Management
VerSprite's Threat Intelligence Group provides organizations with real-time threat monitoring, analysis, prevention recommendations, and mitigation. Our elite team works with companies across all industries and security maturity levels to defend against threats. For more information on VerSprite's Threat Intel Group or our botnet detection service, BreachSeeker, contact one of our security advisers today.