Common Information
Type | Value
---|---
Value | EXOTIC LILY
Category | Actor
Type | Threat-Actor
Misp Type | Cluster
Description | EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and the deployment of human-operated ransomware such as Conti and Diavol. In early September 2021, the group was observed exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigation led researchers to believe that they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike). This threat actor deploys tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, such as spoofing companies and employees as a means of gaining the trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little to no automation. Additionally, and rather uniquely, they leverage legitimate file-sharing services such as WeTransfer, TransferNow and OneDrive to deliver the payload, namely BUMBLEBEE and BAZARLOADER, further evading detection mechanisms. This level of human interaction is rather unusual for cyber crime groups focused on mass-scale operations.
Details | CTI | Published | Attributes | Title
---|---|---|---|---
Details | Website | 2024-08-13 | 21 | Common Malware Loaders - ReliaQuest
Details | Website | 2024-08-12 | 7 | Bumblebee Loader
Details | Website | 2023-09-15 | 11 | Tracking Adversaries: Akira, another descendent of Conti
Details | Website | 2023-03-15 | 0 | Email Threats: HTML Smuggling on the Dark Web - ReliaQuest
Details | Website | 2023-03-01 | 0 | Growing Cybercrime Outsourcing Model: Initial Access Brokers
Details | Website | 2022-12-16 | 4 | The DPRK delicate sound of cyber
Details | Website | 2022-11-17 | 8 | The Continuity of Conti
Details | Website | 2022-11-07 | 8 | Top Critical Vulnerabilities Used by Ransomware Groups - SOCRadar
Details | Website | 2022-10-03 | 0 | Bumblebee Malware Loader's Payloads Significantly Vary by Victim System
Details | Website | 2022-09-05 | 33 | From BumbleBee to Cobalt Strike: Steps of a BumbleBee intrusion - Darktrace Blog
Details | Website | 2022-08-25 | 4 | Oktapus campaign. Exotic Lily's Bumblebee Loader. DNS traffic insights. DHS shutters disinfo board. Hybrid war at six months.
Details | Website | 2022-08-24 | 10 | Bumblebee Malware: Deep Instinct Prevents Attack Pre-Execution \| Deep Instinct
Details | Website | 2022-08-18 | 0 | Hackers Using Bumblebee Loader to Compromise Active Directory Services
Details | Website | 2022-08-08 | 143 | BumbleBee Roasts Its Way to Domain Admin
Details | Website | 2022-08-03 | 16 | Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
Details | Website | 2022-04-28 | 1 | New Bumblebee malware replaces Conti's BazarLoader in cyberattacks
Details | Website | 2022-04-14 | 34 | Orion Threat Alert: Flight of the BumbleBee - Cynet
Details | Website | 2022-03-17 | 33 | Exposing initial access broker with ties to Conti
Details | Website | 2022-03-15 | 619 | What Wicked Webs We Un-weave - Prevailion
Details | Website | 2022-01-01 | 2 | Cloudzy With a Chance of Global Cybercrime \| Cyware Hacker News
Details | Website | 2021-09-16 | 5 | Windows MSHTML 0-Day Exploited to Deploy Cobalt Strike Beacon in Targeted Attacks
Details | Website | 2021-09-15 | 11 | Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability - Microsoft Security Blog
Details | Website | 2021-01-01 | 0 | New Email Threats by Exotic Lily \| Cyware Hacker News