Google’s Threat Analysis Group (TAG) discovered an initial access broker dubbed “EXOTIC LILY” exclusively working for ransomware gangs.
The group, which Google had detected exploiting Microsoft MSHTML zero-day vulnerability CVE-2021-40444, employed spear-phishing tactics to target potential victims.
In a single day, Google researchers detected the threat actor sending more than 5,000 phishing emails to 650 organizations.
According to Google, EXOTIC LILY obtains and sells access to ransomware gangs for financial gain.
Initial access broker EXOTIC LILY works for Russian ransomware gangs
Google noted that initial access broker EXOTIC LILY works for Russian ransomware gangs, including WIZARD SPIDER.
“We believe the shift to deliver BazarLoader, along with some other indicators such as a unique Cobalt Strike profile (described by RiskIQ) further confirms the existence of a relationship between EXOTIC LILY and actions of a Russian cybercrime group tracked as WIZARD SPIDER (CrowdStrike), FIN12 (Mandiant, FireEye) and DEV-0193 (Microsoft),” Google wrote.
The initial access broker also closely works with human-operated Conti and Diavol ransomware gangs.
Being a Ransomware-as-a-Service (RaaS) provider, Conti has close relationships with other ransomware gangs and malware groups like TrickBot, Anchor, and BazarBackdoor. Ultimately, this relationship benefits more ransomware gangs than documented by Google.
“While the nature of those relationships (with other groups) remains unclear, EXOTIC LILY seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors,” Google said.
The initial access broker has also diversified its potential victim pool. Google says the group initially targeted IT, cybersecurity, and healthcare, but now indiscriminately targets all organizations.
Initial access broker creates and exploits employee trust
Google documented Exotic Lily’s phishing activities which leverage employee trust. The group creates trust by spoofing employees and organizations with fake identities.
The process begins by registering a spoofed domain closely resembling the legitimate one. Usually, the spoofing process involves changing the TLD of the target organization from, for example, ‘.com’ to ‘.us’, ‘.co’ or ‘.biz’.
Additionally, the threat actor creates fake profiles impersonating real employees of reputable organizations. They scour the social media, LinkedIn Profiles, and business databases for the targeted employees’ personal and professional information. Lastly, they complete the fake profile by uploading an AI-generated profile picture.
Next, the initial access broker creates a business email such as employee@company.us and acquires the target’s email through contact forms or OSINT.
The next step involves sending a phishing email and creating trust by discussing a business proposal like outsourcing a software or security project. Sometimes they schedule a meeting to discuss the project’s requirements.
Finally, the initial access broker leverages public file-sharing services such as TransferNow, TransferXL, WeTransfer, or OneDrive to deliver a BazarLoader or a custom loader payload. They ensure that the notification email originates from the file transfer service to avoid raising suspicion.
Once executed, the loader delivers the Bumblebee malware that collects system information via WMI. It exfiltrates the information to the command-and-control (C2) servers in JSON format. In return, the malware receives a list of supported tasks to execute on the host.
Google says the threat actors work from a Central or Eastern European timezone, apply little to no automation, and have 9-to-5 jobs based on their limited activity on weekends.
Their work schedule contrasts sharply with that of the ransomware gangs that are usually active during weekends and holidays when security teams are out of the office.
However, some ransomware gangs like Conti have also adopted the business model and paid their hackers a salary.
Despite working closely with Russian ransomware gangs, Google says that the primary motivation of the EXOTIC LILY initial access broker was financial gain.

