Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.


EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.(Citation: Google EXOTIC LILY March 2022)
ID: G1011
Associated Groups: 
Version: 1.0
Created: 18 Aug 2022
Last Modified: 24 Oct 2022

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

EXOTIC LILY has registered domains to spoof targeted organizations by changing the top-level domain (TLD) to “.us”, “.co” or “.biz”.(Citation: Google EXOTIC LILY March 2022)

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

EXOTIC LILY has established social media profiles to mimic employees of targeted companies.(Citation: Google EXOTIC LILY March 2022)

.002 Establish Accounts: Email Accounts

EXOTIC LILY has created e-mail accounts to spoof targeted organizations.(Citation: Google EXOTIC LILY March 2022)

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

EXOTIC LILY has gathered targeted individuals' e-mail addresses through open source research and website contact forms.(Citation: Google EXOTIC LILY March 2022)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

EXOTIC LILY conducted an e-mail thread-hijacking campaign with malicious ISO attachments.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)

.002 Phishing: Spearphishing Link

EXOTIC LILY has relied on victims to open malicious links in e-mails for execution.(Citation: Google EXOTIC LILY March 2022)

.003 Phishing: Spearphishing via Service

EXOTIC LILY has used the e-mail notification features of legitimate file sharing services for spearphishing.(Citation: Google EXOTIC LILY March 2022)

Enterprise T1593 .001 Search Open Websites/Domains: Social Media

EXOTIC LILY has copied data from social media sites to impersonate targeted individuals.(Citation: Google EXOTIC LILY March 2022)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

EXOTIC LILY has uploaded malicious payloads to file-sharing services including TransferNow, TransferXL, WeTransfer, and OneDrive.(Citation: Google EXOTIC LILY March 2022)

Enterprise T1204 .001 User Execution: Malicious Link

EXOTIC LILY has used malicious links to lure users into executing malicious payloads.(Citation: Google EXOTIC LILY March 2022)

.002 User Execution: Malicious File

EXOTIC LILY has gained execution through victims clicking on malicious LNK files contained within ISO files, which can execute hidden DLLs within the ISO.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)


ID Name References Techniques
S1039 Bumblebee (Citation: Google EXOTIC LILY March 2022) (Citation: Proofpoint Bumblebee April 2022) (Citation: Symantec Bumblebee June 2022) System Information Discovery, System Owner/User Discovery, Windows Management Instrumentation, Exfiltration Over C2 Channel, Windows Command Shell, System Checks, Deobfuscate/Decode Files or Information, Dynamic-link Library Injection, Archive Collected Data, Time Based Evasion, Odbcconf, Data from Local System, Security Software Discovery, Asynchronous Procedure Call, Visual Basic, Web Service, Virtualization/Sandbox Evasion, Ingress Tool Transfer, Fallback Channels, Spearphishing Link, Standard Encoding, Rundll32, Match Legitimate Name or Location, Process Injection, Native API, Obfuscated Files or Information, Shared Modules, Query Registry, Symmetric Cryptography, Bypass User Account Control, Process Discovery, Malicious Link, Spearphishing Attachment, Scheduled Task, Malicious File, PowerShell, Component Object Model, Debugger Evasion, File Deletion
S0534 Bazar (Citation: CrowdStrike Wizard Spider October 2020) (Citation: Cybereason Bazar July 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: Google EXOTIC LILY March 2022) (Citation: KEGTAP) (Citation: NCC Group Team9 June 2020) (Citation: Team9) File and Directory Discovery, Domain Trust Discovery, Asymmetric Cryptography, Domain Account, Remote System Discovery, Malicious Link, Network Share Discovery, Process Injection, BITS Jobs, Windows Command Shell, PowerShell, Obfuscated Files or Information, Security Software Discovery, Virtualization/Sandbox Evasion, Process Doppelgänging, Clear Persistence, Disable or Modify Tools, Indicator Removal, Data from Local System, Dynamic API Resolution, System Language Discovery, System Time Discovery, Process Discovery, Multi-Stage Channels, Query Registry, Match Legitimate Name or Location, Software Discovery, Symmetric Cryptography, Winlogon Helper DLL, Masquerade Task or Service, System Network Configuration Discovery, Time Based Evasion, System Owner/User Discovery, Code Signing, File Deletion, Fallback Channels, Web Protocols, Spearphishing Link, Ingress Tool Transfer, Local Account, Scheduled Task, Web Service, Double File Extension, Deobfuscate/Decode Files or Information, Windows Management Instrumentation, Process Hollowing, Native API, Shortcut Modification, Registry Run Keys / Startup Folder, System Information Discovery, Software Packing, Domain Generation Algorithms

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.