MITRE ATT&CK - Преступная группа EXOTIC LILY

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

EXOTIC LILY

EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.(Citation: Google EXOTIC LILY March 2022)

ID: G1011

Associated Groups:

Version: 1.0

Created: 18 Aug 2022

Last Modified: 24 Oct 2022

Name	Description
Associated Group Descriptions

Domain	ID		Name	Use
Techniques Used
Enterprise	T1583	.001	Acquire Infrastructure: Domains	EXOTIC LILY has registered domains to spoof targeted organizations by changing the top-level domain (TLD) to “.us”, “.co” or “.biz”.(Citation: Google EXOTIC LILY March 2022)
Enterprise	T1585	.001	Establish Accounts: Social Media Accounts	EXOTIC LILY has established social media profiles to mimic employees of targeted companies.(Citation: Google EXOTIC LILY March 2022)
		.002	Establish Accounts: Email Accounts	EXOTIC LILY has created e-mail accounts to spoof targeted organizations.(Citation: Google EXOTIC LILY March 2022)
Enterprise	T1589	.002	Gather Victim Identity Information: Email Addresses	EXOTIC LILY has gathered targeted individuals' e-mail addresses through open source research and website contact forms.(Citation: Google EXOTIC LILY March 2022)
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	EXOTIC LILY conducted an e-mail thread-hijacking campaign with malicious ISO attachments.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)
		.002	Phishing: Spearphishing Link	EXOTIC LILY has relied on victims to open malicious links in e-mails for execution.(Citation: Google EXOTIC LILY March 2022)
		.003	Phishing: Spearphishing via Service	EXOTIC LILY has used the e-mail notification features of legitimate file sharing services for spearphishing.(Citation: Google EXOTIC LILY March 2022)
Enterprise	T1593	.001	Search Open Websites/Domains: Social Media	EXOTIC LILY has copied data from social media sites to impersonate targeted individuals.(Citation: Google EXOTIC LILY March 2022)
Enterprise	T1608	.001	Stage Capabilities: Upload Malware	EXOTIC LILY has uploaded malicious payloads to file-sharing services including TransferNow, TransferXL, WeTransfer, and OneDrive.(Citation: Google EXOTIC LILY March 2022)
Enterprise	T1204	.001	User Execution: Malicious Link	EXOTIC LILY has used malicious links to lure users into executing malicious payloads.(Citation: Google EXOTIC LILY March 2022)
		.002	User Execution: Malicious File	EXOTIC LILY has gained execution through victims clicking on malicious LNK files contained within ISO files, which can execute hidden DLLs within the ISO.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)

ID	Name	References	Techniques
Software
S1039	Bumblebee	(Citation: Google EXOTIC LILY March 2022) (Citation: Proofpoint Bumblebee April 2022) (Citation: Symantec Bumblebee June 2022)	System Information Discovery, System Owner/User Discovery, Windows Management Instrumentation, Exfiltration Over C2 Channel, Windows Command Shell, System Checks, Deobfuscate/Decode Files or Information, Dynamic-link Library Injection, Archive Collected Data, Time Based Evasion, Odbcconf, Data from Local System, Security Software Discovery, Asynchronous Procedure Call, Visual Basic, Web Service, Virtualization/Sandbox Evasion, Ingress Tool Transfer, Fallback Channels, Spearphishing Link, Standard Encoding, Rundll32, Match Legitimate Name or Location, Process Injection, Native API, Obfuscated Files or Information, Shared Modules, Query Registry, Symmetric Cryptography, Bypass User Account Control, Process Discovery, Malicious Link, Spearphishing Attachment, Scheduled Task, Malicious File, PowerShell, Component Object Model, Debugger Evasion, File Deletion
S0534	Bazar	(Citation: CrowdStrike Wizard Spider October 2020) (Citation: Cybereason Bazar July 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: Google EXOTIC LILY March 2022) (Citation: KEGTAP) (Citation: NCC Group Team9 June 2020) (Citation: Team9)	File and Directory Discovery, Domain Trust Discovery, Asymmetric Cryptography, Domain Account, Remote System Discovery, Malicious Link, Network Share Discovery, Process Injection, BITS Jobs, Windows Command Shell, PowerShell, Obfuscated Files or Information, Security Software Discovery, Virtualization/Sandbox Evasion, Process Doppelgänging, Clear Persistence, Disable or Modify Tools, Indicator Removal, Data from Local System, Dynamic API Resolution, System Language Discovery, System Time Discovery, Process Discovery, Multi-Stage Channels, Query Registry, Match Legitimate Name or Location, Software Discovery, Symmetric Cryptography, Winlogon Helper DLL, Masquerade Task or Service, System Network Configuration Discovery, Time Based Evasion, System Owner/User Discovery, Code Signing, File Deletion, Fallback Channels, Web Protocols, Spearphishing Link, Ingress Tool Transfer, Local Account, Scheduled Task, Web Service, Double File Extension, Deobfuscate/Decode Files or Information, Windows Management Instrumentation, Process Hollowing, Native API, Shortcut Modification, Registry Run Keys / Startup Folder, System Information Discovery, Software Packing, Domain Generation Algorithms

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

EXOTIC LILY

Associated Group Descriptions

Techniques Used

Software

References