
EXOTIC LILY

EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.(Citation: Google EXOTIC LILY March 2022)
ID: G1011
Associated Groups: 
Version: 1.0
Created: 18 Aug 2022
Last Modified: 16 Apr 2025

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

EXOTIC LILY has registered domains to spoof targeted organizations by changing the top-level domain (TLD) to “.us”, “.co” or “.biz”.(Citation: Google EXOTIC LILY March 2022)
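A defender-side check for the TLD-swap spoofing described above, written as an added example (not code from the ATT&CK page or the cited reports): it flags sender domains that reuse an organisation's registrable label under a different top-level domain. The protected domains and sender addresses are constructed placeholders.

```python
# Added example: detect sender domains that spoof a protected organisation
# domain by swapping only the TLD (e.g. example-corp.com -> example-corp.us).
# PROTECTED_DOMAINS and the sample addresses below are constructed values.
PROTECTED_DOMAINS = {"example-corp.com", "example-health.org"}


def split_domain(domain):
    """Return (registrable_label, tld) for a domain, stripping subdomains.
    Assumes a single-label public suffix; multi-label suffixes such as
    co.uk are not handled by this simplified splitter."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[-2], labels[-1]


def tld_swap_lookalike(sender_domain, protected=PROTECTED_DOMAINS):
    """Return the protected domain being imitated, or None.
    A hit is the same registrable label under a different TLD; the
    organisation's own domain (same label, same TLD) is never a hit."""
    parts = split_domain(sender_domain)
    if parts is None:
        return None
    label, tld = parts
    for legit in protected:
        legit_parts = split_domain(legit)
        if legit_parts is None:
            continue
        legit_label, legit_tld = legit_parts
        if label == legit_label and tld != legit_tld:
            return legit
    return None


def scan_senders(sender_addresses, protected=PROTECTED_DOMAINS):
    """Return [(address, spoofed_domain)] for every address whose domain
    is a TLD-swap lookalike of a protected domain."""
    hits = []
    for addr in sender_addresses:
        if "@" not in addr:
            continue  # not a usable address, skip rather than guess
        domain = addr.rsplit("@", 1)[1]
        spoofed = tld_swap_lookalike(domain, protected)
        if spoofed:
            hits.append((addr, spoofed))
    return hits


if __name__ == "__main__":
    # Constructed sample of inbound sender addresses from a mail log.
    sample = ["hr@example-corp.us", "it@example-corp.com", "ceo@mail.example-health.biz"]
    print(scan_senders(sample))
```

The check is deliberately narrow (exact label, different TLD); a production mail filter would pair it with a public-suffix list and with typo-squat variants that this example does not cover.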

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

EXOTIC LILY has established social media profiles to mimic employees of targeted companies.(Citation: Google EXOTIC LILY March 2022)

.002 Establish Accounts: Email Accounts

EXOTIC LILY has created e-mail accounts to spoof targeted organizations.(Citation: Google EXOTIC LILY March 2022)

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

EXOTIC LILY has gathered targeted individuals' e-mail addresses through open source research and website contact forms.(Citation: Google EXOTIC LILY March 2022)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

EXOTIC LILY conducted an e-mail thread-hijacking campaign with malicious ISO attachments.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)

.002 Phishing: Spearphishing Link

EXOTIC LILY has relied on victims to open malicious links in e-mails for execution.(Citation: Google EXOTIC LILY March 2022)

.003 Phishing: Spearphishing via Service

EXOTIC LILY has used the e-mail notification features of legitimate file sharing services for spearphishing.(Citation: Google EXOTIC LILY March 2022)

Enterprise T1593 .001 Search Open Websites/Domains: Social Media

EXOTIC LILY has copied data from social media sites to impersonate targeted individuals.(Citation: Google EXOTIC LILY March 2022)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

EXOTIC LILY has uploaded malicious payloads to file-sharing services including TransferNow, TransferXL, WeTransfer, and OneDrive.(Citation: Google EXOTIC LILY March 2022)

Enterprise T1204 .001 User Execution: Malicious Link

EXOTIC LILY has used malicious links to lure users into executing malicious payloads.(Citation: Google EXOTIC LILY March 2022)

.002 User Execution: Malicious File

EXOTIC LILY has gained execution through victims clicking on malicious LNK files contained within ISO files, which can execute hidden DLLs within the ISO.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)

Software

ID Name References Techniques
S1039 Bumblebee (Citation: Google EXOTIC LILY March 2022) (Citation: Proofpoint Bumblebee April 2022) (Citation: Symantec Bumblebee June 2022) Scheduled Task, Windows Management Instrumentation, System Owner/User Discovery, Rundll32, Standard Encoding, Shared Modules, Bypass User Account Control, Match Legitimate Resource Name or Location, Malicious File, Symmetric Cryptography, System Checks, Spearphishing Link, Spearphishing Attachment, Component Object Model, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Time Based Evasion, Archive Collected Data, Odbcconf, Asynchronous Procedure Call, Virtualization/Sandbox Evasion, Web Service, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Obfuscated Files or Information, Query Registry, Security Software Discovery, Windows Command Shell, File Deletion, Visual Basic, Debugger Evasion, Ingress Tool Transfer, Malicious Link, Fallback Channels, Dynamic-link Library Injection
S0534 Bazar (Citation: Bazaloader) (Citation: CrowdStrike Wizard Spider October 2020) (Citation: Cybereason Bazar July 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: Google EXOTIC LILY March 2022) (Citation: KEGTAP) (Citation: Microsoft Ransomware as a Service) (Citation: NCC Group Team9 June 2020) (Citation: Team9) Scheduled Task, Windows Management Instrumentation, System Owner/User Discovery, Encrypted/Encoded File, Domain Generation Algorithms, Double File Extension, Match Legitimate Resource Name or Location, Domain Account, Symmetric Cryptography, Local Account, Spearphishing Link, Code Signing, Network Share Discovery, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Shortcut Modification, Time Based Evasion, Winlogon Helper DLL, Process Doppelgänging, System Network Configuration Discovery, Domain Trust Discovery, Indicator Removal, File and Directory Discovery, Masquerade Task or Service, Virtualization/Sandbox Evasion, Web Service, Multi-Stage Channels, Process Discovery, PowerShell, Registry Run Keys / Startup Folder, Disable or Modify Tools, Process Hollowing, Asymmetric Cryptography, System Language Discovery, Query Registry, BITS Jobs, Security Software Discovery, Windows Command Shell, Clear Persistence, File Deletion, Software Packing, Web Protocols, Remote System Discovery, Software Discovery, Ingress Tool Transfer, Dynamic API Resolution, Malicious Link, Fallback Channels, System Time Discovery
