Security News > 2022 > March > Google Uncovers 'Initial Access Broker' Working with Conti Ransomware Gang

Google's Threat Analysis Group took the wraps off a new initial access broker that it said is closely affiliated to a Russian cyber crime gang notorious for its Conti and Diavol ransomware operations.

Dubbed Exotic Lily, the financially motivated threat actor has been observed exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform as part of widespread phishing campaigns that involved sending no fewer than 5,000 business proposal-themed emails a day to 650 targeted organizations globally.

Exotic Lily, first spotted in September 2021, is said to have been involved in data exfiltration and deployment of the human-operated Conti and Diavol ransomware strains, both of which share overlaps with the Russian cybercriminal syndicate called Wizard Spider that's also known for operating TrickBot, BazarBackdoor, and Anchor.

Besides using fictitious companies and identities as a means to build trust with the targeted entities, Exotic Lily has leveraged legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver BazarBackdoor payloads in a bid to evade detection mechanisms.

An analysis of the Exotic Lily's communication activity indicates that the threat actors have a "Typical 9-to-5 job" on weekdays and may be possibly working from a Central or an Eastern Europe time zone.

"EXOTIC LILY seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors," the researchers concluded.

News URL

https://thehackernews.com/2022/03/google-uncovers-initial-access-broker.html