The TTPs of Conti’s initial access broker

Automation might be the way to go for many things, but a recently published report by Google’s Threat Analysis Group (TAG) shows why targeted phishing campaigns performed by human operators are often successful, and how the Conti ransomware gang excels at targeting organizations with the help of an initial access broker.

Exotic Lily: A threat actor specializing in gaining initial access into organizations

TAG researchers Vlad Stolyarov and Benoit Sevens have delineated the tactics, techniques and procedures (TTPs) used by an initial access broker (IAB) they dubbed Exotic Lily.

Their (very consistent) modus operandi starts with registering a domain that looks like that of an existing organization – e.g., company.us (or .co, .biz, etc.) to spoof company.com.

Next they create an email account purportedly belonging to an employee of the company (employee@company.us), and use that email to contact an employee at the target organization.

“Using spoofed email accounts, attackers would then send spear phishing emails under the pretext of a business proposal, such as seeking to outsource a software development project or an information security service,” TAG analysts explained.

After a few exchanged emails discussing business, they would upload a malicious payload to a public file-sharing service such as TransferNow, TransferXL, WeTransfer or OneDrive, and use the service’s built-in email notification feature to share the file with the target.

It’s easy to see why this approach is so successful:

• Most employees are busy and many will not notice that emails are sent from spoofed domains (as they look very much like the real thing)
• Customized phishing emails created by humans are more credible and inspire more trust than those based on templates, sent automatically based on detected keywords in the sender’s reply
• Emails sent by legitimate services with links to malicious payloads hosted at legitimate services are less likely be detected and flagged as malicious by email security defenses

Once the targets download and run the malicious loaders or backdoors posing as innocuous documents, the malware collects and sends system information to a C2 server and waits for instructions to execute shellcode and drop and run executable files (most recently: Cobalt Strike payloads).

Connection with Conti and Diavol

“Although the group came to our attention initially due to its use of documents containing an exploit for CVE-2021-40444, they later switched to the delivery of ISO files with hidden BazarLoader DLLs and LNK shortcuts. These samples have some indicators that suggest they were custom-built to be used by the group,” the analysts shared.

These and other indicators point to a connection between this initial access broker and threat actors pushing the human-operated Conti and Diavol ransomware, though the analysts believe they are specialized, separate entities.

“A breakdown of the actor’s communication activity shows the operators are working a fairly typical 9-to-5 job, with very little activity during the weekends. Distribution of the actor’s working hours suggest they might be working from a Central or an Eastern Europe timezone,” the analysts noted.

“At the peak of EXOTIC LILY’s activity, we estimate they were sending more than 5,000 emails a day, to as many as 650 targeted organizations globally. Up until November 2021, the group seemed to be targeting specific industries such as IT, cybersecurity and healthcare, but as of late we have seen them attacking a wide variety of organizations and industries, with less specific focus.”