EXOTIC LILY

EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.[1]

ID: G1011
Contributors: Phill Taylor, BT Security
Version: 1.0
Created: 18 August 2022
Last Modified: 16 April 2025

Techniques Used

Domain | ID | Name | Use

Enterprise | T1583.001 | Acquire Infrastructure: Domains

EXOTIC LILY has registered domains to spoof targeted organizations by changing the top-level domain (TLD) to ".us", ".co" or ".biz".[1]
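The TLD-swap described above is cheap for an attacker and easy to screen for on the receiving side. The following Python is an added example written for this page, not code from MITRE ATT&CK or any cited report: it builds the ".us", ".co" and ".biz" look-alike variants of a protected organization's domains and flags inbound sender addresses whose domain matches one. The protected domains and the sample sender addresses are constructed for the demonstration; the TLD list comes from the technique description and should be extended per environment.

```python
# Added example: flag e-mail senders whose domain is a TLD-swapped look-alike
# of a protected organization domain (the pattern ATT&CK attributes to EXOTIC
# LILY: same second-level label, TLD changed to .us, .co or .biz).

# Constructed for the demo: the organization's own registrable domains.
PROTECTED_DOMAINS = {"example.com", "contoso.org"}

# TLDs named in the technique description; add others seen in your telemetry.
SUSPECT_TLDS = ("us", "co", "biz")


def registrable_name(domain):
    """Return (second-level label, tld) for a host name, or None if malformed.

    Only single-label public suffixes are handled here; 'example.co.uk' would
    be split as ('co', 'uk'), so a public-suffix list is needed for those.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[-2], labels[-1]


def lookalike_variants(domain):
    """All TLD-swapped variants of one protected domain (excluding itself)."""
    parts = registrable_name(domain)
    if parts is None:
        return set()
    sld, tld = parts
    return {f"{sld}.{t}" for t in SUSPECT_TLDS if t != tld}


def build_lookalike_index(protected):
    """Map each look-alike variant back to the protected domain it imitates."""
    index = {}
    for legit in protected:
        for variant in lookalike_variants(legit):
            index[variant] = legit
    return index


def sender_domain(address):
    """Extract the domain from 'user@host' or 'Name <user@host>'."""
    return address.rsplit("@", 1)[-1].lower().strip("> ")


def flag_senders(addresses, protected=PROTECTED_DOMAINS):
    """Return (address, imitated_domain) for every sender on a look-alike domain.

    Subdomains are collapsed to the registrable name, so 'mail.example.co'
    is matched against the 'example.co' variant.
    """
    index = build_lookalike_index(protected)
    hits = []
    for addr in addresses:
        dom = sender_domain(addr)
        parts = registrable_name(dom)
        if parts is None:
            continue
        key = f"{parts[0]}.{parts[1]}"
        if key in index:
            hits.append((addr, index[key]))
    return hits


# Constructed sample senders: two legitimate, three look-alikes, one unrelated.
SAMPLE_SENDERS = [
    "jane.doe@example.com",
    "Jane Doe <jane.doe@example.us>",
    "hr@contoso.biz",
    "noreply@mail.example.co",
    "bob@unrelated.co",
    "it-support@contoso.org",
]


def demo():
    """Run the screen over the constructed sample and return the hits."""
    return flag_senders(SAMPLE_SENDERS)


if __name__ == "__main__":
    for addr, imitated in demo():
        print(f"look-alike sender {addr!r} imitates {imitated}")
```

The index is built once and lookups are a dictionary hit, so the check is cheap enough to run on every inbound message at a mail gateway. For real deployments, resolve registrable names with a public-suffix list rather than the two-label split used here, and pair this with the DMARC result so that an exact-match sender that fails alignment is also surfaced.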

Enterprise | T1585.001 | Establish Accounts: Social Media Accounts

EXOTIC LILY has established social media profiles to mimic employees of targeted companies.[1]

Enterprise | T1585.002 | Establish Accounts: Email Accounts

EXOTIC LILY has created e-mail accounts to spoof targeted organizations.[1]

Enterprise | T1203 | Exploitation for Client Execution

EXOTIC LILY has used malicious documents containing exploits for CVE-2021-40444 affecting Microsoft MSHTML.[1]

Enterprise | T1589.002 | Gather Victim Identity Information: Email Addresses

EXOTIC LILY has gathered targeted individuals' e-mail addresses through open source research and website contact forms.[1]

Enterprise | T1566.001 | Phishing: Spearphishing Attachment

EXOTIC LILY conducted an e-mail thread-hijacking campaign with malicious ISO attachments.[1][2]

Enterprise | T1566.002 | Phishing: Spearphishing Link

EXOTIC LILY has relied on victims to open malicious links in e-mails for execution.[1]

Enterprise | T1566.003 | Phishing: Spearphishing via Service

EXOTIC LILY has used the e-mail notification features of legitimate file sharing services for spearphishing.[1]

Enterprise | T1597 | Search Closed Sources

EXOTIC LILY has searched for information on targeted individuals on business databases including RocketReach and CrunchBase.[1]

Enterprise | T1593.001 | Search Open Websites/Domains: Social Media

EXOTIC LILY has copied data from social media sites to impersonate targeted individuals.[1]

Enterprise | T1594 | Search Victim-Owned Websites

EXOTIC LILY has used contact forms on victim websites to generate phishing e-mails.[1]

Enterprise | T1608.001 | Stage Capabilities: Upload Malware

EXOTIC LILY has uploaded malicious payloads to file-sharing services including TransferNow, TransferXL, WeTransfer, and OneDrive.[1]

Enterprise | T1204.001 | User Execution: Malicious Link

EXOTIC LILY has used malicious links to lure users into executing malicious payloads.[1]

Enterprise | T1204.002 | User Execution: Malicious File

EXOTIC LILY has gained execution through victims clicking on malicious LNK files contained within ISO files, which can execute hidden DLLs within the ISO.[1][2]

Enterprise | T1102 | Web Service

EXOTIC LILY has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payloads.[1]

Software

ID | Name | References | Techniques

S0534 | Bazar | [1] | Account Discovery: Domain Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, BITS Jobs, Boot or Logon Autostart Execution: Winlogon Helper DLL, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data from Local System, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Dynamic Resolution: Domain Generation Algorithms, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Indicator Removal: Clear Persistence, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, Masquerading: Masquerade Task or Service, Masquerading: Double File Extension, Multi-Stage Channels, Native API, Network Share Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information: Software Packing, Phishing: Spearphishing Link, Process Discovery, Process Injection, Process Injection: Process Doppelgänging, Process Injection: Process Hollowing, Query Registry, Remote System Discovery, Scheduled Task/Job: Scheduled Task, Software Discovery: Security Software Discovery, Software Discovery, Subvert Trust Controls: Code Signing, System Information Discovery, System Location Discovery: System Language Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery, User Execution: Malicious Link, Virtualization/Sandbox Evasion, Virtualization/Sandbox Evasion: Time Based Checks, Web Service, Windows Management Instrumentation

S1039 | Bumblebee | [1] | Abuse Elevation Control Mechanism: Bypass User Account Control, Archive Collected Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, Data from Local System, Debugger Evasion, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Fallback Channels, Indicator Removal: File Deletion, Ingress Tool Transfer, Inter-Process Communication: Component Object Model, Masquerading: Match Legitimate Resource Name or Location, Native API, Obfuscated Files or Information, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Asynchronous Procedure Call, Process Injection, Query Registry, Scheduled Task/Job: Scheduled Task, Shared Modules, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Odbcconf, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, User Execution: Malicious Link, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks, Virtualization/Sandbox Evasion: Time Based Checks, Virtualization/Sandbox Evasion, Web Service, Windows Management Instrumentation
