This week, Google’s Threat Analysis Group exposed the operations of the EXOTIC LILY threat group, which is believed to be an initial access broker linked to the Conti and Diavol ransomware operations. The group was first spotted exploiting a zero-day vulnerability in Microsoft MSHTML; further investigation determined that it was running large-scale phishing campaigns to target and breach corporate networks, with the resulting access sold on to ransomware gangs and other threat actor groups.
Based on observations of the threat group, it has been determined that they are involved with the Conti ransomware gang, as they were observed deploying the BazarLoader malware on victims’ networks through download links on popular file transfer sites such as WeTransfer or OneDrive. Their attack chain seems to follow a strict order: registering a spoofed domain, using it to send emails, building a relationship with the target, and finally sharing a payload via a file-hosting service. They have also been seen creating fake LinkedIn accounts in which they claim to work for the organisation they are spoofing, using AI-generated images or images stolen from real employees to make the fake accounts more convincing.
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.