Google’s threat intelligence team has uncovered a financially motivated attacker acting as a go-between for Russian hackers, including the Conti ransomware gang.
The group, which Google tracks as "Exotic Lily," acts as an initial access broker: it finds vulnerable organizations and sells access to their networks to the highest bidder. By outsourcing initial access to the victim's network, ransomware gangs like Conti can focus on the later stages of the attack.
In Exotic Lily's case, this initial access was gained through email campaigns in which the group impersonated legitimate organizations and their employees through domain and identity spoofing. In most cases, the fake domain was almost identical to the real organization's domain name, with only the top-level domain changed to ".us", ".co", or ".biz". To pass as legitimate employees, Exotic Lily also created social media profiles backed by AI-generated images of human faces.
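The TLD-swap pattern described above is cheap to detect at the mail gateway once you know which domains are genuinely yours or your partners'. The following is an added example written for this page, not code from Google's report or from the group's tooling: it parses constructed From: headers, flags sender domains whose registrable name matches a known domain but whose top-level domain differs, and ranks the ".us", ".co" and ".biz" swaps the article mentions above other swaps. The domain list, mailbox list and header lines are all constructed for the example.

```python
import re

# Constructed allowlist: the domains this hypothetical gateway treats as genuine
# (own tenant plus trusted partners). In production load these from configuration.
KNOWN_DOMAINS = {"example.com", "partner-corp.com"}

# Constructed list of real mailboxes, so an impersonated employee can be named.
KNOWN_MAILBOXES = {"jane.doe@example.com", "bids@partner-corp.com"}

# TLDs the article reports the group favouring; other swaps are still flagged.
FAVOURED_TLDS = {"us", "co", "biz"}

# Matches addr-spec inside a From: header, with or without angle brackets.
EMAIL_RE = re.compile(r"<?([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})>?")


def extract_address(header_line):
    """Return (local_part, domain) lower-cased from a From: line, or None."""
    match = EMAIL_RE.search(header_line)
    if match is None:
        return None
    return match.group(1).lower(), match.group(2).lower()


def split_domain(domain):
    """Return (registrable_label, tld) or None if the domain is malformed.

    Assumption: the registrable name is the label just before the final TLD.
    That is wrong for country-code second-level domains such as .co.uk; a real
    deployment should resolve suffixes with the Public Suffix List instead.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[-2], labels[-1]


def classify_domain(domain):
    """Classify a sender domain relative to the allowlist.

    Verdicts: "legitimate", "tld_swap_favoured", "tld_swap", "unknown", "malformed".
    A pure typosquat (examp1e.com) is deliberately NOT caught here; this rule
    only covers the same-name, different-TLD pattern the article describes.
    """
    if domain in KNOWN_DOMAINS:
        return "legitimate"
    parts = split_domain(domain)
    if parts is None:
        return "malformed"
    name, tld = parts
    for known in KNOWN_DOMAINS:
        known_parts = split_domain(known)
        if known_parts and known_parts[0] == name and known_parts[1] != tld:
            return "tld_swap_favoured" if tld in FAVOURED_TLDS else "tld_swap"
    return "unknown"


def scan_from_headers(lines):
    """Return findings for TLD-swap senders as (address, verdict, impersonated).

    `impersonated` is the real mailbox whose local part the sender reused, or
    None when the local part does not correspond to a known mailbox.
    """
    findings = []
    for line in lines:
        parsed = extract_address(line)
        if parsed is None:
            continue
        local, domain = parsed
        verdict = classify_domain(domain)
        if not verdict.startswith("tld_swap"):
            continue
        impersonated = None
        real_name = split_domain(domain)[0]
        for mailbox in KNOWN_MAILBOXES:
            mbox_local, mbox_domain = mailbox.split("@", 1)
            if mbox_local == local and split_domain(mbox_domain)[0] == real_name:
                impersonated = mailbox
        findings.append((f"{local}@{domain}", verdict, impersonated))
    return findings


# Constructed sample headers (not real traffic) exercising each branch.
SAMPLE_FROM_HEADERS = [
    "From: Jane Doe <jane.doe@example.com>",        # genuine
    "From: Jane Doe <jane.doe@example.us>",         # TLD swap, favoured TLD, impersonates Jane
    "From: Procurement <bids@partner-corp.biz>",    # TLD swap, favoured TLD, impersonates bids@
    "From: Sales <sales@example.net>",              # TLD swap, other TLD
    "From: Vendor <sales@unrelated.org>",           # unrelated sender
    "From: Jane Doe <jane.doe@examp1e.com>",        # typosquat, out of scope for this rule
]

if __name__ == "__main__":
    for finding in scan_from_headers(SAMPLE_FROM_HEADERS):
        print(finding)
```

Run as a script it prints the three flagged senders; in a gateway you would feed it the authenticated header From (after SPF/DKIM/DMARC evaluation) rather than the raw header, since a sender who passes DMARC for a lookalike domain they registered themselves is exactly the case this check is meant to catch.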
The attackers, who Google believes operate out of Central or Eastern Europe based on their working hours, then send phishing emails framed as a business proposal, and deliver the payload through a link to a public file-sharing service such as WeTransfer or Microsoft OneDrive rather than as a direct attachment.
“This level of human interaction is quite unusual for cybercriminal groups targeting large-scale operations,” Google researchers Vlad Stolyarov and Benoit Sevens noted in a blog post shared ahead of publication.
These malicious payloads were initially documents containing an exploit for a then zero-day vulnerability in Microsoft's MSHTML browser engine (tracked as CVE-2021-40444), before the attackers switched to ISO disk images carrying a hidden BazarLoader payload. Google's researchers say this shift further confirms Exotic Lily's ties to the Russian cybercriminal group tracked as Wizard Spider (aka UNC1878), which has been linked to the infamous Ryuk ransomware used since 2018 against businesses, hospitals (including US-based Universal Health Services) and government agencies.
While the nature of this relationship remains unclear, Google says Exotic Lily operates as a separate entity focused on gaining initial access through email campaigns, with the follow-on deployment of the Conti and Diavol ransomware carried out by its partners.
Exotic Lily, first observed in September 2021 and still active, sent more than 5,000 phishing emails per day to as many as 650 targeted organizations at its peak. While the group initially appeared to focus on specific sectors such as IT, cybersecurity and healthcare, it has more recently targeted a wider range of organizations and industries with less specific focus.
Google also published indicators of compromise (IOCs) for Exotic Lily's bulk email campaigns to help organizations defend their networks.