Google has been tracking the activities of commercial spyware vendors for years, and taking steps to protect people. Just last week, Google testified at the EU Parliamentary hearing on “Big Tech and Spyware” about the work we have done to monitor and disrupt this thriving industry.

Seven of the nine zero-day vulnerabilities our Threat Analysis Group discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors. TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.

Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits. This makes the Internet less safe and threatens the trust on which users depend.

Today, alongside Google’s Project Zero, we are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android. We have identified victims located in Italy and Kazakhstan.

Campaign Overview

All campaigns TAG observed originated with a unique link sent to the target. Once clicked, the page attempted to get the user to download and install a malicious application on either Android or iOS. In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity. Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. We believe this is the reason why most of the applications masqueraded as mobile carrier applications. When ISP involvement is not possible, applications are masqueraded as messaging applications.

The page, in Italian, asks the user to install one of these applications in order to recover their account. Looking at the code of the page, we can see that only the WhatsApp download links are pointing to attacker controlled content for Android and iOS users.

iOS Drive-By

To distribute the iOS application, attackers simply followed Apple instructions on how to distribute proprietary in-house apps to Apple devices and used the itms-services protocol with the following manifest file and using com.ios.Carrier as the identifier.

The resulting application is signed with a certificate from a company named 3-1 Mobile SRL (Developer ID: 58UP7GFWAA). The certificate satisfies all of the iOS code signing requirements on any iOS devices because the company was enrolled in the Apple Developer Enterprise Program.

These apps still run inside the iOS app sandbox and are subject to the exact same technical privacy and security enforcement mechanisms (e.g. code side loading) as any App Store apps. They can, however, be sideloaded on any device and don't need to be installed via the App Store. We do not believe the apps were ever available on the App Store.

The app is broken up into multiple parts. It contains a generic privilege escalation exploit wrapper which is used by six different exploits. It also contains a minimalist agent capable of exfiltrating interesting files from the device, such as the Whatsapp database.

The app we analyzed contained the following exploits:

• CVE-2018-4344internally referred to and publicly known as LightSpeed.
• CVE-2019-8605 internally referred to as SockPort2 and publicly known as SockPuppet
• CVE-2020-3837 internally referred to and publicly known as TimeWaste.
• CVE-2020-9907 internally referred to as AveCesare.
• CVE-2021-30883 internally referred to as Clicked2, marked as being exploited in-the-wild by Apple in October 2021.
• CVE-2021-30983 internally referred to as Clicked3, fixed by Apple in December 2021.

All exploits used before 2021 are based on public exploits written by different jailbreaking communities. At the time of discovery, we believe CVE-2021-30883 and CVE-2021-30983were two 0-day exploits. In collaboration with TAG, Project Zero has published the technical analysis of CVE-2021-30983.

Android Drive-By

Installing the downloaded APK requires the victim to enable installation of applications from unknown sources. Although the applications were never available in Google Play, we have notified the Android users of infected devices and implemented changes in Google Play Protect to protect all users.

Android Implant

This analysis is based on fe95855691cada4493641bc4f01eb00c670c002166d6591fe38073dd0ea1d001 that was uploaded to VirusTotal on May 27. We have not identified many differences across versions. This is the same malware family that was described in detail by Lookout on June 16.

The Android app disguises itself as a legitimate Samsung application via its icon:

When the user launches the application, a webview is opened that displays a legitimate website related to the icon.

Upon installation, it requests many permissions via the Manifest file:

The configuration of the application is contained in the res/raw/out resource file. The configuration is encoded with a 105-byte XOR key. The decoding is performed by a native library libvoida2dfae4581f5.so that contains a function to decode the configuration. A configuration looks like the following:

Older samples decode the configuration in the Java code with a shorter XOR key.

The C2 communication in this sample is via Firebase Cloud Messaging, while in other samples, Huawei Messaging Service has been observed in use. A second C2 server is provided for uploading data and retrieving modules.

While the APK itself does not contain any exploits, the code hints at the presence of exploits that could be downloaded and executed. Functionality is present to fetch and run remote modules via the DexClassLoader API. These modules can communicate events to the main app. The names of these events show the capabilities of these modules:

TAG did not obtain any of the remote modules.

Protecting Users

This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need. Basic infection vectors and drive by downloads still work and can be very efficient with the help from local ISPs.

To protect our users, we have warned all Android victims, implemented changes in Google Play Protect and disabled Firebase projects used as C2 in this campaign.

How Google is Addressing the Commercial Spyware Industry

We assess, based on the extensive body of research and analysis by TAG and Project Zero, that the commercial spyware industry is thriving and growing at a significant rate. This trend should be concerning to all Internet users.

These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house. While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians.

Aside from these concerns, there are other reasons why this industry presents a risk to the Internet. While vulnerability research is an important contributor to online safety when that research is used to improve the security of products, vendors stockpiling zero-day vulnerabilities in secret poses a severe risk to the Internet especially if the vendor gets compromised. This has happened to multiple spyware vendors over the past ten years, raising the specter that their stockpiles can be released publicly without warning.

This is why when Google discovers these activities, we not only take steps to protect users, but also disclose that information publicly to raise awareness and help the entire ecosystem, in line with our historical commitment to openness and democratic values.

Tackling the harmful practices of the commercial surveillance industry will require a robust, comprehensive approach that includes cooperation among threat intelligence teams, network defenders, academic researchers, governments and technology platforms. We look forward to continuing our work in this space and advancing the safety and security of our users around the world.

Indicators of Compromise

Sample hashes

• APK available on VirusTotal:
  • e38d7ba21a48ad32963bfe6cb0203afe0839eca9a73268a67422109da282eae3
  • fe95855691cada4493641bc4f01eb00c670c002166d6591fe38073dd0ea1d001
  • 243ea96b2f8f70abc127c8bc1759929e3ad9efc1dec5b51f5788e9896b6d516e
  • a98a224b644d3d88eed27aa05548a41e0178dba93ed9145250f61912e924b3e9
  • c26220c9177c146d6ce21e2f964de47b3dbbab85824e93908d66fa080e13286f
  • 0759a60e09710321dfc42b09518516398785f60e150012d15be88bbb2ea788db
  • 8ef40f13c6192bd8defa7ac0b54ce2454e71b55867bdafc51ecb714d02abfd1a
  • 9146e0ede1c0e9014341ef0859ca62d230bea5d6535d800591a796e8dfe1dff9
  • 6eeb683ee4674fd5553fdc2ca32d77ee733de0e654c6f230f881abf5752696ba

Drive-by download domains

• fb-techsupport[.]com
• 119-tim[.]info
• 133-tre[.]info
• 146-fastweb[.]info
• 155-wind[.]info
• 159-windtre[.]info
• iliad[.]info
• kena-mobile[.]info
• mobilepays[.]info
• my190[.]info
• poste-it[.]info
• ho-mobile[.]online

C2 domains

• project1-c094e[.]appspot[.]com
• fintur-a111a[.]appspot[.]com
• safekeyservice-972cd[.]appspot[.]com
• comxdjajxclient[.]appspot[.]com
• comtencentmobileqq-6ffb5[.]appspot[.]com

C2 IPs

• 93[.]39[.]197[.]234
• 45[.]148[.]30[.]122
• 2[.]229[.]68[.]182
• 2[.]228[.]150[.]86

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q2 2022. It was last updated on June 9, 2022.

April

• We terminated 138 YouTube channels and 2 Ads accounts as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to a Russian consulting firm and was sharing content in Russian that was supportive of Russia’s actions in Ukraine and Russian President Vladimir Putin and critical of NATO, Ukraine, and Ukrainian President Volodymyr Zelenskyy.
• We terminated 44 YouTube channels and 9 Ads accounts as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to the Internet Research Agency (IRA) and was sharing content in Russian, French, Arabic, and Chinese that was supportive of Russia’s 2014 invasion of Crimea and the Wagner Group’s activity in Ukraine and Africa.
• We terminated 6 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. The campaign was linked to Russian state-sponsored entities and was sharing content in Russian that was supportive of pro-Russian activity in Ukraine and critical of Russian opposition politician Alexei Navalny.
• We terminated 3 YouTube channels and 1 AdSense account and blocked 1 domain from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Slovakia and Germany. The campaign was sharing content in Slovak that was supportive of Russian President Vladimir Putin and Russia’s claimed justifications for its invasion of Ukraine. We received leads from Mandiant that supported us in this investigation.
• We terminated 37 YouTube accounts and 1 Ads account and blocked 2 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Costa Rica. The campaign was linked to Noelix Media and was sharing content in Spanish that was critical of Costa Rican and Salvadoran politicians and political parties. Our findings are similar to findings reported by Meta.
• We terminated 1,546 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China and U.S. foreign affairs. These findings are consistent with our previous reports.

To protect our users, Google’s Threat Analysis Group (TAG) routinely hunts for 0-day vulnerabilities exploited in-the-wild. In 2021, we reported nine 0-days affecting Chrome, Android, Apple and Microsoft, leading to patches to protect users from these attacks.

This blog is a follow up to our July 2021 post on four 0-day vulnerabilities we discovered in 2021, and details campaigns targeting Android users with five distinct 0-day vulnerabilities:

• CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003 in Chrome
• CVE-2021-1048 in Android

We assess with high confidence that these exploits were packaged by a single commercial surveillance company, Cytrox, and sold to different government-backed actors who used them in at least the three campaigns discussed below. Consistent with findings from CitizenLab, we assess government-backed actors purchasing these exploits are located (at least) in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia.

The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem. Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits.

Seven of the nine 0-days TAG discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors. TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.

Campaign Deep Dives

All three campaigns delivered one-time links mimicking URL shortener services to the targeted Android users via email. The campaigns were limited — in each case, we assess the number of targets was in the tens of users. Once clicked, the link redirected the target to an attacker-owned domain that delivered the exploits before redirecting the browser to a legitimate website. If the link was not active, the user was redirected directly to a legitimate website. We've seen this technique used against journalists and other unidentified targets, and alerted those users when possible.

We assess that these campaigns delivered ALIEN, a simple Android malware in charge of loading PREDATOR, an Android implant described by CitizenLab in December 2021. ALIEN lives inside multiple privileged processes and receives commands from PREDATOR over IPC. These commands include recording audio, adding CA certificates, and hiding apps.

Campaign #1 - redirecting to SBrowser from Chrome (CVE-2021-38000)

The first campaign, detected in August 2021, used Chrome on a Samsung Galaxy S21 and the web server immediately replied with a HTTP redirect (302) pointing to the following intent URL. This URL abused a logic flaw and forced Chrome to load another URL in the Samsung Browser without user interaction or warnings.

We did not capture the subsequent stages, but assess the attackers did not have exploits for the current version of Chrome (91.0.4472) at that time, but instead used n-day exploits targeting Samsung Browser, which was running an older and vulnerable version of Chromium.

We assess with high confidence this vulnerability was sold by an exploit broker and probably abused by more than one surveillance vendor.

More technical details about this vulnerability are available in this RCA by Maddie Stone.

Related IOCs

• s.bit-li[.]com - landing page
• getupdatesnow[.]xyz - exploit delivery server

Campaign #2 - Chrome sandbox escape (CVE-2021-37973, CVE-2021-37976)

In September 2021, TAG detected a campaign where the exploit chain was delivered to a fully up-to-date Samsung Galaxy S10 running the latest version of Chrome. We recovered the exploit used to escape the Chrome Sandbox, but not the initial RCE exploit.

The sandbox escape was loaded directly as an ELF binary embedding libchrome.so and a custom libmojo_bridge.so was used to ease the communication with the Mojo IPCs. This means the renderer exploit did not enable MojoJS bindings like we often see in public exploits.

Analysis of the exploit identified two different vulnerabilities in Chrome:

• CVE-2021-37973: A use-after-free in the handling of Portals API and Fenced subframes.
• CVE-2021-37976: An information leak in memory_instrumentation.mojom.Coordinator where Global Memory Dumps can be acquired for privileged processes. These dumps include sensitive information (addresses) which can be used for ASLR bypass.

After escaping the sandbox, the exploit downloaded another exploit in /data/data/com.android.chrome/p.so to elevate privileges and install the implant. We haven’t retrieved a copy of the exploit.

Related IOCs

• shorten[.]fi - landing page
• contents-domain[.]com - exploit delivery and C2 server

Campaign #3 - Full Android 0-day exploit chain (CVE-2021-38003, CVE-2021-1048)

In October 2021, we detected a full chain exploit from an up-to-date Samsung phone running the latest version of Chrome.

The chain included two 0-day exploits:

• CVE-2021-38003: A Chrome renderer 0-day in JSON.stringify allowing the attacker to leak TheHole value and fully compromise the renderer.
• CVE-2021-1048: Unlike the previous campaign, the sandbox escape used a Linux kernel bug in the epoll() system call. This system call is reachable from the BPF sandbox and allows the attacker to escape the sandbox and compromise the system by injecting code into privileged processes. More information can be found in this RCA by Jann Horn.

Of note, CVE-2021-1048 was fixed in the Linux kernel in September 2020, over a year before this campaign. The commit was not flagged as a security issue and therefore the patch was not backported in most Android kernels. At the time of the exploit, all Samsung kernels were vulnerable; LTS kernels running on Pixel phones were recent enough and included the fix for this bug. Unfortunately, this is not the first time we have seen this happen with exploits in the wild; the 2019 Bad Binder vulnerability is another example. In both cases, the fix was not flagged as a security issue and thus not backported to all (or any) Android kernels. Attackers are actively looking for and profiting from such slowly-fixed vulnerabilities.

Related IOCs

• shorten[.]fi - landing page
• redirecting[.]page - exploit delivery and C2 server
• 8e4edb1e07ebb86784f65dccb14ab71dfd72f2be1203765b85461e65b7ed69c6 - ALIEN

Conclusion

We’d be remiss if we did not acknowledge the quick response and patching of these vulnerabilities by Google’s Chrome and Android teams. We would also like to thank Project Zero for their technical assistance in helping analyze these bugs. TAG continues to track more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. We remain committed to updating the community as we uncover these campaigns.

Tackling the harmful practices of the commercial surveillance industry will require a robust, comprehensive approach that includes cooperation among threat intelligence teams, network defenders, academic researchers and technology platforms. We look forward to continuing our work in this space and advancing the safety and security of our users around the world.

In early March, Google’s Threat Analysis Group (TAG) published an update on the cyber activity it was tracking with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links.

Financially motivated and criminal actors are also using current events as a means for targeting users. For example, one actor is impersonating military personnel to extort money for rescuing relatives in Ukraine. TAG has also continued to observe multiple ransomware brokers continuing to operate in a business as usual sense.

As always, we continue to publish details surrounding the actions we take against coordinated influence operations in our quarterly TAG bulletin. We promptly identify and remove any such content, but have not observed any significant shifts from the normal levels of activity that occur in the region.

Here is a deeper look at the campaign activity TAG has observed over the past two weeks:

Curious Gorge, a group TAG attributes to China's PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. While this activity largely does not impact Google products, we remain engaged and are providing notifications to victim organizations.

Recently observed IPs used in Curious Gorge campaigns:

• 5.188.108[.]119
• 91.216.190[.]58
• 103.27.186[.]23
• 114.249.31[.]171
• 45.154.12[.]167

COLDRIVER, a Russian-based threat actor sometimes referred to as Calisto, has launched credential phishing campaigns, targeting several US based NGOs and think tanks, the military of a Balkans country, and a Ukraine based defense contractor. However, for the first time, TAG has observed COLDRIVER campaigns targeting the military of multiple Eastern European countries, as well as a NATO Centre of Excellence. These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown. We have not observed any Gmail accounts successfully compromised during these campaigns.

Recently observed COLDRIVER credential phishing domains:

• protect-link[.]online
• drive-share[.]live
• protection-office[.]live
• proton-viewer[.]com

Ghostwriter, a Belarusian threat actor, recently introduced a new capability into their credential phishing campaigns. In mid-March, a security researcher released a blog post detailing a 'Browser in the Browser' phishing technique. While TAG has previously observed this technique being used by multiple government-backed actors, the media picked up on this blog post, publishing several stories highlighting this phishing capability.

Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique, hosting credential phishing landing pages on compromised sites. The new technique, displayed below, draws a login page that appears to be on the passport.i.ua domain, overtop of the page hosted on the compromised site. Once a user provides credentials in the dialog, they are posted to an attacker controlled domain.

Recently observed Ghostwriter credential phishing domains:

• login-verification[.]top
• login-verify[.]top
• ua-login[.]top
• secure-ua[.]space
• secure-ua[.]top

The team continues to work around the clock, focusing on the safety and security of our users and the platforms that help them access and share important information. We’ll continue to take action, identify bad actors and share relevant information with others across industry and governments, with the goal of bringing awareness to these issues, protecting users and preventing future attacks. While we are actively monitoring activity related to Ukraine and Russia, we continue to be just as vigilant in relation to other threat actors globally, to ensure that they do not take advantage of everyone’s focus on this region.

On February 10, Threat Analysis Group discovered two distinct North Korean government-backed attacker groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. These groups' activity has been publicly tracked as Operation Dream Job and Operation AppleJeus.

We observed the campaigns targeting U.S. based organizations spanning news media, IT, cryptocurrency and fintech industries. However, other organizations and countries may have been targeted. One of the campaigns has direct infrastructure overlap with a campaign targeting security researchers which we reported on last year. The exploit was patched on February 14, 2022. The earliest evidence we have of this exploit kit being actively deployed is January 4, 2022.

We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques. It is possible that other North Korean government-backed attackers have access to the same exploit kit.

In this blog, we will walk through the observed tactics, techniques and procedures, share relevant IOCs and analyze the exploit kit used by the attackers. In line with our current disclosure policy, we are providing these details 30 days after the patch release.

Campaign targeting news media and IT companies

The campaign, consistent with Operation Dream Job, targeted over 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors. The targets received emails claiming to come from recruiters at Disney, Google and Oracle with fake potential job opportunities. The emails contained links spoofing legitimate job hunting websites like Indeed and ZipRecruiter.

Victims who clicked on the links would be served a hidden iframe that would trigger the exploit kit.

Attacker-Owned Fake Job Domains:

• disneycareers[.]net
• find-dreamjob[.]com
• indeedus[.]org
• varietyjob[.]com
• ziprecruiters[.]org

Exploitation URLs:

• https[:]//colasprint[.]com/about/about.asp (legitimate but compromised website)
• https[:]//varietyjob[.]com/sitemap/sitemap.asp

Campaign targeting cryptocurrency and Fintech organizations

Another North Korean group, whose activity has been publicly tracked as Operation AppleJeus, targeted over 85 users in cryptocurrency and fintech industries leveraging the same exploit kit. This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors. In other cases, we observed fake websites — already set up to distribute trojanized cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit.

Attacker-Owned Websites:

• blockchainnews[.]vip
• chainnews-star[.]com
• financialtimes365[.]com
• fireblocks[.]vip
• gatexpiring[.]com
• gbclabs[.]com
• giantblock[.]org
• humingbot[.]io
• onlynova[.]org
• teenbeanjs[.]com

Compromised Websites (Feb 7 - Feb 9):

• www.options-it[.]com
• www.tradingtechnologies[.]com

Exploitation URLs:

• https[:]//financialtimes365[.]com/user/finance.asp
• https[:]//gatexpiring[.]com/gate/index.asp
• https[:]//humingbot[.]io/cdn/js.asp
• https[:]//teenbeanjs[.]com/cloud/javascript.asp

Exploit kit overview

The attackers made use of an exploit kit that contained multiple stages and components in order to exploit targeted users. The attackers placed links to the exploit kit within hidden iframes, which they embedded on both websites they owned as well as some websites they compromised.

The kit initially serves some heavily obfuscated javascript used to fingerprint the target system. This script collected all available client information such as the user-agent, resolution, etc. and then sent it back to the exploitation server. If a set of unknown requirements were met, the client would be served a Chrome RCE exploit and some additional javascript. If the RCE was successful, the javascript would request the next stage referenced within the script as “SBX”, a common acronym for Sandbox Escape. We unfortunately were unable to recover any of the stages that followed the initial RCE.

Careful to protect their exploits, the attackers deployed multiple safeguards to make it difficult for security teams to recover any of the stages. These safeguards included:

• Only serving the iframe at specific times, presumably when they knew an intended target would be visiting the site.
• In some email campaigns the targets received links with unique IDs. This was potentially used to enforce a one-time-click policy for each link and allow the exploit kit to only be served once.
• The exploit kit would AES encrypt each stage, including the clients’ responses with a session-specific key.
• Additional stages were not served if the previous stage failed.

Although we recovered a Chrome RCE, we also found evidence where the attackers specifically checked for visitors using Safari on MacOS or Firefox (on any OS), and directed them to specific links on known exploitation servers. We did not recover any responses from those URLs.

Example Exploit Kit:

• 03a41d29e3c9763093aca13f1cc8bcc41b201a6839c381aaaccf891204335685

The attackers made multiple attempts to use the exploit days after the vulnerability was patched on February 14, which stresses the importance of applying security updates as they become available.

Protecting Our Users

As part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further exploitation. We also sent all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity. We encourage any potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated.

TAG is committed to sharing our findings as a way of raising awareness with the security community, and with companies and individuals that might have been targeted or suffered from these activities. We hope that improved understanding of the tactics and techniques will enhance threat hunting capability and lead to stronger user protections across industry.

In early September 2021, Threat Analysis Group (TAG) observed a financially motivated threat actor we refer to as EXOTIC LILY, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigating this group's activity, we determined they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike).

Initial access brokers are the opportunistic locksmiths of the security world, and it’s a full-time job. These groups specialize in breaching a target in order to open the doors—or the Windows—to the malicious actor with the highest bid.

EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. At the peak of EXOTIC LILY’s activity, we estimate they were sending more than 5,000 emails a day, to as many as 650 targeted organizations globally. Up until November 2021, the group seemed to be targeting specific industries such as IT, cybersecurity and healthcare, but as of late we have seen them attacking a wide variety of organizations and industries, with less specific focus.

We have observed this threat actor deploying tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, further evading detection mechanisms. This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations.

Spoofing Organizations and Identities

EXOTIC LILY’s attack chain has remained relatively consistent throughout the time we’ve been tracking the group:

One notable technique is the use of domain and identity spoofing as a way of gaining additional credibility with a targeted organization. In the majority of cases, a spoofed domain name was identical to a real domain name of an existing organization, with the only difference being a change of TLD to “.us”, “.co” or “.biz”.

Initially, the group would create entirely fake personas posing as employees of a real company. That would sometimes consist of creating social media profiles, personal websites and generating a fake profile picture using a public service to create an AI-generated human face. In November 2021, the group began to impersonate real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.

Using spoofed email accounts, attackers would then send spear phishing emails under the pretext of a business proposal, such as seeking to outsource a software development project or an information security service.

Attackers would sometimes engage in further communication with the target by attempting to schedule a meeting to discuss the project's design or requirements.

At the final stage, the attacker would upload the payload to a public file-sharing service (TransferNow, TransferXL, WeTransfer or OneDrive) and then use a built-in email notification feature to share the file with the target, allowing the final email to originate from the email address of a legitimate file-sharing service and not the attacker’s email, which presents additional detection challenges.

Human-Operated Phishing at Scale

Further evidence suggests an operator’s responsibilities might include:

• customizing the initial “business proposal” templates when first reaching out to a targeted organization;
• handling further communications in order to gain affinity and trust;
• uploading malware (acquired from another group) to a file-sharing service prior to sharing it with the target.

A breakdown of the actor’s communication activity shows the operators are working a fairly typical 9-to-5 job, with very little activity during the weekends. Distribution of the actor’s working hours suggest they might be working from a Central or an Eastern Europe timezone.

Malware and Attribution

Although the group came to our attention initially due to its use of documents containing an exploit for CVE-2021-40444, they later switched to the delivery of ISO files with hidden BazarLoader DLLs and LNK shortcuts. These samples have some indicators that suggest they were custom-built to be used by the group. For example, metadata embedded in the LNK shortcuts shows that a number of fields, such as the “Machine Identifier” and “Drive Serial Number” were shared with BazarLoader ISOs distributed via other means, however other fields such as the command line arguments were unique for samples distributed by EXOTIC LILY.

In March, the group continued delivering ISO files, but with a DLL containing a custom loader which is a more advanced variant of a first-stage payload previously seen during CVE-2021-40444 exploitation. The loader can be recognized by its use of a unique user-agent “bumblebee” which both variants share. The malware, hence dubbed BUMBLEBEE, uses WMI to collect various system details such as OS version, user name and domain name, which are then exfiltrated in JSON format to a C2. In response, it expects to receive one of the several supported “tasks”, which include execution of shellcode, dropping and running executable files. At the time of the analysis, BUMBLEBEE was observed to fetch Cobalt Strike payloads.

EXOTIC LILY activities overlap with a group tracked as DEV-0413 (Microsoft) and were also described by Abnormal in their recent post. Earlier reports of attacks exploiting CVE-2021-40444 (by Microsoft and other members of the security community) have also indicated overlaps between domains involved in the delivery chain of an exploit and infrastructure used for BazarLoader and Trickbot distribution.

We believe the shift to deliver BazarLoader, along with some other indicators such as a unique Cobalt Strike profile (described by RiskIQ) further confirms the existence of a relationship between EXOTIC LILY and actions of a Russian cyber crime group tracked as WIZARD SPIDER (CrowdStrike), FIN12 (Mandiant, FireEye) and DEV-0193 (Microsoft). While the nature of those relationships remains unclear, EXOTIC LILY seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors.

Improving User Protection

As part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. In collaboration with Gmail and Safe Browsing, we are improving protections by adding additional warnings for emails originating from website contact forms, better identification of spoofing, and adjusting the reputation of email file sharing notifications. Additionally, we’re working with Google’s CyberCrime Investigation Group to share relevant details and indicators with law enforcement.

TAG is committed to sharing our findings as a way of raising awareness with the security community, and with companies and individuals that might have been targeted or suffered from this threat actor’s activities. We hope that improved understanding of the group’s tactics and techniques will enhance threat hunting capability and lead to stronger user protections across industry.

Indicators of Compromise (IOCs)

Recent domains used in email campaigns:

• conlfex[.]com
• avrobio[.]co
• elemblo[.]com
• phxmfg[.]co
• modernmeadow[.]co
• lsoplexis[.]com
• craneveyor[.]us
• faustel[.]us
• lagauge[.]us
• missionbio[.]us
• richllndmetals[.]com
• kvnational[.]us
• prmflltration[.]com
• brightlnsight[.]co
• belcolnd[.]com
• awsblopharma[.]com
• amevida[.]us
• revergy[.]us
• al-ghurair[.]us
• opontia[.]us

BazarLoader ISO samples:

• 5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be
• 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269
• c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7

Recent BUMBLEBEE ISO samples:

• 9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32
• 6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8
• 201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9
• 1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd
• 01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225

Recent BUMBLEBEE C2:

• 23.81.246[.]187:443

In early September 2021, Threat Analysis Group (TAG) observed a financially motivated threat actor we refer to as EXOTIC LILY, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigating this group's activity, we determined they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike).

Initial access brokers are the opportunistic locksmiths of the security world, and it’s a full-time job. These groups specialize in breaching a target in order to open the doors—or the Windows—to the malicious actor with the highest bid.

EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. At the peak of EXOTIC LILY’s activity, we estimate they were sending more than 5,000 emails a day, to as many as 650 targeted organizations globally. Up until November 2021, the group seemed to be targeting specific industries such as IT, cybersecurity and healthcare, but as of late we have seen them attacking a wide variety of organizations and industries, with less specific focus.

We have observed this threat actor deploying tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, further evading detection mechanisms. This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations.

Spoofing Organizations and Identities

EXOTIC LILY’s attack chain has remained relatively consistent throughout the time we’ve been tracking the group:

One notable technique is the use of domain and identity spoofing as a way of gaining additional credibility with a targeted organization. In the majority of cases, a spoofed domain name was identical to a real domain name of an existing organization, with the only difference being a change of TLD to “.us”, “.co” or “.biz”.

Initially, the group would create entirely fake personas posing as employees of a real company. That would sometimes consist of creating social media profiles, personal websites and generating a fake profile picture using a public service to create an AI-generated human face. In November 2021, the group began to impersonate real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.

Using spoofed email accounts, attackers would then send spear phishing emails under the pretext of a business proposal, such as seeking to outsource a software development project or an information security service.

Attackers would sometimes engage in further communication with the target by attempting to schedule a meeting to discuss the project's design or requirements.

At the final stage, the attacker would upload the payload to a public file-sharing service (TransferNow, TransferXL, WeTransfer or OneDrive) and then use a built-in email notification feature to share the file with the target, allowing the final email to originate from the email address of a legitimate file-sharing service and not the attacker’s email, which presents additional detection challenges.

Human-Operated Phishing at Scale

Further evidence suggests an operator’s responsibilities might include:

• customizing the initial “business proposal” templates when first reaching out to a targeted organization;
• handling further communications in order to gain affinity and trust;
• uploading malware (acquired from another group) to a file-sharing service prior to sharing it with the target.

A breakdown of the actor’s communication activity shows the operators are working a fairly typical 9-to-5 job, with very little activity during the weekends. Distribution of the actor’s working hours suggest they might be working from a Central or an Eastern Europe timezone.

Malware and Attribution

Although the group came to our attention initially due to its use of documents containing an exploit for CVE-2021-40444, they later switched to the delivery of ISO files with hidden BazarLoader DLLs and LNK shortcuts. These samples have some indicators that suggest they were custom-built to be used by the group. For example, metadata embedded in the LNK shortcuts shows that a number of fields, such as the “Machine Identifier” and “Drive Serial Number” were shared with BazarLoader ISOs distributed via other means, however other fields such as the command line arguments were unique for samples distributed by EXOTIC LILY.

In March, the group continued delivering ISO files, but with a DLL containing a custom loader which is a more advanced variant of a first-stage payload previously seen during CVE-2021-40444 exploitation. The loader can be recognized by its use of a unique user-agent “bumblebee” which both variants share. The malware, hence dubbed BUMBLEBEE, uses WMI to collect various system details such as OS version, user name and domain name, which are then exfiltrated in JSON format to a C2. In response, it expects to receive one of the several supported “tasks”, which include execution of shellcode, dropping and running executable files. At the time of the analysis, BUMBLEBEE was observed to fetch Cobalt Strike payloads.

EXOTIC LILY activities overlap with a group tracked as DEV-0413 (Microsoft) and were also described by Abnormal in their recent post. Earlier reports of attacks exploiting CVE-2021-40444 (by Microsoft and other members of the security community) have also indicated overlaps between domains involved in the delivery chain of an exploit and infrastructure used for BazarLoader and Trickbot distribution.

We believe the shift to deliver BazarLoader, along with some other indicators such as a unique Cobalt Strike profile (described by RiskIQ) further confirms the existence of a relationship between EXOTIC LILY and actions of a Russian cyber crime group tracked as WIZARD SPIDER (CrowdStrike), FIN12 (Mandiant, FireEye) and DEV-0193 (Microsoft). While the nature of those relationships remains unclear, EXOTIC LILY seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors.

Improving User Protection

As part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. In collaboration with Gmail and Safe Browsing, we are improving protections by adding additional warnings for emails originating from website contact forms, better identification of spoofing, and adjusting the reputation of email file sharing notifications. Additionally, we’re working with Google’s CyberCrime Investigation Group to share relevant details and indicators with law enforcement.

TAG is committed to sharing our findings as a way of raising awareness with the security community, and with companies and individuals that might have been targeted or suffered from this threat actor’s activities. We hope that improved understanding of the group’s tactics and techniques will enhance threat hunting capability and lead to stronger user protections across industry.

Indicators of Compromise (IOCs)

Recent domains used in email campaigns:

• conlfex[.]com
• avrobio[.]co
• elemblo[.]com
• phxmfg[.]co
• modernmeadow[.]co
• lsoplexis[.]com
• craneveyor[.]us
• faustel[.]us
• lagauge[.]us
• missionbio[.]us
• richllndmetals[.]com
• kvnational[.]us
• prmflltration[.]com
• brightlnsight[.]co
• belcolnd[.]com
• awsblopharma[.]com
• amevida[.]us
• revergy[.]us
• al-ghurair[.]us
• opontia[.]us

BazarLoader ISO samples:

• 5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be
• 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269
• c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7

Recent BUMBLEBEE ISO samples:

• 9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32
• 6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8
• 201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9
• 1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd
• 01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225

Recent BUMBLEBEE C2:

• 23.81.246[.]187:443

Online security is extremely important for people in Ukraine and the surrounding region right now. Government agencies, independent newspapers and public service providers need it to function and individuals need to communicate safely. Google’s Threat Analysis Group (TAG) has been working around the clock, focusing on the safety and security of our users and the platforms that help them access and share important information.

This work continues our longstanding efforts to take action against threat actors in this region. In the last 12 months, TAG has issued hundreds of government-backed attack warnings to Ukrainian users alerting them that they have been the target of government backed hacking, largely emanating from Russia.

Over the past two weeks, TAG has observed activity from a range of threat actors that we regularly monitor and are well-known to law enforcement, including FancyBear and Ghostwriter. This activity ranges from espionage to phishing campaigns. We’re sharing this information to help raise awareness among the security community and high risk users:

FancyBear/APT28, a threat actor attributed to Russia GRU, has conducted several large credential phishing campaigns targeting ukr.net users, UkrNet is a Ukrainian media company. The phishing emails are sent from a large number of compromised accounts (non-Gmail/Google), and include links to attacker controlled domains.

In two recent campaigns, the attackers used newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages. All known attacker-controlled Blogspot domains have been taken down.

Example credential phishing domains observed during these campaigns:

• id-unconfirmeduser[.]frge[.]io
• hatdfg-rhgreh684[.]frge[.]io
• ua-consumerpanel[.]frge[.]io
• consumerspanel[.]frge[.]io

Ghostwriter/UNC1151, a Belarusian threat actor, has conducted credential phishing campaigns over the past week against Polish and Ukrainian government and military organizations. TAG has also identified campaigns targeting webmail users from the following providers:

• i.ua
• meta.ua
• rambler.ru
• ukr.net
• wp.pl
• yandex.ru

Example credential phishing domains observed during these campaigns:

• accounts[.]secure-ua[.]website
• i[.]ua-passport[.]top
• login[.]creditals-email[.]space
• post[.]mil-gov[.]space
• verify[.]rambler-profile[.]site

These phishing domains have been blocked through Google Safe Browsing – a service that identifies unsafe websites across the web and notifies users and website owners of potential harm.

Mustang Panda or Temp.Hex, a China-based threat actor, targeted European entities with lures related to the Ukrainian invasion. TAG identified malicious attachments with file names such as 'Situation at the EU borders with Ukraine.zip'. Contained within the zip file is an executable of the same name that is a basic downloader and when executed, downloads several additional files that load the final payload. To mitigate harm, TAG alerted relevant authorities of its findings.

Targeting of European organizations has represented a shift from Mustang Panda’s regularly observed Southeast Asian targets.

DDoS Attacks

We continue to see DDoS attempts against numerous Ukraine sites, including the Ministry of Foreign Affairs, Ministry of Internal Affairs, as well as services like Liveuamap that are designed to help people find information. We expanded eligibility for Project Shield, our free protection against DDoS attacks, so that Ukrainian government websites, embassies worldwide and other governments in close proximity to the conflict can stay online, protect themselves and continue to offer their crucial services and ensure access to the information people need.

Project Shield allows Google to absorb the bad traffic in a DDoS attack and act as a “shield” for websites, allowing them to continue operating and defend against these attacks. As of today, over 150 websites in Ukraine, including many news organizations, are using the service. We encourage all eligible organizationsto register for Project Shield so our systems can help block these attacks and keep websites online.

We’ll continue to take action, identify bad actors and share relevant information with others across industry and governments, with the goal of bringing awareness to these issues, protecting users and preventing future attacks. And while we are actively monitoring activity related to Ukraine and Russia, we continue to be just as vigilant in relation to other threat actors globally, to ensure that they do not take advantage of everyone’s focus on this region.