Description
[EXOTIC LILY](https://attack.mitre.org/groups/G1011) is a financially motivated group that has been closely linked with [Wizard Spider](https://attack.mitre.org/groups/G0102) and the deployment of ransomware including [Conti](https://attack.mitre.org/software/S0575) and [Diavol](https://attack.mitre.org/software/S0659). [EXOTIC LILY](https://attack.mitre.org/groups/G1011) may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021. (Citation: Google EXOTIC LILY March 2022)
Techniques Used (TTPs)
- T1566.003 — Spearphishing via Service (initial-access)
- T1585.001 — Social Media Accounts (resource-development)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1203 — Exploitation for Client Execution (execution)
- T1566.002 — Spearphishing Link (initial-access)
- T1204.002 — Malicious File (execution)
- T1585.002 — Email Accounts (resource-development)
- T1102 — Web Service (command-and-control)
- T1594 — Search Victim-Owned Websites (reconnaissance)
- T1204.001 — Malicious Link (execution)
- T1597 — Search Closed Sources (reconnaissance)
- T1583.001 — Domains (resource-development)
- T1593.001 — Social Media (reconnaissance)
- T1589.002 — Email Addresses (reconnaissance)
- T1608.001 — Upload Malware (resource-development)
Total TTPs: 15