Google examines ransomware scheme that utilizes fake LinkedIn profiles and Microsoft bugs

[Image: LinkedIn. Credit: Daniel Rubino / Windows Central]

What you need to know

  • Google has exposed the details of ransomware campaigns driven by a group it has named "Exotic Lily."
  • Exotic Lily leverages fake user profiles and legitimate services such as OneDrive in order to add a more personal, realistic touch to its campaigns.
  • Beyond OneDrive and LinkedIn, Exotic Lily has also exploited weaknesses in Windows as part of its campaigns.

Microsoft's security teams routinely report on goings-on in the cybercriminal world, including when those events affect the competition. This time around, it's Google highlighting how Microsoft's services and products are being used by bad actors for bad purposes.

Google released a report exposing the operations of a group nicknamed "Exotic Lily," an Initial Access Broker (IAB). IABs infiltrate networks and then auction that access to whichever cybercriminal will pay the most.

Exotic Lily's methods of infiltration are more personal and crafty than those of the usual threat actor, according to Google. Here's the play: The group creates fake social media profiles, including LinkedIn profiles, built from easily obtainable data on real employees so that the impersonations appear authentic. It also uses spoofed email accounts, then begins engaging with targets to establish rapport.

[Image: a fake LinkedIn profile. Source: Google]

Once there's an opening to do so, the group uses a file-sharing service such as OneDrive to deliver the payload that sets the stage for a ransomware attack, while masking the payload's origin. The group also exploited a since-patched zero-day vulnerability in MSHTML, a Windows component, in conjunction with its efforts to circulate malicious Office documents designed to trick users into opening dangerous content on their devices.

In short, Exotic Lily has used a wide range of Microsoft services and products for malicious purposes, and threats like fake LinkedIn profiles remain a danger. That said, Microsoft has addressed the aforementioned MSHTML zero-day, and Google's report offers guidance on what to look out for, as well as more detail on the technical aspects of Exotic Lily's operations should you want to dig deeper.

Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to robert.carnevale@futurenet.com.

3 Comments
  • Ok, I need some help here.
    What is an individual job hunter or recruiter doing with Amazon Consultant to an extent where they are sharing OneDrive documents? Or is LinkedIn now a dating service? For the attack scenario in this article, it sure looks like LinkedIn was treated as a social media / file exchange site.
  • Ha, this makes me even more skeptical of Google. They obviously have an ulterior motive. Otherwise it would have been a joint statement addressing the issue.
  • Google shut up