Earth Lamia Develops Custom Arsenal to Target Multiple Industries

MITRE Techniques

• [T1595.001] Active Scanning: Scanning IP Blocks – Earth Lamia conducts vulnerability scans on targets’ websites (‘frequently conducted vulnerability scans to identify possible SQL injection vulnerabilities’).
• [T1595.002] Active Scanning: Vulnerability Scanning – The actor scans for vulnerabilities in public-facing servers (exploiting CVE-2017-9805, CVE-2021-22205, and others).
• [T1592] Gather Victim Host Information – Plugins collect system version, usernames, and antivirus software info (‘collects the information of the infected machine’).
• [T1583.001] Acquire Infrastructure: Domains – Uses domains like “chrome-online.site” for C2 infrastructure (‘Cobalt Strike sample connects to “chrome-online[.]site”‘).
• [T1190] Exploit Public-Facing Application – Uses SQL injection and exploits multiple vulnerabilities to gain initial access (‘primarily targets the SQL injection vulnerabilities on web applications’).
• [T1078] Valid Accounts – Creates accounts such as “sysadmin123” on SQL servers with administrator privileges (‘CREATE LOGIN sysadmin123 WITH PASSWORD …’).
• [T1059.001] Command and Scripting Interpreter: PowerShell – Uses PowerShell for downloading tools and execution (‘Using “powershell.exe” to download additional tools’).
• [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Executes commands via “cmd.exe” subprocesses for backdoor control (‘the backdoor process can create a subprocess called “cmd.exe”‘).
• [T1098.007] Account Manipulation: Additional Local or Domain Groups – Adds created accounts to local administrators (‘adding it to the administrators’ local group’).
• [T1136.001] Create Account: Local Account – Creates new local user accounts like “helpdesk”.
• [T1053.005] Scheduled Task/Job: Scheduled Task – Uses scheduled tasks for persistence (‘creates a scheduled task to launch the executable after a system reboot’).
• [T1505.003] Server Software Component: Web Shell – Deploys webshells to website applications (‘Deploying webshells to website applications’).
• [T1068] Exploitation for Privilege Escalation – Uses exploits like GodPotato and JuicyPotato for privilege escalation.
• [T1078.003] Valid Accounts: Local Accounts – Uses local accounts for defense evasion and persistence.
• [T1140] Deobfuscate/Decode Files or Information – Deobfuscates RC4 and AES encrypted shellcode payloads (‘uses RC4 encryption to protect the malicious shellcode’).
• [T1574.001] Hijack Execution Flow: DLL Sideloading – Employs DLL sideloading to launch malicious DLLs via legitimate executables (‘packages hacking tools into DLL files launched via DLL sideloading’).
• [T1562.001] Impair Defenses: Disable or Modify Tools – Removes or obfuscates static strings in tools to evade detection.
• [T1070.001] Indicator Removal: Clear Windows Event Logs – Cleans event logs using “wevtutil.exe”.
• [T1036.005] Masquerading: Match Legitimate Resource Name or Location – Uses legitimate binaries from security vendors for sideloading.
• [T1620] Reflective Code Loading – Loads plugins and backdoor components in memory using “Assembly.Load”.
• [T1003.001] OS Credential Dumping: LSASS Memory – Dumps credentials from LSASS memory.
• [T1003.002] OS Credential Dumping: Security Account Manager – Extracts SAM and SYSTEM hives for credentials.
• [T1087.001] Account Discovery: Local Account – Searches for local accounts (‘Account Discovery: Local Account’).
• [T1087.002] Account Discovery: Domain Account – Discovers domain accounts.
• [T1482] Domain Trust Discovery – Collects domain controller info (‘Collecting domain controller information with “nltest.exe” and “net.exe”’).
• [T1570] Lateral Tool Transfer – Transfers tools laterally inside the network.
• [T1005] Data from Local System – Collects data locally on compromised systems.
• [T1132.001] Data Encoding: Standard Encoding – Uses Base64 encoding for plugin delivery.
• [T1573.001] Encrypted Channel: Symmetric Cryptography – Uses AES encryption for communication and plugin payloads.
• [T1008] Fallback Channels – Uses fallback C2 communication methods.
• [T1105] Ingress Tool Transfer – Downloads tools onto compromised hosts.
• [T1104] Multi-Stage Channels – Utilizes multi-stage plugin loading from C2.
• [T1095] Non-Application Layer Protocol – Switches from TCP socket to WebSocket for C2 communication.
• [T1571] Non-Standard Port – Uses non-standard TCP ports for C2.
• [T1041] Exfiltration Over C2 Channel – Exfiltrates victim data over command and control channels.