Earth Lamia Expands Arsenal to Target Multiple Industries in 2025

Earth Lamia, a China-nexus APT group, has been actively targeting industries in Brazil, India, and Southeast Asia since 2023. The actor has evolved its focus over time – from financial services to logistics, retail, IT, and public institutions – using customized tools and advanced techniques. Its arsenal includes a novel backdoor named PULSEPACK, modified open-source tools, and widespread exploitation of web-facing application vulnerabilities.

Severity Level: High

Threat Details

1. Targeted Regions: Brazil, India, Thailand, Vietnam, Indonesia, Malaysia, Philippines

2. Targeted Industries (by Timeline):

3. Custom Tools and Malware

• PULSEPACK (.NET modular backdoor)
  Plugin-based architecture; communicates via TCP (2024) and WebSocket (2025)
  Uses AES encryption, memory injection, and reflective loading
• BypassBoss: Modified from “Sharp4PrinterNotifyPotato”; used for privilege escalation
• Cobalt Strike & Brute Ratel: Used with custom loaders and encrypted shellcode
• VShell Loader: Also uses the open-source tool VOIDMAW for in-memory evasion
• DLL sideloading: Leveraging legitimate binaries (e.g., AppLaunch.exe) to load malware

4. Exploited Vulnerabilities

Earth Lamia aggressively scans & exploits the following public-facing software to gain initial access:

5. Execution

• Execution of post-exploitation scripts via certutil.exe / powershell.exe for downloading tools
• Deploys Custom Backdoor (PULSEPACK)
• Leverages legitimate binaries (e.g., AppLaunch.exe) to side load malware

6. Persistence

• Creates new user accounts (e.g., sysadmin123, helpdesk), Schedules Tasks (schtasks.exe) using plugin TKRun.dll from PULSEPACK
• Maintains persistence through modified dlls, registry modifications, hidden startup mechanisms

7. Privilege Escalation

• Tools used: GodPotato, JuicyPotato, BypassBoss
• Local admin rights leveraged to: escalate to system, extract credentials and control domain environments

8. Lateral Movement

• Uses stolen credentials or dropped tools to move inside the network
• Techniques: LSASS memory dump to extract hashes, SAM + SYSTEM hive extraction, Network scanning (with Fscan, Kscan), Proxy tunneling with Stowaway, Rakshasa

9. Defense Evasion: Cleaning Windows Application, System and Security event logs with “wevtutil.exe”

Recommendations:

1. Ensure Apache Struts2, GitLab, WordPress Plugin, JetBrains TeamCity, CyberPanel, Craft CMS, SAP NetWeaver Visual Composer are updated with the latest security patches.
2. Audit and remove suspicious accounts like sysadmin123 or helpdesk.
3. Alert on log clearing commands: wevtutil.exe cl System, Security, Application
4. Disable vulnerable services where possible (e.g., unused IIS, Apache modules).
5. Detect encoded/in-memory PowerShell usage: powershell.exe -enc, Invoke-Expression, DownloadFile
6. Detect suspicious command execution like certutil.exe downloading files or cmd.exe /c used by non-interactive users
7. Detect execution of legitimate binaries (AppLaunch.exe) loading non-standard DLLs (mscoree.dll, etc.) from user-controlled paths
8. Detect access to lsass.exe via tools like procdump, mimikatz, or suspicious use of taskmgr by non-admin users
9. Monitor file drops of suspicious DLLs (Voidmaw, encoded shellcode), especially in %Public%, %Temp%, or %AppData% paths
10. Block the IOCs at their respective controls
    https://www.virustotal.com/gui/collection/c26546383a7a1bd685dad3238123a1b8186c694ee11c07f6fa6daf84cbb9b96b/iocs

Source:

• https://www.trendmicro.com/en_us/research/25/e/earth-lamia.html

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.