Earth Lamia Develops Custom Arsenal to Target Multiple Industries


Attribution

In January 2024, an intrusion set identified as REF0657 targeted the financial services sector in South Asia. We believe this activity is also attributable to Earth Lamia. Our telemetry also shows that Earth Lamia targeted Indian financial organisations during 2023 and early 2024. Many of the attack tactics and hacking tools described in the REF0657 report are identical to those used by Earth Lamia. In addition, we found a Cobalt Strike sample used by Earth Lamia that connects to the C&C domain “chrome-online[.]site”. The certificate for “chrome-online[.]site” was also observed on “149[.]104[.]23[.]176,” the IP address reported as being used by REF0657.

In August 2024, a report on a Mimic ransomware campaign tracked as STAC6451 was published. That report noted that some of the attack tactics are linked to REF0657. It described the following activities, which were likely carried out by Earth Lamia:

  • A user account with the username “helpdesk” and the password “P@ssw0rd” created during the attack
  • The use of the hacking tool “Sophosx64.exe,” which is actually the “GodPotato” tool. We found the same tool under the same filename in Earth Lamia’s attacks.
  • The Cobalt Strike loader…
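As an added defensive illustration that is not part of the original report, the following Python script checks constructed key=value event lines against the indicators quoted above (the "helpdesk" account, the Sophosx64.exe filename, the C&C domain and the associated IP). The log format, event names and host names are assumptions.

```python
import re

# Indicators quoted in the report (brackets from the defanged form removed so they compare to log fields).
IOC_HELPDESK_USER = "helpdesk"
IOC_GODPOTATO_FILE = "sophosx64.exe"
IOC_C2_DOMAIN = "chrome-online.site"
IOC_C2_IP = "149.104.23.176"

# Constructed sample log lines (hypothetical key=value export, not real telemetry).
SAMPLE_LOGS = [
    "2024-01-12T03:14:05Z host=fin-srv01 event=4720 target_user=helpdesk subject_user=svc_sql",
    "2024-01-12T03:15:22Z host=fin-srv01 event=4688 image=C:\\Users\\Public\\Sophosx64.exe parent=cmd.exe",
    "2024-01-12T03:16:01Z host=fin-srv01 event=dns query=chrome-online.site answer=149.104.23.176",
    "2024-01-12T04:00:00Z host=fin-srv02 event=4688 image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_kv(line):
    """Turn 'key=value' tokens into a dict; the leading timestamp is kept under 'ts'."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields

def match_rules(fields):
    """Return the names of the report's indicators that this single event matches."""
    hits = []
    event = fields.get("event", "")
    # Account creation (Windows event 4720) with the username seen in the campaign.
    if event == "4720" and fields.get("target_user", "").lower() == IOC_HELPDESK_USER:
        hits.append("helpdesk_account_created")
    # Process creation (event 4688): compare only the basename, case-insensitively.
    if event == "4688":
        basename = re.split(r"[\\/]", fields.get("image", ""))[-1].lower()
        if basename == IOC_GODPOTATO_FILE:
            hits.append("godpotato_filename")
    # DNS telemetry: the domain and the IP that shared its certificate.
    if event == "dns":
        if fields.get("query", "").lower() == IOC_C2_DOMAIN:
            hits.append("c2_domain")
        if fields.get("answer") == IOC_C2_IP:
            hits.append("c2_ip")
    return hits

def scan(lines):
    """Return (line_index, matched_rules) for every line that matched at least one rule."""
    results = []
    for idx, line in enumerate(lines):
        hits = match_rules(parse_kv(line))
        if hits:
            results.append((idx, hits))
    return results

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(idx, hits, SAMPLE_LOGS[idx])
```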
