A China-linked threat actor tracked as Earth Alux has been observed targeting government, technology, logistics, manufacturing, telecommunications, IT services, and retail organizations, mainly across the Asia-Pacific (APAC) and Latin American (LATAM) regions.

Trend Micro researchers Lenart Bermejo, Ted Lee, and Theo Chen report that Earth Alux first appeared in the second quarter of 2023, initially focusing on APAC. By mid-2024 its activity had extended to Latin America, widening the group's operational scope.

Targets include Thailand, the Philippines, Malaysia, Taiwan, and Brazil. Earth Alux gains initial access by exploiting vulnerable internet-facing services and drops the Godzilla web shell, which it then uses to stage additional payloads. Two backdoors feature prominently in its intrusions: VARGEIT and COBEACON (the Cobalt Strike Beacon).

VARGEIT is notable for loading tools straight from the command-and-control (C&C) server into a freshly spawned Microsoft Paint process ("mspaint.exe"), so reconnaissance, data collection, and exfiltration run inside a benign-looking host process. VARGEIT serves both as a first-stage backdoor and as a later-stage implant that delivers further tooling, which gives Earth Alux a quiet path to lateral movement and network reconnaissance.
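The mspaint.exe behavior described above is easy to hunt for, because Paint has no business being spawned by an unknown binary or opening outbound connections. The following is an added example, not code from the Trend Micro report or from Earth Alux tooling: it runs two checks over a constructed list of events whose field names (EventID, Image, ParentImage, ProcessGuid, DestinationIp, DestinationPort) follow Sysmon's ProcessCreate (1) and NetworkConnect (3) events. The expected-parent list is an assumption to be tuned per environment.

```python
# Added example (not from the Trend Micro report): flag mspaint.exe instances
# that look like an injection host rather than a user opening Paint. The event
# records below are constructed; field names mimic Sysmon EventID 1 and 3.

MSPAINT = r"c:\windows\system32\mspaint.exe"
# Parents from which an interactive Paint launch is normal. Assumption: tune per
# environment (Windows 11 Paint is a Store app with a different launch path).
EXPECTED_PARENTS = {r"c:\windows\explorer.exe"}


def _norm(path):
    return path.lower()


def suspicious_mspaint(events):
    """Return {ProcessGuid: [indicator, ...]} for mspaint.exe processes with at
    least one indicator. Indicators: 'unexpected_parent' when the parent is not
    in EXPECTED_PARENTS, and 'network_connect:<ip>:<port>' for each outbound
    connection, since Paint has no reason to talk to the network on its own."""
    findings = {}
    for e in events:
        if _norm(e["Image"]) != MSPAINT:
            continue
        guid = e["ProcessGuid"]
        if e["EventID"] == 1 and _norm(e["ParentImage"]) not in EXPECTED_PARENTS:
            findings.setdefault(guid, []).append("unexpected_parent")
        elif e["EventID"] == 3:
            findings.setdefault(guid, []).append(
                f"network_connect:{e['DestinationIp']}:{e['DestinationPort']}")
    return findings


# Constructed sample telemetry.
EVENTS = [
    # A: user opens a picture from Explorer, no network. Benign.
    {"EventID": 1, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\mspaint.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mspaint.exe" C:\Users\u\Pictures\img.png'},
    # B: Paint spawned by an unknown binary and then beaconing out. This is the
    # shape of the VARGEIT behavior described in the text.
    {"EventID": 1, "ProcessGuid": "{B}", "Image": r"C:\Windows\System32\mspaint.exe",
     "ParentImage": r"C:\ProgramData\Sync\svc.exe",
     "CommandLine": r"C:\Windows\System32\mspaint.exe"},
    {"EventID": 3, "ProcessGuid": "{B}", "Image": r"C:\Windows\System32\mspaint.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # C: expected parent, but the process still opens an outbound connection.
    {"EventID": 1, "ProcessGuid": "{C}", "Image": r"C:\Windows\System32\mspaint.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\mspaint.exe"},
    {"EventID": 3, "ProcessGuid": "{C}", "Image": r"C:\Windows\System32\mspaint.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 8080},
]

if __name__ == "__main__":
    for guid, why in suspicious_mspaint(EVENTS).items():
        print(guid, why)
```

The network check is the stronger of the two: a parent-process rule can be defeated by spawning Paint from a process that mimics the expected parent, but an injected payload still has to reach its C&C server.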

COBEACON is the alternative first-stage backdoor, delivered either by a loader tracked as MASQLOADER or by RSBINJECT, a Rust-based command-line shellcode loader. Recent MASQLOADER builds include an anti-API-hooking routine that overwrites the inline hooks security products place in NTDLL.dll, so the API calls those products rely on to observe process behavior are no longer intercepted.

VARGEIT in turn deploys further tools. RAILLOAD is a loader executed through DLL side-loading: a legitimate application loads it in place of a DLL it expects, and RAILLOAD then runs an encrypted payload kept in a separate folder, so the malicious code executes under the cover of a trusted binary. RAILSETTER provides persistence, creating a scheduled task to relaunch RAILLOAD and altering the timestamps of the RAILLOAD artifacts so they blend in with the files around them.
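Timestomping of the kind RAILSETTER performs changes the $STANDARD_INFORMATION ($SI) timestamps that the documented file API exposes, but not the $FILE_NAME ($FN) timestamps the kernel keeps in the same MFT record. The following added example (not code from the report) applies the two standard forensic heuristics built on that difference to constructed records; in practice the values would come from an MFT parser. The file names are made up, and the third record is included to show a benign case (ZIP extraction) that a naive whole-second rule would flag.

```python
# Added example (not from the report): flag files whose NTFS timestamps look
# manipulated in the way RAILSETTER's timestomping would leave them.
from dataclasses import dataclass
from datetime import datetime


@dataclass
class FileTimes:
    path: str
    si_created: datetime   # $SI: what SetFileTime (and timestomp tools) change
    si_modified: datetime
    fn_created: datetime   # $FN: written by the kernel, not settable via the documented API
    fn_modified: datetime


def timestomp_indicators(ft: FileTimes) -> list:
    ind = []
    # 1. $SI creation predates $FN creation. $FN is stamped when the record is
    #    created (and refreshed from $SI on rename/move), so for a file that has
    #    not been renamed since, $SI should never be older than $FN.
    if ft.si_created < ft.fn_created:
        ind.append("si_created_before_fn_created")
    # 2. Whole-second $SI values beside sub-second $FN values. NTFS keeps 100 ns
    #    resolution (datetime shows microseconds); tools that set times from a
    #    human-typed date leave the fraction at zero. Both $SI values must be
    #    whole seconds, because a legitimately copied or extracted file often
    #    has a whole-second mtime with a fresh, sub-second creation time.
    if (ft.si_created.microsecond == 0 and ft.si_modified.microsecond == 0
            and (ft.fn_created.microsecond or ft.fn_modified.microsecond)):
        ind.append("si_whole_second_precision")
    return ind


def scan(records):
    """{path: indicators} for every record with at least one indicator."""
    return {r.path: ind for r in records if (ind := timestomp_indicators(r))}


# Constructed records.
LEGIT = FileTimes(r"C:\Program Files\Vendor\app.exe",
    datetime(2024, 3, 5, 9, 12, 33, 124578), datetime(2024, 3, 5, 9, 12, 33, 124578),
    datetime(2024, 3, 5, 9, 12, 33, 124578), datetime(2024, 3, 5, 9, 12, 33, 124578))
# Side-loaded DLL whose $SI times were pushed back to look like an old install.
STOMPED = FileTimes(r"C:\Program Files\Vendor\vendorui.dll",
    datetime(2019, 3, 19, 4, 46, 12), datetime(2019, 3, 19, 4, 46, 12),
    datetime(2024, 7, 2, 13, 41, 8, 557201), datetime(2024, 7, 2, 13, 41, 8, 557201))
# File extracted from a ZIP: whole-second mtime (ZIP has 2 s resolution) but a
# fresh, sub-second creation time. Must not be flagged.
UNZIPPED = FileTimes(r"C:\Users\u\Downloads\tool\readme.txt",
    datetime(2024, 7, 2, 13, 40, 0, 111111), datetime(2023, 1, 1, 0, 0, 0),
    datetime(2024, 7, 2, 13, 40, 0, 111111), datetime(2024, 7, 2, 13, 40, 0, 111111))

if __name__ == "__main__":
    for path, why in scan([LEGIT, STOMPED, UNZIPPED]).items():
        print(path, why)
```

Neither heuristic is proof on its own: a rename after the timestomp copies the forged $SI values into $FN and defeats the first check, and some installers write whole-second times. Corroborate with the scheduled task RAILSETTER creates, whose registration time will not match the artifacts it launches.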

Trend Micro notes that MASQLOADER is not exclusive to Earth Alux; its code structure differs from that of RAILSETTER and RAILLOAD, pointing to a separate development lineage. VARGEIT's standout feature is the range of C&C channels it supports: HTTP, TCP, UDP, ICMP, DNS, and Microsoft Outlook, where commands and results are exchanged as draft messages in a mailbox reached through the Microsoft Graph API.
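A drafts-folder channel never sends mail, so the mailbox audit trail shows drafts being created and removed at machine pace with no Send operation, typically from a REST (Graph) client. The following added example (not code from the report) looks for that shape in a constructed set of records modeled on Exchange Online mailbox audit events. The field names (Operation, MailboxOwnerUPN, ClientInfoString, FolderPath, CreationTime) are an assumption about how such logs would be normalized, and the mailboxes, thresholds and ClientInfoString values are made up.

```python
# Added example (not from the report): hunt for a mailbox being used as a drop
# box, the way VARGEIT's Outlook channel uses drafts. Records are constructed;
# field names are assumptions shaped after Exchange mailbox audit events.
from collections import defaultdict
from datetime import datetime, timedelta

SEND_OPS = {"Send", "SendAs", "SendOnBehalf"}
DELETE_OPS = {"HardDelete", "SoftDelete", "MoveToDeletedItems"}


def beacon_like_drafts(events, window=timedelta(minutes=10), min_drafts=5):
    """Return {mailbox: summary} for mailboxes where >= min_drafts drafts were
    created within `window` and nothing was sent in the data set. Drafts that
    are created and deleted but never sent is the shape of a polling channel,
    not of a person writing mail."""
    by_mbx = defaultdict(list)
    for e in events:
        by_mbx[e["MailboxOwnerUPN"]].append(e)
    hits = {}
    for mbx, evs in by_mbx.items():
        if any(e["Operation"] in SEND_OPS for e in evs):
            continue  # a human (or an automation) that actually sends mail
        drafts = sorted((e for e in evs if e["Operation"] == "Create"
                         and e["FolderPath"].lower() == r"\drafts"),
                        key=lambda e: e["CreationTime"])
        deletes = sum(e["Operation"] in DELETE_OPS for e in evs)
        for i, first in enumerate(drafts):
            j = i
            while j < len(drafts) and drafts[j]["CreationTime"] - first["CreationTime"] <= window:
                j += 1
            if j - i >= min_drafts:
                hits[mbx] = {
                    "drafts": j - i,
                    "deletes": deletes,
                    "rest_client": any("Client=REST" in e["ClientInfoString"] for e in drafts[i:j]),
                    "window_start": first["CreationTime"],
                }
                break
    return hits


def _ev(t, op, mbx, client, folder=r"\Drafts"):
    return {"CreationTime": t, "Operation": op, "MailboxOwnerUPN": mbx,
            "ClientInfoString": client, "FolderPath": folder}


# Constructed sample.
T0 = datetime(2025, 3, 10, 8, 0, 0)
REST = "Client=REST;Client=RESTSystem;;"   # assumed Graph client string
OWA = "Client=OWA;Action=ViaProxy"         # assumed web client string
C2_MBX = "svc-reports@example.com"
USER_MBX = "alice@example.com"
FLOW_MBX = "notify@example.com"
EVENTS = []
for k in range(6):  # every 30 s a draft appears and is removed again, never sent
    EVENTS.append(_ev(T0 + timedelta(seconds=30 * k), "Create", C2_MBX, REST))
    EVENTS.append(_ev(T0 + timedelta(seconds=30 * k + 5), "HardDelete", C2_MBX, REST))
# A user writes one draft and sends it.
EVENTS.append(_ev(T0 + timedelta(minutes=1), "Create", USER_MBX, OWA))
EVENTS.append(_ev(T0 + timedelta(minutes=3), "Send", USER_MBX, OWA))
# An automation also uses Graph and creates many drafts, but it sends them.
for k in range(6):
    EVENTS.append(_ev(T0 + timedelta(seconds=20 * k), "Create", FLOW_MBX, REST))
EVENTS.append(_ev(T0 + timedelta(minutes=2), "Send", FLOW_MBX, REST))

if __name__ == "__main__":
    for mbx, summary in beacon_like_drafts(EVENTS).items():
        print(mbx, summary)
```

Pair the hit with the Entra ID sign-in and application consent logs for the same period: a drafts channel needs a token with Mail.ReadWrite, so the application that holds it, and when consent was granted, is the next pivot.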

In that exchange, messages from the C&C server carry the prefix "r_" and messages from the backdoor the prefix "p_". Combined with its data-collection and command-execution functions, this makes VARGEIT the centerpiece of the group's toolkit. Earth Alux also tests its tooling systematically, checking it against detection and looking for new side-loading opportunities with ZeroEye, a utility that scans an executable's DLL imports for candidates that could be hijacked.

The group also uses VirTest, another testing tool popular in the Chinese-speaking threat actor community, to confirm that its tools evade detection. The researchers conclude that Earth Alux is a sophisticated and evolving cyber-espionage threat whose diverse toolkit and continued tool development and testing reflect a clear commitment to extending its capabilities while staying undetected, particularly across APAC and Latin America.
