Researchers in the field of cybersecurity have recently shed light on a new threat actor linked to China, known as Earth Alux, which has been targeting key sectors such as government, technology, logistics, manufacturing, telecommunications, IT services, and retail in the Asia-Pacific (APAC) and Latin American (LATAM) regions.
According to Trend Micro researchers Lenart Bermejo, Ted Lee, and Theo Chen, in a technical report published on Monday, the first sighting of Earth Alux’s activity was in the second quarter of 2023, primarily in the APAC region. By the middle of 2024, its presence was also detected in Latin America.
The primary targets of this adversarial collective include countries such as Thailand, the Philippines, Malaysia, Taiwan, and Brazil.
The infection chain commences with the exploitation of vulnerable services in internet-exposed web applications, which are then used to deploy the Godzilla web shell, facilitating the deployment of additional payloads, including backdoors dubbed VARGEIT and COBEACON (also known as Cobalt Strike Beacon).
VARGEIT offers the capability to load tools directly from its command-and-control (C&C) server into a newly spawned Microsoft Paint process (“mspaint.exe”) to facilitate reconnaissance, collection, and exfiltration.
According to the researchers, “VARGEIT is also the primary method through which Earth Alux operates supplemental tools for various tasks, such as lateral movement and network discovery in a fileless manner.”
Notably, while VARGEIT is used as a first, second, or later-stage backdoor, COBEACON is employed as a first-stage backdoor, launched via a loader dubbed MASQLOADER or through RSBINJECT, a Rust-based command-line shellcode loader.
Subsequent iterations of MASQLOADER have been observed implementing an anti-API hooking technique that overwrites any NTDLL.dll hooks inserted by security programs to detect suspicious processes running on Windows, thereby allowing the malware and the embedded payload within it to evade detection.
The execution of VARGEIT results in the deployment of more tools, including a loader component codenamed RAILLOAD, which is executed using a technique known as DLL side-loading and is used for running an encrypted payload located in a different folder.
The second payload is a persistence and timestomping module referred to as RAILSETTER, which alters the timestamps associated with RAILLOAD artifacts on the compromised host and creates a scheduled task to launch RAILLOAD.
[Figure: VARGEIT and controller interaction]
“MASQLOADER is also being used by other groups besides Earth Alux,” Trend Micro noted. “Additionally, the difference in MASQLOADER’s code structure compared to other tools such as RAILSETTER and RAILLOAD suggests that MASQLOADER’s development is separate from those toolsets.”
The most distinctive aspect of VARGEIT is its ability to support 10 different channels for C&C communications over HTTP, TCP, UDP, ICMP, DNS, and Microsoft Outlook, the last of which leverages the Graph API to exchange commands in a predetermined format using the drafts folder of an attacker-managed mailbox.
Specifically, the message from the C&C server is prepended with r_, while those from the backdoor are prefixed with p_. Among its wide range of functions is extensive data collection and command execution, making it a potent malware in the threat actor’s arsenal.
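As an added example (not code from the Trend Micro report or this article), the following is a defender-side hunt over Drafts-folder metadata in the shape Microsoft Graph returns, pairing r_ command drafts with the p_ replies that follow them. The report only states the two prefixes and the use of the drafts folder; that the prefix sits in the draft subject, the five-minute pairing window, and the sample drafts are assumptions constructed for the example.

```python
"""Hunt a mailbox's Drafts folder for the r_/p_ command-and-response
pattern reported for VARGEIT's Outlook (Graph API) channel.

Assumptions (not stated in the report): the prefix is carried in the
draft's subject, and a reply lands within a short window of its command."""
from datetime import datetime

# Constructed sample in the shape returned by Microsoft Graph for
# GET /me/mailFolders/drafts/messages?$select=id,subject,createdDateTime,hasAttachments
SAMPLE_DRAFTS = [
    {"id": "m1", "subject": "Quarterly budget notes", "createdDateTime": "2024-06-03T08:00:00Z", "hasAttachments": False},
    {"id": "m2", "subject": "r_a1b2c3", "createdDateTime": "2024-06-03T08:05:10Z", "hasAttachments": False},
    {"id": "m3", "subject": "p_a1b2c3", "createdDateTime": "2024-06-03T08:05:42Z", "hasAttachments": True},
    {"id": "m4", "subject": "r_d4e5f6", "createdDateTime": "2024-06-03T09:30:00Z", "hasAttachments": False},
    {"id": "m5", "subject": "Re: project plan", "createdDateTime": "2024-06-03T10:00:00Z", "hasAttachments": False},
]


def _ts(msg):
    """Parse Graph's ISO-8601 UTC timestamp (trailing Z) into a datetime."""
    return datetime.fromisoformat(msg["createdDateTime"].replace("Z", "+00:00"))


def classify(msg):
    """Return 'command' for r_ drafts, 'response' for p_ drafts, else None."""
    subject = msg.get("subject") or ""
    if subject.startswith("r_"):
        return "command"
    if subject.startswith("p_"):
        return "response"
    return None


def pair_exchanges(drafts, window_seconds=300):
    """Group drafts into command/response exchanges ordered by creation time.

    Each r_ draft is matched with the first unclaimed p_ draft created after it
    within window_seconds. Commands with no reply are still reported, so a
    half-finished exchange is not missed by the hunt."""
    ordered = sorted(drafts, key=_ts)
    claimed, exchanges = set(), []
    for i, cmd in enumerate(ordered):
        if classify(cmd) != "command":
            continue
        reply = next((c for c in ordered[i + 1:] if classify(c) == "response"
                      and c["id"] not in claimed
                      and (_ts(c) - _ts(cmd)).total_seconds() <= window_seconds), None)
        if reply:
            claimed.add(reply["id"])
        exchanges.append({"command_id": cmd["id"],
                          "response_id": reply["id"] if reply else None,
                          "response_has_attachment": bool(reply and reply["hasAttachments"])})
    return exchanges


if __name__ == "__main__":
    for exchange in pair_exchanges(SAMPLE_DRAFTS):
        print(exchange)
```

A single r_ draft with no reply is still worth triage, since the report describes the drafts folder itself as the channel rather than any particular message volume.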
“Earth Alux conducts several tests with RAILLOAD and RAILSETTER,” Trend Micro said. “These include detection tests and attempts to find new hosts for DLL side-loading. DLL side-loading tests involve ZeroEye, an open-source tool popular within the Chinese-speaking community, for scanning EXE files’ import tables for imported DLLs that can be abused for side-loading.”
The hacking group has also been found to utilize VirTest, another testing tool widely used by the Chinese-speaking community, to ensure that its tools are stealthy enough to maintain long-term access to target environments.
“Earth Alux represents a sophisticated and evolving cyberespionage threat, leveraging a diverse toolkit and advanced techniques to infiltrate and compromise a range of sectors, particularly in the APAC region and Latin America,” the researchers concluded. “The group’s ongoing testing and development of its tools further indicate a commitment to refining its capabilities and evading detection.”