Cybersecurity researchers have shed light on a new China-linked threat actor called Earth Alux that has targeted various key sectors such as government, technology, logistics, manufacturing, telecommunications, IT services, and retail in the Asia-Pacific (APAC) and Latin American (LATAM) regions.
“The first sighting of its activity was in the second quarter of 2023; back then, it was predominantly observed in the APAC region,” Trend Micro researchers Lenart Bermejo, Ted Lee, and Theo Chen said in a technical report published Monday. “Around the middle of 2024, it was also spotted in Latin America.”
The primary targets of the adversarial collective span countries such as Thailand, the Philippines, Malaysia, Taiwan, and Brazil.
The infection chains begin with the exploitation of vulnerable services in internet-exposed web applications, using them to drop the Godzilla web shell for facilitating the deployment of additional payloads, including backdoors dubbed VARGEIT and COBEACON (aka Cobalt Strike Beacon).
VARGEIT offers the ability to load tools directly from its command-and-control (C&C) server to a newly spawned process of Microsoft Paint (“mspaint.exe”) to facilitate reconnaissance, collection, and exfiltration.
“VARGEIT is also the chief method through which Earth Alux operates supplemental tools for various tasks, such as lateral movement and network discovery in a fileless manner,” the researchers said.
A point worth mentioning here is that while VARGEIT is used as a first, second, or later-stage backdoor, COBEACON is employed as a first-stage backdoor. The latter is launched by means of a loader dubbed MASQLOADER, or via RSBINJECT, a Rust-based command-line shellcode loader.
Subsequent iterations of MASQLOADER have also been observed implementing an anti-API hooking technique that overwrites any NTDLL.dll hooks inserted by security programs to detect suspicious processes running on Windows, thereby allowing the malware and the embedded payload within it to fly under the radar.
The execution of VARGEIT results in the deployment of more tools, including a loader component codenamed RAILLOAD that’s executed using a technique known as DLL side-loading, and is used for running an encrypted payload located in a different folder.
The second payload is a persistence and timestomping module referred to as RAILSETTER that alters the timestamps associated with RAILLOAD artifacts on the compromised host, alongside creating a scheduled task to launch RAILLOAD.
 |
| VARGEIT and controller interaction |
“MASQLOADER is also being used by other groups besides Earth Alux,” Trend Micro said. “Additionally, the difference in MASQLOADER’s code structure compared to other tools such as RAILSETTER and RAILLOAD suggests that MASQLOADER’s development is separate from those toolsets.”
The most distinctive aspect of VARGEIT is its ability to support 10 different channels for C&C communications over HTTP, TCP, UDP, ICMP, DNS, and Microsoft Outlook, the last of which leverages the Graph API to exchange commands in a predetermined format using the drafts folder of an attacker-managed mailbox.
Specifically, the message from the C&C server is prepended with r_, while those from the backdoor are prefixed with p_. Among its wide range of functions is the extensive data collection and command execution, which makes it a potent malware in the threat actor’s arsenal.
“Earth Alux conducts several tests with RAILLOAD and RAILSETTER,” Trend Micro said. “These include detection tests and attempts to find new hosts for DLL side-loading. DLL side-loading tests involve ZeroEye, an open source tool popular within the Chinese-speaking community, for scanning EXE files’ import tables for imported DLLs that can be abused for side-loading.”
The hacking group has also been found to utilize VirTest, another testing tool widely used by the Chinese-speaking community, to ensure that its tools are stealthy enough to maintain long-term access to target environments.
“Earth Alux represents a sophisticated and evolving cyberespionage threat, leveraging a diverse toolkit and advanced techniques to infiltrate and compromise a range of sectors, particularly in the APAC region and Latin America,” the researchers concluded. “The group’s ongoing testing and development of its tools further indicate a commitment to refining its capabilities and evading detection.”
