Cybersecurity researchers have shed light on a new China-linked threat actor called Earth Alux that has targeted various key sectors such as government, technology, logistics, manufacturing, telecommunications, IT services, and retail in the Asia-Pacific ( APAC ) and Latin American ( LATAM ) regions.
” The first sight of its action was in the second quarter of 2023, back then, it was largely observed in the APAC place”, Trend Micro experts Lenart Bermejo, Ted Lee, and Theo Chen in a technical report published Monday. ” Around the middle of 2024, it was also spotted in Latin America”.
The main goals of the hostile social course locations such as Thailand, the Philippines, Malaysia, Taiwan, and Brazil.
The disease stores begin with the abuse of vulnerable services in internet-exposed online applications, using them to drop the online tank for facilitating the deployment of more payloads, including backdoors dubbed VARGEIT and COBEACON (aka Cobalt Strike Beacon ).
VARGEIT offers the ability to load tools directly from its command-and-control ( C&, C ) server to a newly spawned process of Microsoft Paint ( “mspaint. exe” ) to facilitate reconnaissance, collection, and exfiltration.
“VARGEIT is also the main method through which Earth Alux operates ancillary tools for various tasks, such as lateral movement and community discovery in a fileless manner”, the researchers said.
A point worth mentioning here is that while VARGEIT is used as a first, second, or later-stage backdoor, COBEACON is employed as a first-stage backdoor. The latter is launched by means of a loader dubbed MASQLOADER, or via RSBINJECT, a Rust-based command-line shellcode loader.
Subsequent iterations of MASQLOADER have also been observed implementing an anti-AP I hooking technique that overwrites any NTDLL. dll hooks inserted by security programs to detect suspicious processes running on Windows, thereby allowing the malware and the embedded payload within it to fly under the radar.
The execution of VARGEIT results in the deployment of more tools, including a loader component codenamed RAILLOAD that’s executed using a technique known as DLL side-loading, and is used for running an encrypted payload located in a different folder.
The second payload is a persistence and module referred to as RAILSETTER that alters the timestamps associated with RAILLOAD artifacts on the compromised host, alongside creating a scheduled task to launch RAILLOAD.
| VARGEIT and controller interaction |
“MASQLOADER is also being used by other groups besides Earth Alux”, Trend Micro said. ” Additionally, the difference in MASQLOADER’s code structure compared to other tools such as RAILSETTER and RAILLOAD suggests that MASQLOADER’s development is separate from those toolsets”.
The most distinctive aspect of VARGEIT is its ability to support 10 different channels for C&, C communications over HTTP, TCP, UDP, ICMP, DNS, and Microsoft Outlook, the last of which leverages the to exchange commands in a predetermined format using the drafts folder of an attacker-managed mailbox.
Specifically, the message from the C&, C server is prepended with r_, while those from the backdoor are prefixed with p_. Among its wide range of functions is the extensive data collection and command execution, which makes it a potent malware in the threat actor’s arsenal.
” Earth Alux conducts several tests with RAILLOAD and RAILSETTER”, Trend Micro said. ” These include detection tests and attempts to find new hosts for DLL side-loading. DLL side-loading tests involve ZeroEye, an open source tool popular within the Chinese-speaking community, for scanning EXE files ‘ import tables for imported DLLs that can be abused for side-loading”.
The hacking group has also been found to utilize VirTest, another testing tool widely used by the Chinese-speaking community, to ensure that its tools are stealthy enough to maintain long-term access to target environments.
” Earth Alux represents a sophisticated and evolving cyberespionage threat, leveraging a diverse toolkit and advanced techniques to infiltrate and compromise a range of sectors, particularly in the APAC region and Latin America”, the researchers concluded. ” The group’s ongoing testing and development of its tools further indicate a commitment to refining its capabilities and evading detection”.