New Trend Micro research details the cyber espionage techniques of Earth Alux, a China-linked APT group whose attacks are putting critical industries at risk. These attacks, aimed at the APAC and Latin American regions, rely on powerful tools and techniques to remain hidden while stealing sensitive data. Left undetected, the group can maintain a foothold in the system and carry out long-term espionage; the prolonged collection and exfiltration of data could lead to far-reaching consequences, such as disrupted operations and financial losses.
Earth Alux actively launches cyber espionage attacks against the government, technology, logistics, manufacturing, telecommunications, IT services, and retail sectors. Trend Micro said the first sighting of its activity was in the second quarter of 2023, when it was mainly observed in the APAC region; around the middle of 2024, it was also spotted in Latin America. Earth Alux has also been observed conducting regular tests of some of its toolsets to ensure stealth and longevity in the target environment.
“To gain entry into the system, Earth Alux mostly exploits vulnerable services in exposed servers. It then implants web shells such as GODZILLA to facilitate the delivery of its backdoors,” Lenart Bermejo, Ted Lee, and Theo Chen, Trend Micro researchers, wrote in a blog post this week. “It has mainly utilized VARGEIT as its primary backdoor and control tool, along with COBEACON. VARGEIT is used as a first, second, and/or later-stage backdoor, while COBEACON is employed as a first-stage backdoor. This is distinguishable in the way VARGEIT is loaded: the first stage utilizes loading via a debugger script using cdb.exe, while later stages use DLL sideloading, which can include execution guardrails and timestomping techniques via the RAILLOAD (loader component) and RAILSETTER (installation and timestomping tool).”
They added that VARGEIT is also the chief method through which Earth Alux operates supplemental tools for various tasks, such as lateral movement and network discovery in a fileless manner. “Among its various backdoor functions is the ability to load tools directly from its command-and-control (C&C) server to a spawned process of mspaint. As such, several mspaint processes can be observed performing tasks for the backdoor, including network reconnaissance, collection, and exfiltration.”
Employing a variety of advanced tactics, techniques, and procedures (TTPs), Earth Alux primarily exploits vulnerable services in exposed servers to gain initial access and implant web shells such as GODZILLA, which then deliver its first-stage backdoors. Upon gaining control via the implanted web shell, Earth Alux installs a first-stage backdoor, either COBEACON or VARGEIT, through different loading methods.
COBEACON, a tool used by many threat actors, is also part of Earth Alux's toolkit. It is primarily used as a first-stage backdoor and is loaded either as an encrypted payload of the DLL side-loaded MASQLOADER or as shellcode via RSBINJECT.
MASQLOADER is the first observed method for executing COBEACON payloads and functions as a DLL side-loaded loader. It decrypts its payload using a substitution cipher in which the encrypted data consists of one- to three-character strings mapped to hex values via a substitution table. Later versions of MASQLOADER introduced an anti-API-hooking technique that overwrites the code section of ntdll.dll in memory with the original code from the file on disk, which strips any hooks that security tools monitoring API calls have placed there and lets the loader evade them.
“Our telemetry suggests MASQLOADER is also being used by other groups besides Earth Alux,” the researchers said. “Additionally, the difference in MASQLOADER’s code structure compared to other tools such as RAILSETTER and RAILLOAD suggests that MASQLOADER’s development is separate from those toolsets.”
The researchers found that another tool used by Earth Alux to load COBEACON is RSBINJECT, a Rust-based command-line shellcode loader. “It does not have decryption routines and loads the shellcodes directly. Instead, it has other features that help test the shellcode using optional flags and subcommands. While RSBINJECT has been observed in attacks, its functionality suggests that it also doubles as a testing tool for shellcodes. Like MASQLOADER, this tool is likely not exclusive to Earth Alux.”
VARGEIT’s backdoor capabilities include collecting system information, communicating over different channels, interacting with Windows Defender Firewall, collecting drive information, and collecting information on running processes. It can also get, set, search, create, and delete directories; read and write files; execute command lines; and inject miscellaneous tools into a controlled mspaint or conhost instance.
Attackers use the mspaint injection to execute additional tools fetched from the C&C server directly on the target machine without writing a file to disk. VARGEIT opens an instance of mspaint into which shellcode from the C&C server is injected.
Earth Alux also deploys an exfiltration tool using this method to exfiltrate the compressed file created during the collection stage. The exfiltrated data is sent to an attacker-controlled cloud storage bucket. Based on Trend Micro’s telemetry, Earth Alux has used the same cloud storage bucket to exfiltrate from different targets.
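As an added illustration (not Trend Micro's code), the following Python hunts constructed Sysmon-style events for two behaviours described above: mspaint.exe or conhost.exe initiating network connections, and cdb.exe being launched. The field names follow Sysmon's process-create and network-connection events; all paths, PIDs, command lines and addresses are made up.

```python
# Added example, not Trend Micro's code: hunt constructed Sysmon-style
# events for two behaviours described above, mspaint.exe/conhost.exe
# initiating network connections (VARGEIT injection hosts) and cdb.exe
# being launched (first-stage debugger-script loading). Field names mirror
# Sysmon EventID 1 (process create) / 3 (network); all values are made up.
from collections import defaultdict

INJECTION_HOSTS = {"mspaint.exe", "conhost.exe"}  # processes VARGEIT injects into
DEBUGGER_IMAGES = {"cdb.exe"}                      # loads the first stage

SAMPLE_EVENTS = [  # constructed; 203.0.113.0/24 is a documentation range
    {"EventID": 1, "ProcessId": 3312, "Image": r"C:\Windows\Temp\cdb.exe",
     "CommandLine": r"cdb.exe -cf C:\Users\Public\script.txt"},
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\mspaint.exe",
     "CommandLine": "mspaint.exe"},
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Windows\System32\mspaint.exe",
     "Initiated": True, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 4188, "Image": r"C:\Windows\System32\mspaint.exe",
     "Initiated": True, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 5000, "Image": r"C:\Program Files\App\app.exe",
     "Initiated": True, "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 612, "Image": r"C:\Windows\System32\conhost.exe",
     "Initiated": False, "DestinationIp": "203.0.113.30", "DestinationPort": 49152},
]

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()  # file name of a Windows image path

def hunt(events):
    """Return (rule, pid, image, detail) tuples for matching events."""
    findings = []
    for ev in events:
        name = image_name(ev["Image"])
        if ev["EventID"] == 1 and name in DEBUGGER_IMAGES:
            findings.append(("debugger-launch", ev["ProcessId"], name,
                             ev.get("CommandLine", "")))
        # Only outbound connections count: an inbound hit on conhost.exe
        # is not the injection pattern the report describes.
        elif ev["EventID"] == 3 and name in INJECTION_HOSTS and ev.get("Initiated"):
            findings.append(("lolbin-network", ev["ProcessId"], name,
                             f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'))
    return findings

def pids_by_image(findings):
    """Group flagged PIDs per image; several mspaint.exe PIDs is the reported pattern."""
    grouped = defaultdict(set)
    for _rule, pid, name, _detail in findings:
        grouped[name].add(pid)
    return dict(grouped)
```

Two distinct mspaint.exe PIDs reaching the same destination, alongside a cdb.exe launch, is the kind of cluster worth triaging rather than treating as separate low-severity alerts.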
“Earth Alux conducts several tests with RAILLOAD and RAILSETTER. These include detection tests and attempts to find new hosts for DLL side-loading,” the researchers said. “DLL side-loading tests involve ZeroEye, an open source tool popular within the Chinese-speaking community, for scanning EXE files’ import tables for imported DLLs that can be abused for side-loading.”
Earth Alux represents a highly sophisticated and evolving cyber espionage threat, utilizing a diverse array of tools and advanced techniques to infiltrate and compromise various sectors, particularly in the Asia-Pacific region and Latin America. Its strategic use of the VARGEIT backdoor, along with COBEACON and multiple loading methods, underscores a calculated approach to maintaining stealth and persistence within targeted environments.
The group’s continuous testing and development of its tools demonstrate a strong commitment to enhancing its capabilities and avoiding detection. Gaining a deep understanding of Earth Alux’s operational methods is essential for developing effective defenses and mitigating the risks posed by such advanced cyber threats.
To bolster protection against APT attacks, organizations should adopt a proactive security mindset and implement best practices such as periodically patching and updating the systems they use, since attackers exploit vulnerabilities to gain initial access. They should also monitor vigilantly for unusual activity, such as uncommonly heavy network traffic or reduced performance and speed, and leverage solutions that help them manage security holistically with comprehensive prevention, detection, and response capabilities.