China-linked Earth Alux uses VARGEIT and COBEACON in multi-stage cyber intrusions

April 1, 2025

Multi-stage cyber intrusion

Cybersecurity researchers are shedding light on a new China-linked threat actor called Earth Alux, which targets a variety of key sectors, including government, technology, logistics, manufacturing, telecommunications, IT services, and retail, in the Asia-Pacific (APAC) and Latin America (LATAM) regions.

“The first sighting of that activity was in the second quarter of 2023. At the time, it was mainly observed in the APAC region,” Trend Micro researchers Lenart Bermejo, Ted Lee, and Theo Chen said in a technical report released Monday. “It was discovered in Latin America around mid-2024.”

The hostile collective's main targets span countries such as Thailand, the Philippines, Malaysia, Taiwan, and Brazil.

The infection chain starts with the exploitation of vulnerable services in internet-exposed web applications, which are then used to drop the Godzilla web shell. The web shell facilitates the deployment of additional payloads, including the backdoors known as VARGEIT and COBEACON (a Cobalt Strike Beacon).

VARGEIT provides the ability to load tools directly from a command-and-control (C&C) server into newly spawned Microsoft Paint (“mspaint.exe”) processes, facilitating reconnaissance, collection, and exfiltration.

“VARGEIT is also the primary way Earth Alux operates supplementary tools for a variety of tasks, such as lateral movement and network discovery,” the researchers said.

A point worth mentioning here is that VARGEIT is used as the first, second, or later-stage backdoor, while COBEACON is employed only as a first-stage backdoor. The latter is launched by means of a loader dubbed MASQLOADER, or via RSBINJECT, a Rust-based command-line shellcode loader.

Subsequent iterations of MASQLOADER have also been observed overwriting the NTDLL.dll API hooks that security products insert to monitor for suspicious behaviour in Windows processes, allowing the loader and the payload embedded within it to fly under the radar.
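The defender's counterpart to the hook-overwriting described above is an integrity check: compare the prologue bytes of the ntdll exports a sensor hooks against what is actually in the process's memory, and report whether the hook is still there, has been restored to the on-disk bytes, or has been replaced with something else. The block below is an added example, not MASQLOADER or Trend Micro code. It works purely on constructed byte strings: the "on-disk" syscall stubs, their syscall numbers, the hook target, and the set of monitored exports are all assumptions, and nothing here reads a live process.

```python
"""Audit user-mode hooks on ntdll exports: intact, removed, or replaced.

Added example with constructed data. ON_DISK / IN_MEMORY stand in for bytes
that a real check would read from ntdll.dll on disk and from the target
process; the syscall numbers and hook offsets below are made up.
"""

# Exports an EDR sensor is assumed to hook (assumption, not from the report).
MONITORED = {"NtAllocateVirtualMemory", "NtProtectVirtualMemory"}


def stub(ssn: int) -> bytes:
    """x64 syscall stub prologue as found on disk: mov r10, rcx ; mov eax, <ssn>."""
    return bytes.fromhex("4c8bd1b8") + ssn.to_bytes(4, "little")


def jmp_hook(rel32: int) -> bytes:
    """An inline 'jmp rel32' (E9) hook padded with NOPs to the prologue length."""
    return b"\xe9" + rel32.to_bytes(4, "little", signed=True) + b"\x90\x90\x90"


# Constructed "clean copy from disk" (syscall numbers are invented).
ON_DISK = {
    "NtAllocateVirtualMemory": stub(0x18),
    "NtProtectVirtualMemory": stub(0x50),
    "NtWriteVirtualMemory": stub(0x3A),
}

# Constructed "snapshot from the process": one hook intact, one hook
# overwritten with the original bytes, one export never hooked.
IN_MEMORY = {
    "NtAllocateVirtualMemory": jmp_hook(0x1234567),
    "NtProtectVirtualMemory": stub(0x50),
    "NtWriteVirtualMemory": stub(0x3A),
}


def looks_like_jmp(prologue: bytes) -> bool:
    """True for the two common inline-hook shapes: jmp rel32 or jmp [rip+disp32]."""
    return prologue[:1] == b"\xe9" or prologue[:2] == b"\xff\x25"


def classify(name: str, disk: bytes, mem: bytes) -> str:
    """Compare one export's in-memory prologue with its on-disk bytes."""
    monitored = name in MONITORED
    if mem == disk:
        # Memory matches disk: fine for an unmonitored export, but for a
        # monitored one it means the sensor's hook has been overwritten.
        return "hook_removed" if monitored else "clean"
    if looks_like_jmp(mem):
        return "hook_intact" if monitored else "unexpected_hook"
    return "unknown_patch"


def audit(disk=ON_DISK, mem=IN_MEMORY) -> dict:
    """Return {export: status} for every export present in the on-disk map."""
    return {name: classify(name, disk[name], mem[name]) for name in disk}


if __name__ == "__main__":
    for export, status in audit().items():
        print(f"{export:28s} {status}")
```

A real sensor would read the bytes with its own driver or a protected process rather than trusting the target, since a loader that can restore ntdll can also lie about it; the point of the check is the "hook_removed" state, which is exactly what a MASQLOADER-style overwrite produces.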

Execution of VARGEIT leads to the deployment of further tools, such as RAILLOAD, a loader component that is run via DLL side-loading and used to execute an encrypted payload stored in another folder.

The second payload is a persistence and timestomping module called RAILSETTER, which creates a scheduled task that launches RAILLOAD and also modifies the timestamps associated with the RAILLOAD artifacts on the compromised host.
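Timestomping of the kind attributed to RAILSETTER changes the $STANDARD_INFORMATION timestamps a user-mode API can set, but not the $FILE_NAME timestamps the kernel maintains, so the two can be compared. The block below is an added example, not RAILSETTER, RAILLOAD, or Trend Micro code: it runs two classic checks over constructed MFT-style records and then correlates the hits with scheduled-task actions. The file paths, task names, timestamps, and the simplified record layout are all invented for illustration; a real run would feed it records parsed from $MFT and task definitions from the Task Scheduler XML or Event ID 4698.

```python
"""Timestomping triage plus scheduled-task correlation over constructed records.

Added example with made-up data. MftRecord is a simplified view of the two
NTFS timestamp sets; real $MFT parsing is out of scope here.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


def _t(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC (helper for the constructed data)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class MftRecord:
    path: str
    si_created: datetime    # $STANDARD_INFORMATION, settable via SetFileTime
    si_modified: datetime
    fn_created: datetime    # $FILE_NAME, kernel-maintained, rarely forged
    fn_modified: datetime


def timestomp_indicators(rec: MftRecord) -> list:
    """Return the names of the timestomping heuristics that fire for one record."""
    hits = []
    # 1. A file cannot be created ($SI) before its name entry was written ($FN).
    if rec.si_created < rec.fn_created:
        hits.append("si_created_before_fn_created")
    # 2. Tools that set whole-second times leave $SI with a zero fractional part
    #    while $FN keeps the fine-grained value the kernel wrote.
    si_whole = rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0
    fn_fine = rec.fn_created.microsecond != 0 or rec.fn_modified.microsecond != 0
    if si_whole and fn_fine:
        hits.append("si_subsecond_zeroed")
    return hits


def _parent_dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def suspicious_tasks(tasks: list, records: list) -> list:
    """Flag (task_name, action_path, stomped_files) where the task's action
    binary lives in a directory that also holds a timestomped file."""
    stomped_by_dir = {}
    for rec in records:
        if timestomp_indicators(rec):
            stomped_by_dir.setdefault(_parent_dir(rec.path), []).append(rec.path)
    out = []
    for name, action in tasks:
        files = stomped_by_dir.get(_parent_dir(action))
        if files:
            out.append((name, action, files))
    return out


# Constructed sample: the Vendor directory has two files whose $SI dates were
# pushed back to 2022 while $FN still shows the 2024 drop; notepad.exe is clean.
SAMPLE_RECORDS = [
    MftRecord(r"C:\ProgramData\Vendor\app.exe",
              _t("2022-03-10T08:15:00"), _t("2022-03-10T08:15:00"),
              _t("2024-06-01T10:02:13.417732"), _t("2024-06-01T10:02:13.417732")),
    MftRecord(r"C:\ProgramData\Vendor\helper.dll",
              _t("2022-03-10T08:15:00"), _t("2022-03-10T08:15:00"),
              _t("2024-06-01T10:02:14.901115"), _t("2024-06-01T10:02:14.901115")),
    MftRecord(r"C:\Windows\System32\notepad.exe",
              _t("2023-11-05T04:20:31.551027"), _t("2023-11-05T04:20:31.551027"),
              _t("2023-11-05T04:20:31.551027"), _t("2023-11-05T04:20:31.551027")),
]

# Constructed task list: (task name, action path).
SAMPLE_TASKS = [
    ("\\Vendor\\Updater", r"C:\ProgramData\Vendor\app.exe"),
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", r"C:\Windows\System32\defrag.exe"),
]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.path, timestomp_indicators(rec))
    for name, action, files in suspicious_tasks(SAMPLE_TASKS, SAMPLE_RECORDS):
        print(f"task {name} -> {action}; stomped neighbours: {files}")
```

Neither heuristic is proof on its own (file copies and some installers also produce odd $SI/$FN relations), which is why the example only escalates when a persistence mechanism points into the same directory.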

VARGEIT and controller interaction

“MASQLOADER is also used by groups other than Earth Alux,” Trend Micro said. “In addition, the difference in the code structure of MASQLOADER compared to other tools such as RAILSETTER and RAILLOAD suggests that MASQLOADER development is separate from those toolsets.”

The most distinctive aspect of VARGEIT is its support for 10 different C&C communication channels over HTTP, TCP, UDP, ICMP, DNS, and Microsoft Outlook. The last of these uses the Graph API to exchange commands in a predetermined format through the draft folder of an attacker-controlled mailbox.

Specifically, messages from the C&C server are prefixed with R_, while messages from the backdoor are marked with P_. Among its wide range of features are extensive data collection and command execution, making it a powerful piece of malware in the threat actor's arsenal.
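To make the draft-folder channel concrete, the block below is an added example that simulates the exchange described above from both sides and then runs a simple detection over the resulting mailbox activity. It is not VARGEIT or Trend Micro code and makes no network calls: the in-memory DraftFolder class stands in for the Graph API drafts endpoint, the task IDs, draft IDs, commands, and "results" are constructed, and the backdoor side only answers from a fixed lookup table rather than executing anything. The only details taken from the report are the R_ and P_ subject prefixes and the use of drafts as the transport.

```python
"""Simulated Outlook draft-folder C2 exchange plus a churn-based detector.

Added example. DraftFolder imitates /me/mailFolders/drafts in memory and
records an audit trail similar to what a mailbox audit log would show.
"""
import re
from dataclasses import dataclass

C2_PREFIX, BOT_PREFIX = "R_", "P_"   # server->backdoor, backdoor->server


@dataclass
class Draft:
    id: str
    subject: str
    body: str


class DraftFolder:
    """In-memory stand-in for the Graph API drafts folder (no network)."""

    def __init__(self):
        self._items = {}
        self._counter = 0
        self.audit = []          # (operation, subject) pairs, like an audit log

    def create(self, subject: str, body: str) -> str:
        self._counter += 1
        draft_id = f"AAMk{self._counter:04d}"      # constructed draft ID format
        self._items[draft_id] = Draft(draft_id, subject, body)
        self.audit.append(("Create", subject))
        return draft_id

    def list_with_prefix(self, prefix: str) -> list:
        return [d for d in self._items.values() if d.subject.startswith(prefix)]

    def delete(self, draft_id: str) -> None:
        draft = self._items.pop(draft_id)
        self.audit.append(("HardDelete", draft.subject))


# Operator side: queue a task as a draft whose subject is R_<task_id>.
def operator_queue_task(folder: DraftFolder, task_id: str, command: str) -> str:
    return folder.create(f"{C2_PREFIX}{task_id}", command)


# Backdoor side: no real execution here, just a lookup of constructed answers.
FAKE_RESULTS = {"whoami": "corp\\svc-web", "hostname": "WEB01"}


def backdoor_poll(folder: DraftFolder) -> list:
    """Answer every R_ draft with a P_ draft and remove the consumed task."""
    handled = []
    for task in folder.list_with_prefix(C2_PREFIX):
        task_id = task.subject[len(C2_PREFIX):]
        result = FAKE_RESULTS.get(task.body.strip(), f"unknown command: {task.body!r}")
        folder.create(f"{BOT_PREFIX}{task_id}", result)
        folder.delete(task.id)
        handled.append(task_id)
    return handled


def operator_collect(folder: DraftFolder) -> dict:
    """Read and remove all P_ drafts, returning {task_id: result}."""
    results = {}
    for reply in folder.list_with_prefix(BOT_PREFIX):
        results[reply.subject[len(BOT_PREFIX):]] = reply.body
        folder.delete(reply.id)
    return results


# Detection side: drafts with machine-looking prefixed subjects that are
# created and hard-deleted in quick succession, never sent.
SUBJECT_RE = re.compile(r"^[RP]_\w+$")


def flag_draft_c2(audit: list, min_events: int = 4) -> dict:
    prefixed = sorted({s for _, s in audit if SUBJECT_RE.match(s)})
    churn = sum(1 for op, s in audit
                if op in ("Create", "HardDelete") and SUBJECT_RE.match(s))
    return {"prefixed_subjects": prefixed, "churn_events": churn,
            "suspicious": churn >= min_events}


def run_exchange():
    """Drive one full round trip and return (results, detection verdict)."""
    folder = DraftFolder()
    operator_queue_task(folder, "0001", "whoami")
    operator_queue_task(folder, "0002", "hostname")
    backdoor_poll(folder)
    results = operator_collect(folder)
    return results, flag_draft_c2(folder.audit)


if __name__ == "__main__":
    results, verdict = run_exchange()
    print(results)
    print(verdict)
```

The detector keys on the transport rather than the payload: whatever the commands are, a mailbox whose drafts are created and hard-deleted by a non-interactive client without ever being sent is worth a look, and the subject-prefix pattern is the cheap first filter.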

“Earth Alux has done some testing on RAILLOAD and RAILSETTER,” Trend Micro said. “These include detection tests and attempts to find new hosts for DLL side-loading. DLL side-loading tests include ZeroEye, a popular open-source tool within the Chinese-speaking community.”

The hacking group has also been found to utilize VirTest, another testing tool widely used by the Chinese-speaking community, to ensure that its tooling remains in sufficient condition to maintain long-term access to the target environment.

“Earth Alux represents a sophisticated and evolving cyber espionage threat, leveraging a diverse range of toolkits and advanced techniques to infiltrate and compromise organizations across different sectors, particularly in the APAC region and Latin America,” the researchers concluded. “The group's continuous testing and development of its tools further demonstrates its commitment to improving its capabilities and avoiding detection.”
