Full Report
Cybersecurity researchers have shed light on a new China-linked threat actor called Earth Alux that has targeted various key sectors such as government, technology, logistics, manufacturing, telecommunications, IT services, and retail in the Asia-Pacific (APAC) and Latin American (LATAM) regions. "The first sighting of its activity was in the second quarter of 2023; back then, it was
Analysis Summary
# Threat Actor: Earth Alux
## Attribution & Identity
China-linked threat actor. First observed in Q2 2023, initially focused on the APAC region, expanding to Latin America by mid-2024.
## Activity Summary
Earth Alux utilizes multi-stage cyber intrusions, primarily beginning with the exploitation of vulnerable services in internet-exposed web applications. Their historical activity shows a focus on cyber espionage.
## Tactics, Techniques & Procedures
- Initial access via exploitation of vulnerable internet-exposed web applications.
- Deployment of the Godzilla web shell.
- Use of multiple backdoors, including VARGEIT and COBEACON (Cobalt Strike Beacon).
- COBEACON is deployed via the MASQLOADER loader or the RSBINJECT shellcode loader.
- MASQLOADER implements anti-API hooking techniques by overwriting NTDLL.dll hooks to evade security detection.
- VARGEIT is used to load supplemental tools filelessly for reconnaissance, collection, lateral movement, and network discovery.
- VARGEIT supports communication over 10 channels, including HTTP, TCP, UDP, ICMP, DNS, and Microsoft Outlook (leveraging Graph API via the drafts folder).
- Deployment of RAILLOAD, executed via DLL side-loading.
- Deployment of RAILSETTER, a persistence and timestomping module that alters timestamps of RAILLOAD artifacts and creates a scheduled task to launch RAILLOAD.
- Detection testing using the open-source tool ZeroEye (popular in the Chinese-speaking community) to scan EXE files for DLLs that can be abused for side-loading.
- Use of VirTest (a tool widely used by the Chinese-speaking community) to ensure tool stealth.
## Targeting
- Sectors: Government, technology, logistics, manufacturing, telecommunications, IT services, and retail.
- Geography: Asia-Pacific (APAC) and Latin American (LATAM) regions. The primary target countries named are Thailand, the Philippines, Malaysia, Taiwan, and Brazil.
- Victims: Not specifically named, but entities within the mentioned sectors and geographies.
## Tools & Infrastructure
- Malware families used: Godzilla (web shell), VARGEIT (backdoor), COBEACON (Cobalt Strike Beacon, used as a first-stage backdoor), MASQLOADER (loader), RSBINJECT (Rust-based shellcode loader), RAILLOAD (loader component), RAILSETTER (persistence/timestomping module).
- Infrastructure (C2, domains, IPs): C&C communication relies on 10 channels, including the Microsoft Graph API for Outlook-based communication. No specific C&C IPs or domains are given in the source text.
## Implications
Earth Alux is assessed as a sophisticated and evolving cyberespionage threat committed to refining its capabilities and evading detection, posing a persistent risk, especially across APAC and LATAM. Its use of fileless tooling (VARGEIT) and evasion methods (anti-API hooking, DLL side-loading testing) indicates a strong operational security focus.
## Mitigations
Defend against the common initial access vector by ensuring internet-exposed web applications are patched against known vulnerabilities. Implement robust network monitoring to detect unusual C&C traffic across diverse protocols (HTTP, TCP, UDP, ICMP, and DNS). Deploy security tools capable of detecting fileless execution and anti-API hooking in memory. Monitor for suspicious scheduled task creation and modification. Consider defenses against DLL side-loading abuse.
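As an added defender-side example (not code from the original report), the RAILSETTER behaviour described above, timestomping of loader artifacts plus a scheduled task that launches them, can be surfaced by comparing NTFS $STANDARD_INFORMATION (SI) and $FILE_NAME (FN) creation timestamps and correlating hits with scheduled-task actions. The file and task records below are constructed sample data; the paths and task names are assumptions, not indicators from the report.

```python
from datetime import datetime
import ntpath

# Constructed sample records: SI/FN creation times as exported from an MFT parser.
# helper.dll is the hypothetical side-loaded artifact; app.exe the legitimate host.
SAMPLE_FILES = [
    {"path": r"C:\Program Files\Vendor\app.exe",
     "si_created": "2021-03-04T10:15:22.1234567", "fn_created": "2021-03-04T10:15:22.1234567"},
    {"path": r"C:\Program Files\Vendor\helper.dll",
     "si_created": "2019-06-01T00:00:00.0000000", "fn_created": "2024-08-12T14:03:51.9876543"},
]
SAMPLE_TASKS = [  # constructed scheduled-task entries (name, action executable)
    {"name": "VendorUpdater", "action": r"C:\Program Files\Vendor\app.exe"},
    {"name": "Telemetry", "action": r"C:\Windows\System32\svchost.exe"},
]

def parse_ntfs_ts(ts: str):
    """Return (datetime truncated to microseconds, 100ns fraction as int)."""
    base, _, frac = ts.partition(".")
    frac = (frac + "0000000")[:7]            # NTFS keeps 100ns resolution
    dt = datetime.fromisoformat(base).replace(microsecond=int(frac[:6]))
    return dt, int(frac)

def flag_timestomped(files):
    """Heuristics: SI backdated before FN, or SI fraction exactly zero
    (SetFileTime-style tools usually write whole seconds; FN is rarely rewritten)."""
    findings = []
    for f in files:
        si_dt, si_frac = parse_ntfs_ts(f["si_created"])
        fn_dt, _ = parse_ntfs_ts(f["fn_created"])
        reasons = []
        if si_dt < fn_dt:
            reasons.append("SI creation predates FN creation")
        if si_frac == 0:
            reasons.append("SI creation has zero sub-second fraction")
        if reasons:
            findings.append((f["path"], reasons))
    return findings

def tasks_touching_flagged(tasks, findings):
    """Scheduled tasks whose action lives in a directory holding a flagged file:
    a side-loading task launches the clean EXE, which then loads the DLL beside it."""
    flagged_dirs = {ntpath.dirname(p).lower() for p, _ in findings}
    return [(t["name"], t["action"]) for t in tasks
            if ntpath.dirname(t["action"]).lower() in flagged_dirs]

if __name__ == "__main__":
    hits = flag_timestomped(SAMPLE_FILES)
    for path, reasons in hits:
        print(f"[timestomp] {path}: {'; '.join(reasons)}")
    for name, action in tasks_touching_flagged(SAMPLE_TASKS, hits):
        print(f"[task] {name} -> {action}")
```

The zero-fraction check alone also fires on files copied by some installers, so treat the combination of both heuristics plus a correlated task as the stronger signal.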