Full Report
New Trend Micro research detailed cyber espionage techniques of Earth Alux, a China-linked APT group, are putting critical... The post Trend Micro exposes Earth Alux Chinese APT targeting critical infrastructure in APAC, Latin America appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Earth Alux
## Attribution & Identity
China-linked nation-state actor specializing in cyber espionage.
## Activity Summary
First sighted in Q2 2023, initially focused on the APAC region. By mid-2024, expanded activities into Latin America. The primary goal is cyber espionage through the theft and exfiltration of sensitive data, leading to potential operational disruption and financial losses if undetected. The group actively conducts stealth and longevity testing on its toolsets.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting vulnerable services on exposed servers.
- **Staging:** Implanting web shells, such as **GODZILLA**, to deliver first-stage backdoors.
- **Backdoor Deployment:** Utilizing **VARGEIT** (primary backdoor) and **COBEACON** (first-stage backdoor).
- **VARGEIT Loading:** Primary loading involves the use of a debugger script leveraging `cdb.exe`. Later stages use DLL sideloading techniques enhanced by **RAILLOAD** (loader component) and **RAILSETTER** (installation and timestomping tool).
- **Fileless Operations:** VARGEIT loads supplemental tools filelessly for lateral movement and network discovery.
- **C2 Communication/Execution:** Injecting tools directly into a spawned `mspaint` process for tasks like network reconnaissance, collection, and exfiltration.
- **COBEACON Loading:** Loaded either as an encrypted payload via the DLL side-loaded loader **MASQLOADER** or via shellcode using **RSBINJECT**.
- **MASQLOADER Evasion:** Employs an anti-API hooking technique by overwriting the code section of `ntdll.dll` in memory with the original file content. Decrypts payloads using a substitution cipher.
- **Data Exfiltration:** Compressing collected data and exfiltrating it to attacker-controlled cloud storage buckets.
- **Reconnaissance/Testing:** Uses the open-source tool **ZeroEye** to scan EXE files' import tables for DLLs suitable for side-loading.
## Targeting
- **Sectors:** Government, technology, logistics, manufacturing, telecommunications, IT services, and retail sectors. **Critical industries** are specifically highlighted as being at risk.
- **Geography:** Asia-Pacific (APAC) and Latin America.
- **Victims:** No specific organizations were named in the description provided.
## Tools & Infrastructure
- **Malware Families:**
  - **Backdoors:** VARGEIT, COBEACON
  - **Web Shells:** GODZILLA
  - **Loaders/Installers:** RAILLOAD, RAILSETTER, MASQLOADER, RSBINJECT
  - **Auxiliary Tools:** ZeroEye (for side-loading assessment)
- **Infrastructure:** Attacker-controlled cloud storage buckets (used for exfiltration).
- **URLs/IPs:** None explicitly detailed in a defangable format in the source material.
## Implications
Earth Alux presents a highly sophisticated and evolving cyber espionage threat. Their calculated use of multiple custom backdoors (VARGEIT) alongside commodity tools (COBEACON), combined with advanced stealth techniques like DLL sideloading and fileless execution via process injection (`mspaint`), allows for long-term persistence and extensive data exfiltration from critical infrastructure organizations.
## Mitigations
- Implement periodic patching and updating of systems to close initial access vulnerabilities (exploitable services).
- Employ vigilant security monitoring to detect unusual system performance degradation or out-of-the-ordinary network activity.
- Utilize comprehensive security solutions that provide proactive prevention, detection, and response capabilities designed to counter advanced persistent threats.
- Monitor for suspicious DLL sideloading attempts and unusual process injection activities targeting standard system processes like `mspaint`.
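The three loading and execution patterns described above (a `cdb.exe` debugger script, a system-named DLL loaded from the host executable's own directory, and remote thread creation in `mspaint`) can be expressed as simple detection rules. The following is an added example, not code from the Trend Micro report; it runs over constructed Sysmon-style events (hypothetical sample data, with event IDs and field names following Sysmon's ProcessCreate, ImageLoad and CreateRemoteThread events), and the list of side-loading candidate DLL names is illustrative, not exhaustive.

```python
"""Detection sketch for the loading/injection tradecraft summarised above.
Constructed Sysmon-style events: EventID 1 = ProcessCreate, 7 = ImageLoad,
8 = CreateRemoteThread. Sample data is hypothetical, not from the report."""
import ntpath

SAMPLE_EVENTS = [  # constructed sample events
    {"EventID": 1, "Image": r"C:\Program Files\Windows Kits\10\Debuggers\x64\cdb.exe",
     "CommandLine": r"cdb.exe -cf C:\Users\Public\stage.wds notepad.exe"},
    {"EventID": 7, "Image": r"C:\ProgramData\update\svc.exe",
     "ImageLoaded": r"C:\ProgramData\update\version.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 8, "SourceImage": r"C:\ProgramData\update\svc.exe",
     "TargetImage": r"C:\Windows\System32\mspaint.exe"},
]

# Illustrative (assumed, not exhaustive) names of DLLs that normally reside
# in System32 and are frequently abused for side-loading.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def is_system_path(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def detect(event):
    """Return a finding string for one event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 1 and ntpath.basename(event["Image"]).lower() == "cdb.exe":
        cmd = event.get("CommandLine", "").lower()
        # -c / -cf hand cdb a command string or script file at start-up.
        if " -cf " in cmd or " -c " in cmd:
            return "cdb.exe started with a debugger script (possible VARGEIT loader)"
    if eid == 7:
        dll = event["ImageLoaded"]
        name = ntpath.basename(dll).lower()
        # Side-loading pattern: a System32-resident DLL name loaded from the
        # host EXE's own directory instead of a system directory.
        same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(event["Image"]).lower()
        if name in SYSTEM_DLL_NAMES and not is_system_path(dll) and same_dir:
            return f"possible DLL side-loading: {name} loaded from {ntpath.dirname(dll)}"
    if eid == 8 and ntpath.basename(event["TargetImage"]).lower() == "mspaint.exe":
        return f"remote thread created in mspaint.exe by {event['SourceImage']}"
    return None


def run_detections(events):
    """Apply detect() to every event and return the non-empty findings."""
    return [f for f in (detect(e) for e in events) if f]
```

The third sample event (explorer.exe loading `version.dll` from System32) is the benign control case and produces no finding.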