Trend Micro Research threat analysts released a report shedding some light on tactics and techniques used by a China-linked cyberespionage outfit they track as Earth Alux.
Initially detected in the second quarter of 2023 in the Asia-Pacific (APAC) region, Earth Alux's operations have expanded globally, with notable activity in Latin America by mid-2024. The group's primary targets include government entities, technology firms, logistics, manufacturing, telecommunications, IT services, and retail sectors.
Earth Alux’s modus operandi involves exploiting vulnerabilities in exposed servers to gain initial access. Once inside, the group deploys web shells such as GODZILLA, which are used to load various backdoors, including Earth Alux’s primary backdoor VARGEIT and the COBEACON malware. VARGEIT is typically used as a secondary backdoor after COBEACON establishes the initial foothold.
What sets Earth Alux apart is its use of multiple advanced techniques to maintain a stealthy presence within targeted networks. VARGEIT is loaded by a debugger script executed with cdb.exe, a legitimate command-line debugger.
Later-stage infections employ DLL sideloading through components such as RAILLOAD and RAILSETTER, which establish persistence and evade detection, letting the threat actors execute commands while remaining undetected on the compromised systems.
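The two loader techniques above (a debugger script run through cdb.exe, and DLL sideloading) both leave a recognisable trace in endpoint process-creation and image-load telemetry. The following script is an added example, not Trend Micro's code and not from the report: it runs two hunt heuristics over constructed Sysmon-style events, flagging cdb.exe when it is driven by a `-c`/`-cf` script or runs from outside its normal install directory, and flagging a core-named DLL that resolves from somewhere other than the Windows system directories. The watched DLL names and the debugger install paths are assumptions chosen for the example and should be replaced with a baseline from your own environment.

```python
import re
from pathlib import PureWindowsPath

# Where Windows keeps its own copies of core DLLs. A DLL with one of the watched
# names loading from anywhere else is the classic sideloading signal.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed watch-list of DLL names that sideloaded payloads often impersonate
# (an assumption for this example; tune it from your own image-load baseline).
WATCHED_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll"}

# Where the Windows SDK / Debugging Tools normally install cdb.exe (assumed paths).
DEBUGGER_DIRS = {
    r"c:\program files (x86)\windows kits\10\debuggers\x64",
    r"c:\program files (x86)\windows kits\10\debuggers\x86",
}


def _norm(path):
    """Lower-case a Windows path so comparisons are case-insensitive."""
    return str(PureWindowsPath(path)).lower()


def _parent(path):
    """Lower-cased directory part of a Windows path."""
    return _norm(PureWindowsPath(path).parent)


def flag_cdb_script_load(event):
    """Process-create event (EventID 1): cdb.exe driven by a script file (-cf)
    or an inline command (-c), or running from outside its install directory."""
    if event.get("EventID") != 1:
        return None
    image = _norm(event["Image"])
    if PureWindowsPath(image).name != "cdb.exe":
        return None
    reasons = []
    if re.search(r"(^|\s)-cf?\s", event.get("CommandLine", "").lower()):
        reasons.append("cdb.exe launched with a -c/-cf script or command")
    if _parent(image) not in DEBUGGER_DIRS:
        reasons.append(f"cdb.exe running from {_parent(image)}")
    return ("cdb-script-load", "; ".join(reasons)) if reasons else None


def flag_dll_sideload(event):
    """Image-load event (EventID 7): a watched DLL name resolved from a
    directory other than the Windows system directories."""
    if event.get("EventID") != 7:
        return None
    loaded = _norm(event["ImageLoaded"])
    name = PureWindowsPath(loaded).name
    if name not in WATCHED_DLLS or _parent(loaded) in SYSTEM_DIRS:
        return None
    return ("dll-sideload", f"{name} loaded from {_parent(loaded)} by {event['Image']}")


def hunt(events):
    """Run both heuristics over a list of events and return (technique, reason) findings."""
    findings = []
    for ev in events:
        for check in (flag_cdb_script_load, flag_dll_sideload):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry for the example; not taken from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\cdb.exe",
     "CommandLine": r'"C:\Users\Public\cdb.exe" -cf C:\Users\Public\script.txt'},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "CommandLine": r'"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe" -z C:\dumps\app.dmp'},
    {"EventID": 7, "Image": r"C:\ProgramData\Update\signed_tool.exe",
     "ImageLoaded": r"C:\ProgramData\Update\version.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
]

if __name__ == "__main__":
    for technique, reason in hunt(SAMPLE_EVENTS):
        print(f"[{technique}] {reason}")
```

On the sample events the first and third are flagged; the developer opening a crash dump with `cdb.exe -z` from the SDK directory and explorer.exe loading version.dll from System32 are left alone. In practice the image-load rule should also compare the loading binary's signer against the DLL's, since a sideloaded DLL sitting next to a legitimately signed executable is the shape both RAILLOAD and RAILSETTER are described as taking.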