New Cyber Espionage Campaign
Cybersecurity researchers have identified Earth Alux, a China-linked threat actor, targeting industries such as government, technology, logistics, telecommunications, and retail in the Asia-Pacific (APAC) and Latin America (LATAM) regions.
Attack Tactics & Malware Used
- Initial Access: Exploiting vulnerable web applications to deploy the Godzilla web shell and drop malware.
- Key Malware:
  - VARGEIT: A backdoor that loads tools via mspaint.exe for reconnaissance and lateral movement.
  - COBEACON: A first-stage backdoor, delivered via MASQLOADER or RSBINJECT, with anti-API-hooking capabilities.
- Evasion Techniques:
  - DLL Side-Loading: Using RAILLOAD to run encrypted payloads stealthily.
  - Timestomping & Persistence: RAILSETTER modifies timestamps and sets up scheduled tasks.
  - Multi-Channel C2 Communication: Uses HTTP, TCP, UDP, ICMP, DNS, and Microsoft Outlook’s Graph API for stealthy data exchange.
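The three host-side behaviours listed above (a signed binary such as mspaint.exe used as a DLL host, timestomped files, and scheduled-task persistence) each leave a telemetry footprint. The following Python is an added example, not code from the report or from any vendor; it runs simple triage heuristics over constructed, EDR-style events whose paths and names are assumptions, not indicators from the campaign.

```python
from datetime import datetime

# Constructed telemetry (not taken from the report): simplified image-load,
# file-metadata and process-creation events in the shape an EDR might emit.
EVENTS = [
    {"type": "image_load", "image": r"C:\Windows\System32\mspaint.exe",
     "dll": r"C:\Users\Public\render.dll"},
    {"type": "image_load", "image": r"C:\Windows\System32\mspaint.exe",
     "dll": r"C:\Windows\System32\gdi32.dll"},
    {"type": "file_info", "path": r"C:\ProgramData\cache\svc.dll",
     "created": "2024-01-10T08:00:00", "modified": "2019-03-02T11:15:00"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\mspaint.exe",
     "cmdline": "schtasks /create /tn Updater /sc minute /tr C:\\ProgramData\\cache\\run.exe"},
]

LOLBIN_HOSTS = {"mspaint.exe"}  # signed binaries abused as side-loading hosts (assumed list)
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TASK_CREATORS = {"explorer.exe", "services.exe", "mmc.exe", "svchost.exe"}  # assumed baseline

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def unusual_dll_host(ev):
    """Side-loading hint: a known host binary loading a DLL from outside the system directories."""
    return (ev["type"] == "image_load" and basename(ev["image"]) in LOLBIN_HOSTS
            and not ev["dll"].lower().startswith(TRUSTED_DLL_DIRS))

def timestomp_hint(ev):
    """Last-write earlier than creation. File copies look like this too, so this is triage, not a verdict."""
    if ev["type"] != "file_info":
        return False
    return datetime.fromisoformat(ev["modified"]) < datetime.fromisoformat(ev["created"])

def task_from_odd_parent(ev):
    """schtasks /create spawned by a parent that is not one of the usual task-creating processes."""
    return (ev["type"] == "process" and basename(ev["image"]) == "schtasks.exe"
            and "/create" in ev.get("cmdline", "").lower()
            and basename(ev.get("parent", "")) not in TASK_CREATORS)

RULES = {"dll_sideload_host": unusual_dll_host, "timestomp": timestomp_hint,
         "sched_task": task_from_odd_parent}

def find_alerts(events):
    """Return (rule_name, event) pairs for every event that trips a rule."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for name, ev in find_alerts(EVENTS):
        print(name, ev)
```

Each rule is low-fidelity on its own; the value is in correlating them on the same host within a short window, which is how the chain above would present in practice.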
Advanced Testing & Adaptation
Earth Alux leverages ZeroEye (to find DLL side-loading candidates) and VirTest (to test evasion against security products) to refine its attack methods and avoid detection.
Conclusion
Earth Alux is a highly advanced cyberespionage threat, continuously evolving its tactics to infiltrate APAC and LATAM organizations. Strengthening threat detection, endpoint security, and proactive monitoring is crucial for defense.