
VARGEIT and controller interaction | Image: Trend Micro
Researchers at Trend Micro detail a highly sophisticated cyber-espionage group actively targeting the Asia-Pacific and Latin American regions. Known as Earth Alux, this China-linked APT group leverages an intricate arsenal of tools including VARGEIT, COBEACON, and a host of custom loaders and persistence mechanisms that demonstrate its deep understanding of Windows internals and evasion tactics.
“Left undetected, the attack can maintain a foothold in the system and carry out cyberespionage,” the report warns, highlighting the long-term risks of data theft and operational disruption.
Earth Alux has cast a wide net across strategic sectors including:
- Government
- Telecommunications
- Technology
- Logistics
- Manufacturing
- IT Services
- Retail
First detected in Q2 2023 in Thailand, Malaysia, Taiwan, and the Philippines, the campaign expanded to Brazil and Latin America by mid-2024. The group’s activities reflect a strategic focus on high-value and sensitive information across different industries.
The group’s primary tool is the multi-stage VARGEIT backdoor, capable of:
- Executing remote shell commands
- Loading fileless tools into trusted Windows processes
- Performing lateral movement
- Using the Microsoft Graph API to run a covert C2 channel through Outlook mailboxes
Meanwhile, COBEACON, another first-stage backdoor, is deployed via MASQLOADER or RSBINJECT, allowing Earth Alux to stealthily decrypt and launch encrypted payloads.
“VARGEIT is used as a first, second, and/or later-stage backdoor, while COBEACON is employed as a first-stage backdoor.”
VARGEIT deployment follows a layered strategy:
- First stage: Injected via a renamed copy of cdb.exe (the legitimate Windows debugger) masquerading as fontdrvhost.exe
- Second stage: Loaded via RAILLOAD (a DLL sideloader) with configurations stored in encrypted files or the registry
- Persistence: Achieved using RAILSETTER, a timestomping and task-scheduling utility
“RAILSETTER is a persistence installer… designed to work with RAILLOAD. It timestomps and schedules tasks to ensure stealth.”
VARGEIT uses mspaint.exe as a host process to execute shellcode and inject additional tools. It can:
- Spawn multiple instances of MSPaint for separate espionage tasks
- Use anonymous pipes and named pipes for command output and interactive tools
- Execute reconnaissance, data compression, and exfiltration—all filelessly
“VARGEIT opens an instance of mspaint where a shellcode from the C&C server is to be injected,” Trend Research reveals.
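The deployment chain above (a renamed cdb.exe posing as fontdrvhost.exe, RAILSETTER timestomping, mspaint.exe used as an injection host) lends itself to a few host-based hunts. The following Python is an added example written for this article, not Trend Micro's code or detection content; the event and MFT records are constructed for the example, the Sysmon field names (Image, OriginalFileName, ParentImage, PipeName) are real, and the choice of which Paint parents count as benign is an assumption you should tune to your estate.

```python
import os
from collections import Counter
from datetime import datetime

# Constructed Sysmon-style events (values invented for this example).
# EventID 1 = process create, EventID 17 = named pipe created.
EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Users\Public\fontdrvhost.exe",
     "OriginalFileName": "CDB.Exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 812, "Image": r"C:\Windows\System32\fontdrvhost.exe",
     "OriginalFileName": "fontdrvhost.exe", "ParentImage": r"C:\Windows\System32\winlogon.exe"},
    {"EventID": 1, "ProcessId": 5300, "Image": r"C:\Windows\System32\mspaint.exe",
     "OriginalFileName": "MSPAINT.EXE", "ParentImage": r"C:\Users\Public\fontdrvhost.exe"},
    {"EventID": 1, "ProcessId": 5312, "Image": r"C:\Windows\System32\mspaint.exe",
     "OriginalFileName": "MSPAINT.EXE", "ParentImage": r"C:\Users\Public\fontdrvhost.exe"},
    {"EventID": 1, "ProcessId": 6001, "Image": r"C:\Windows\System32\mspaint.exe",
     "OriginalFileName": "MSPAINT.EXE", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 17, "ProcessId": 5300, "Image": r"C:\Windows\System32\mspaint.exe",
     "PipeName": r"\x7f3a9c"},
]

# Constructed MFT-style records. $STANDARD_INFORMATION (si_*) is what a
# SetFileTime-style timestomp rewrites; $FILE_NAME (fn_*) is kernel-owned and
# keeps the real creation time.
MFT_RECORDS = [
    {"Path": r"C:\Users\Public\fontdrvhost.exe",
     "si_created": "2019-03-02T11:00:00", "fn_created": "2024-06-14T09:12:03"},
    {"Path": r"C:\Users\Public\notes.txt",
     "si_created": "2024-06-14T09:15:40", "fn_created": "2024-06-14T09:15:40"},
]

SYSTEM32 = r"c:\windows\system32"
# Assumption: parents from which an interactive Paint launch is expected.
BENIGN_PAINT_PARENTS = {"explorer.exe", "svchost.exe"}


def stem(path):
    """Lower-cased file name without extension, e.g. 'fontdrvhost'."""
    return os.path.splitext(os.path.basename(path.replace("\\", "/")))[0].lower()


def find_masquerades(events):
    """Process creates where the on-disk name disagrees with the PE version
    resource's OriginalFileName (a renamed cdb.exe is exactly this), or where
    a name that belongs in System32 runs from elsewhere."""
    hits = []
    for e in events:
        if e["EventID"] != 1:
            continue
        mismatch = stem(e["Image"]) != stem(e["OriginalFileName"])
        outside = (stem(e["Image"]) == "fontdrvhost"
                   and not e["Image"].lower().startswith(SYSTEM32))
        if mismatch or outside:
            hits.append(e["ProcessId"])
    return hits


def find_suspicious_mspaint(events):
    """mspaint.exe behaving like an injection host: spawned by something other
    than the shell, several instances under one parent, or creating a named
    pipe, which Paint has no reason to do."""
    paint = [e for e in events if stem(e["Image"]) == "mspaint"]
    per_parent = Counter(e["ParentImage"] for e in paint if e["EventID"] == 1)
    hits = set()
    for e in paint:
        if e["EventID"] == 1:
            parent = os.path.basename(e["ParentImage"].replace("\\", "/")).lower()
            if parent not in BENIGN_PAINT_PARENTS or per_parent[e["ParentImage"]] > 1:
                hits.add(e["ProcessId"])
        elif e["EventID"] == 17:
            hits.add(e["ProcessId"])
    return sorted(hits)


def find_timestomped(records):
    """$SI creation earlier than $FN creation cannot arise from normal file
    activity, since only $SI is writable from user mode; it means the visible
    timestamp was rewritten after the file was created."""
    return [r["Path"] for r in records
            if datetime.fromisoformat(r["si_created"]) < datetime.fromisoformat(r["fn_created"])]


if __name__ == "__main__":
    print("masquerades:", find_masquerades(EVENTS))
    print("paint hosts:", find_suspicious_mspaint(EVENTS))
    print("timestomped:", find_timestomped(MFT_RECORDS))
```

Expect false positives from the timestomp rule on files copied by tools that deliberately preserve original creation times (robocopy, archive extractors), so pair it with the path and masquerade hits rather than alerting on it alone.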
Earth Alux employs the Microsoft Graph API to turn Outlook’s draft folders into a covert command-and-control (C2) channel.
- Messages from the controller carry the prefix r_
- Responses from the backdoor carry the prefix p_
- Message contents are encrypted with AES-128 and base64-encoded, so they pass as opaque text blobs
“The Outlook communication channel utilizes the draft folder for message exchanges… and messages are deleted to remove tracks.”
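A mailbox-side triage for the draft-folder channel described above, as an added example (written for this article, not part of Trend Micro's report). It scores draft items by the r_/p_ subject marker, whether the body is one base64 blob, and whether the decoded bytes have ciphertext-like entropy. The item shape mirrors what Graph returns for messages (subject, body.content), but every item below is constructed, the high-entropy bodies are SHA-256 chains standing in for AES output so it runs offline, and the 16-byte block-alignment hint is an assumption, since the report does not state which AES mode is used.

```python
import base64
import binascii
import hashlib
import math
import re


def _pseudo_ciphertext(seed, n=1024):
    """Deterministic high-entropy bytes standing in for AES output
    (constructed sample data, not real C2 traffic)."""
    out, block = b"", seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed draft items in the shape of Graph message objects
# (real field names, invented values).
DRAFTS = [
    {"id": "d1", "subject": "r_20240614091203", "isDraft": True,
     "body": {"contentType": "text",
              "content": base64.b64encode(_pseudo_ciphertext("task")).decode()}},
    {"id": "d2", "subject": "p_20240614091203", "isDraft": True,
     "body": {"contentType": "text",
              "content": base64.b64encode(_pseudo_ciphertext("result")).decode()}},
    {"id": "d3", "subject": "Re: Q3 budget", "isDraft": True,
     "body": {"contentType": "text",
              "content": "Hi all, attaching the revised numbers before Friday."}},
    {"id": "d4", "subject": "r_invoice draft", "isDraft": True,
     "body": {"contentType": "text",
              "content": base64.b64encode(b"Please review the attached invoice." * 8).decode()}},
]

MARKER = re.compile(r"^(r_|p_)")


def shannon_entropy(data):
    """Bits per byte; random or encrypted data sits near 8, text near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_base64(text):
    """Decoded bytes if the whole body is a single base64 blob, else None."""
    compact = re.sub(r"\s+", "", text)
    if not compact or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def triage_draft(item):
    raw = decode_base64(item["body"]["content"])
    ent = shannon_entropy(raw) if raw else 0.0
    return {
        "id": item["id"],
        "marker": bool(MARKER.match(item.get("subject", ""))),
        "base64_blob": raw is not None,
        "entropy": round(ent, 2),
        # Assumption: a padded block-cipher mode yields 16-byte-aligned output.
        "block_aligned": raw is not None and len(raw) % 16 == 0,
    }


def flag_c2_drafts(items, min_entropy=7.0):
    """Drafts with the r_/p_ marker whose body is a base64 blob that decodes
    to ciphertext-like bytes; a marker on plain text alone is not enough."""
    return [t["id"] for t in map(triage_draft, items)
            if t["marker"] and t["base64_blob"] and t["entropy"] >= min_entropy]


if __name__ == "__main__":
    for item in DRAFTS:
        print(triage_draft(item))
    print("flagged:", flag_c2_drafts(DRAFTS))
```

Because the report says both sides delete their messages, a one-off pull of the Drafts folder will often find nothing; the durable evidence is the mailbox audit trail (draft creations and deletions clustered in time, and Graph access from an unexpected application) rather than the folder contents themselves.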
Reconnaissance tools executed via MSPaint gather:
- Active Directory structure
- Group policies
- Domain trust relationships
- Users and administrative groups
- Security configurations
Files are stored in timestamped folders and compressed into .tar.gz archives, then uploaded to attacker-controlled cloud storage buckets using credentials embedded in the malware. The same cloud storage bucket has been used to exfiltrate data from different targets.
Earth Alux continually tests and refines its tools using:
- ZeroEye: To identify legitimate apps vulnerable to DLL sideloading
- CloneExportTable: To clone DLL export tables and fool AV heuristics
- VirTest: To pinpoint and remove AV-detectable code from its binaries
Earth Alux is not just another espionage group. It is a modular, adaptable, and persistent APT that leans on DLL sideloading, timestomping, and shellcode injection into MSPaint to maintain access and steal sensitive information, keeping most of its tooling in memory so that little beyond the loaders and encrypted configuration ever touches disk.
“Earth Alux has also been observed to conduct regular tests for some of its toolsets to ensure stealth and longevity in the target environment.”