Earth Alux, a China-linked advanced persistent threat (APT) group, has disrupted the cybersecurity landscape since 2023. Initially focusing on Asia-Pacific countries, it expanded operations to Latin America by mid-2024, targeting sectors like government, technology, logistics, and telecommunications. The group conducts extensive espionage operations, using vulnerable services on exposed servers to implant web shells such as GODZILLA, facilitating malware delivery.
The primary backdoor used by Earth Alux is VARGEIT, which maintains persistence and executes malicious operations. VARGEIT works alongside COBEACON, helping the attackers maintain control across multiple stages of their attacks. Trend Micro researchers note that the group employs sophisticated techniques to test and deploy its tools in target environments, ensuring stealth and longevity in its operations. This enables them to collect data over extended periods.
Once Earth Alux infiltrates a network, its focus shifts to long-term data collection and exfiltration. The group targets industries such as manufacturing, telecommunications, and IT services, where their activities can lead to operational disruptions and significant financial losses. VARGEIT’s capabilities, such as file manipulation, process monitoring, and command line execution, enable the attackers to stay undetected while executing their missions.
A distinctive feature of VARGEIT is its use of the mspaint injection technique. Instead of dropping files onto the system, the malware injects shellcode into mspaint.exe, making it harder for security systems to detect. This technique facilitates activities like network reconnaissance and data exfiltration, with the malware connecting to cloud storage to send sensitive information back to the attackers. The evolving sophistication of Earth Alux’s tactics showcases the growing threat of cyber espionage.
