Cybersecurity researchers have shed light on a new China-linked threat actor called Earth Alux that has targeted various key sectors such as government, technology, logistics, manufacturing, telecommunications, IT services and retail in the Asia-Pacific (APAC) and Latin American (LATAM) regions.
"The first sighting of its activity was in the second quarter of 2023; at that time it was observed in the APAC region," Trend Micro researchers Lenart Bermejo, Ted Lee and Theo Chen noted in a technical report published on Monday. "It was also spotted in Latin America around mid-2024."
Targets of the campaign include countries such as Thailand, the Philippines, Malaysia, Taiwan and Brazil.
The infection chains begin with the exploitation of vulnerable services in internet-exposed web applications, using them to drop the Godzilla web shell, which in turn facilitates the deployment of additional payloads, including backdoors named VARGEIT and COBEACON (aka Cobalt Strike Beacon).
VARGEIT offers the ability to load tools directly from its command-and-control (C&C) server into a newly spawned Microsoft Paint process ("mspaint.exe") to facilitate reconnaissance, collection and exfiltration.
"VARGEIT is also the primary method through which Earth Alux operates additional tools for different tasks, such as lateral movement and network discovery, in a fileless manner," the researchers said.
It is worth noting here that VARGEIT is used as a first-, second- or later-stage backdoor, while COBEACON is likewise used as a backdoor. The latter is launched by a loader called Masqloader, or via RSBinject, a Rust-based command-line shellcode loader.
Later iterations of Masqloader have also been observed implementing an anti-API-hooking technique that overwrites any NTDLL.dll hooks inserted by security products to identify suspicious processes running on Windows, allowing the malware and its embedded payload to fly under the radar.
Execution of VARGEIT leads to the deployment of additional tools, including a loader component called Railload, which is executed via a technique known as DLL side-loading and is used to run an encrypted payload located in another folder.
The second payload is a persistence and timestomping module called Railsetter, which alters the timestamps associated with Railload's artifacts on the compromised host and creates a scheduled task to launch Railload.
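Railsetter's timestomping, described above, is the kind of change a responder can look for when triaging a host. The following is an added example (not code from the page or from Trend Micro) that applies two general timestamp-anomaly heuristics to constructed file metadata records; the heuristics and sample paths are assumptions for illustration, not Earth Alux indicators.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class FileTimes:
    """Creation/modification/access times as a forensic tool would report them."""
    path: str
    created: datetime
    modified: datetime
    accessed: datetime


def timestomp_indicators(ft: FileTimes) -> list[str]:
    """Return heuristic reasons a file's timestamps look manipulated.

    Heuristics (assumptions for this example, not page-specific indicators):
    - a modification time earlier than the creation time cannot arise from
      normal writes; something rewrote at least one of the two values
    - every timestamp lacking a sub-second component suggests they were set
      by a tool working at whole-second granularity rather than by the filesystem
    """
    reasons = []
    if ft.modified < ft.created:
        reasons.append("modified before created")
    if all(t.microsecond == 0 for t in (ft.created, ft.modified, ft.accessed)):
        reasons.append("no sub-second precision on any timestamp")
    return reasons


def scan(records: list[FileTimes]) -> dict[str, list[str]]:
    """Map each flagged path to its indicators; clean files are omitted."""
    flagged = {}
    for r in records:
        hits = timestomp_indicators(r)
        if hits:
            flagged[r.path] = hits
    return flagged


# Constructed sample: one normally written file and one whose times were
# backdated to whole seconds in 2019, older than its own creation time.
SAMPLE = [
    FileTimes(r"C:\ProgramData\vendor\app.exe",
              datetime(2024, 6, 3, 9, 14, 22, 318000),
              datetime(2024, 6, 3, 9, 14, 22, 318000),
              datetime(2024, 6, 4, 7, 1, 5, 90210)),
    FileTimes(r"C:\ProgramData\vendor\helper.dll",
              datetime(2024, 6, 4, 7, 0, 58),
              datetime(2019, 7, 12, 4, 30, 0),
              datetime(2019, 7, 12, 4, 30, 0)),
]
```

Run `scan(SAMPLE)` to see only the backdated DLL flagged with both reasons; on a real case, feed records exported from a timeline tool rather than the constructed sample.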
[Figure: interaction between VARGEIT and its controller]
"Masqloader is also used by other groups apart from Earth Alux," Trend Micro said. "In addition, the difference in Masqloader's code structure compared to other tools such as Railsetter and Railload suggests that Masqloader's development is separate from these tools."
The most distinctive aspect of VARGEIT is its ability to maintain 10 different channels for C&C communication via HTTP, TCP, UDP, ICMP, DNS and Microsoft Outlook, the last of which uses the Graph API to exchange commands in a predetermined format through a folder of an attacker-controlled mailbox.
Specifically, messages from the C&C server are prefixed with R_, while those from the backdoor are prefixed with P_. Among its wide range of features are extensive data collection and command execution, making it a powerful piece of malware in the threat actor's arsenal.
"Earth Alux conducts several tests with Railload and Railsetter," Trend Micro said. "These include detection tests and attempts to find new hosts for DLL side-loading. The DLL side-loading tests use ZeroEye, an open-source tool popular in the Chinese community, to scan EXE import tables for imported DLLs that can be abused."
The hacking group has also been found to use another testing tool, one widely used by the Chinese community, to make sure its tools are sufficiently evasive to maintain long-term access to target environments.
"Earth Alux is a complex and evolving cyber-espionage threat that uses a diverse toolkit and advanced techniques to infiltrate and compromise a number of sectors, especially in the APAC and Latin America regions," the researchers concluded. "The group's continuous testing and development further indicate its commitment to refining its capabilities and evasion."