Cyber Security News

Earth Alux Hackers Employ VARGEIT Malware to Attack Organizations

Earth Alux, a China-linked advanced persistent threat (APT) group, has been conducting espionage operations since the second quarter of 2023.

Initially targeting the Asia-Pacific region, the group expanded its operations to Latin America by mid-2024, primarily focusing on government, technology, logistics, manufacturing, telecommunications, IT services, and retail sectors in countries including Thailand, the Philippines, Malaysia, Taiwan, and Brazil.

Earth Alux primarily gains initial access by exploiting vulnerable services in exposed servers, subsequently implanting web shells such as GODZILLA to facilitate the delivery of their malware.

Overview of Earth Alux (Source – Trend Micro)

The group relies on VARGEIT as its primary backdoor, alongside COBEACON; VARGEIT is used across multiple stages of an intrusion to maintain persistence and carry out post-exploitation tasks.

Trend Micro researchers identified that the attackers employ sophisticated techniques to ensure stealth and longevity in target environments, regularly testing their toolsets before deployment.

Once established in a network, Earth Alux focuses on long-term data collection and exfiltration, potentially leading to disrupted operations and significant financial losses across critical industries.

VARGEIT operates as a multi-channel configurable backdoor with remarkable capabilities, including drive information collection, process monitoring, file manipulation, command line execution, and the ability to inject additional tools without leaving traces on the filesystem.

VARGEIT and controller interaction (Source – Trend Micro)

What makes this malware particularly concerning for defenders is that it supports several command-and-control channels. In the observed attacks the predominant one was an Outlook channel that exchanges messages through the Microsoft Graph API, so C2 traffic is directed at Microsoft's own infrastructure rather than at an attacker-owned server.

The mspaint Injection Technique

The most distinctive aspect of VARGEIT’s operation is its unique mspaint injection technique.

Rather than dropping files onto the target system, the malware opens instances of mspaint.exe into which it injects shellcode received directly from command-and-control servers.

This technique allows Earth Alux to execute additional tools without leaving detectable artifacts on disk.

Launch process (Source – Trend Micro)

Injection into mspaint.exe is carried out with the VirtualAllocEx, WriteProcessMemory and RtlCreateUserThread APIs (allocate memory in the target, write the shellcode, start a thread on it). The spawned mspaint processes are recognisable by their unusual command line; this example pattern was observed during reconnaissance activity:

C:\Windows\System32\mspaint.exe sElf98RqkF ldap   

These mspaint processes perform various malicious activities, including security event log examination, group policy discovery, network/LDAP reconnaissance, and data exfiltration.

During exfiltration operations, the malware connects to attacker-controlled cloud storage buckets, sending compressed archives of collected sensitive information.
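The behaviour described in this section leaves two observable traces even though nothing touches disk: mspaint.exe started with arguments that are not an image path (as in the command line above) and mspaint.exe opening network connections, which a paint program has no reason to do. The following hunting script is an added example written for this page, not Trend Micro's code or any vendor signature. It runs over constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records; every host, PID, IP address and command line in the sample is made up, except the single command-line pattern quoted in the article, and the second token/keyword pair is invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry using Sysmon-like field names (not real events).
# EventID 1 = process creation, EventID 3 = network connection.
SAMPLE_EVENTS = [
    # Benign: user opens a picture from Explorer.
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\mspaint.exe",
     "CommandLine": r'"C:\Windows\System32\mspaint.exe" "C:\Users\bob\Pictures\cat.png"'},
    # Pattern quoted in the article: opaque token followed by a task keyword.
    {"EventID": 1, "ProcessId": 5208, "Image": r"C:\Windows\System32\mspaint.exe",
     "CommandLine": r"C:\Windows\System32\mspaint.exe sElf98RqkF ldap"},
    {"EventID": 3, "ProcessId": 5208, "Image": r"C:\Windows\System32\mspaint.exe",
     "DestinationIp": "10.20.0.5", "DestinationPort": 389},
    # Hypothetical second instance (token and keyword invented for this sample).
    {"EventID": 1, "ProcessId": 6100, "Image": r"C:\Windows\System32\mspaint.exe",
     "CommandLine": r"C:\Windows\System32\mspaint.exe Q7pLm2xA9z upload"},
    {"EventID": 3, "ProcessId": 6100, "Image": r"C:\Windows\System32\mspaint.exe",
     "DestinationIp": "203.0.113.77", "DestinationPort": 443},
    # Benign: print job. mspaint accepts the /p and /pt switches.
    {"EventID": 1, "ProcessId": 7002, "Image": r"C:\Windows\System32\mspaint.exe",
     "CommandLine": r"C:\Windows\System32\mspaint.exe /pt C:\scans\page1.bmp"},
]

IMAGE_EXT = (".png", ".jpg", ".jpeg", ".bmp", ".gif", ".tif", ".tiff", ".ico")


def split_cmdline(cmdline):
    """Tokenize a Windows command line, keeping double-quoted paths intact.
    Unquoted paths containing spaces are split; quote them in real telemetry."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_legit_arg(tok):
    """mspaint.exe only legitimately takes print switches and an image path."""
    if tok.startswith("/"):
        return True
    return "\\" in tok or ":" in tok or tok.lower().endswith(IMAGE_EXT)


def odd_args(cmdline):
    """Return the arguments that look like nothing mspaint would accept."""
    return [t for t in split_cmdline(cmdline)[1:] if not is_legit_arg(t)]


def hunt(events):
    """Score mspaint.exe processes per PID; returns {pid: (severity, reasons)}."""
    points = defaultdict(int)
    reasons = defaultdict(list)
    for ev in events:
        if not ev["Image"].lower().endswith(r"\mspaint.exe"):
            continue
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:
            bad = odd_args(ev["CommandLine"])
            if bad:
                points[pid] += 2
                reasons[pid].append("non-path arguments: " + " ".join(bad))
        elif ev["EventID"] == 3:
            ip, port = ev["DestinationIp"], ev["DestinationPort"]
            if port == 445:
                # SMB can be a benign UNC image open; weight it lower, not zero.
                points[pid] += 1
                reasons[pid].append("smb connection to %s" % ip)
            else:
                # No reason for a paint program to speak LDAP or HTTP(S).
                points[pid] += 2
                reasons[pid].append("network connection to %s:%d" % (ip, port))
    levels = {1: "low", 2: "medium"}
    return {pid: (levels.get(p, "high"), reasons[pid]) for pid, p in points.items()}


if __name__ == "__main__":
    for pid, (sev, why) in sorted(hunt(SAMPLE_EVENTS).items()):
        print(pid, sev, "; ".join(why))
```

On the sample data PIDs 4120 and 7002 produce no finding, while 5208 and 6100 are scored high because each combines an anomalous command line with an outbound connection. The same two rules translate directly into a SIEM query: process creation where Image ends in mspaint.exe and CommandLine has a token that is neither a switch nor a path, joined on ProcessGuid to any network-connection event from that process.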

The increasing sophistication of Earth Alux’s tactics highlights the evolving nature of cyber espionage threats facing organizations today, particularly those in strategic sectors across Asia-Pacific and Latin America regions.


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
