A new wave of cyberattacks orchestrated by the advanced persistent threat (APT) group Earth Alux has been uncovered, revealing the use of sophisticated malware, including the VARGEIT backdoor, to infiltrate critical industries.
Linked to China, Earth Alux has been targeting organizations across the Asia-Pacific (APAC) region and Latin America since 2023, focusing on sectors such as government, technology, logistics, manufacturing, telecommunications, IT services, and retail.
The group’s primary toolset includes VARGEIT, a multi-stage backdoor capable of maintaining long-term persistence in compromised systems.
VARGEIT is often combined with other tools such as COBEACON and is typically deployed through DLL sideloading, with timestomping used to make the dropped files blend in with legitimate ones on disk.
These methods allow Earth Alux to evade detection while conducting cyberespionage activities that include reconnaissance, data collection, and exfiltration.
VARGEIT operates as a modular backdoor with extensive capabilities.
It enables attackers to execute commands, collect system information, and inject additional tools into processes such as mspaint.exe so that those tools run in memory without being written to disk.
The malware uses multiple communication channels, including HTTP, reverse TCP/UDP, and even Microsoft Outlook via Graph API.
According to Trend Micro, this versatility allows Earth Alux to maintain control over compromised systems while minimizing its footprint.
The initial stage of an attack typically involves exploiting vulnerabilities in exposed servers to implant web shells such as GODZILLA.
From there, the group deploys first-stage backdoors like COBEACON or VARGEIT using methods such as debugger scripts or encrypted payloads.
Subsequent stages leverage tools like RAILLOAD for loading encrypted configurations and RAILSETTER for persistence through timestomping and scheduled tasks.
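The timestomping mentioned above is also one of the more tractable things to hunt for on an endpoint. The following script is an added example, not code from Trend Micro's report or from Earth Alux's tooling: it applies two classic forensic checks to NTFS MFT timestamp records. User-mode APIs such as SetFileTime rewrite only the $STANDARD_INFORMATION ($SI) timestamps, so a backdated file ends up with $SI times older than the kernel-maintained $FILE_NAME ($FN) times, and many timestomping tools write whole-second values while genuine timestamps carry sub-second precision. The `MftRecord` shape and the two sample records are constructed for illustration; a real run would feed it records parsed from an MFT dump.

```python
"""Flag NTFS files whose timestamps show signs of timestomping.

Added example for the Earth Alux write-up; the record format and sample
data below are constructed, not taken from any real incident.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class MftRecord:
    """Timestamps parsed from one NTFS MFT entry (hypothetical input shape)."""
    path: str
    si_created: datetime   # $STANDARD_INFORMATION creation time
    si_modified: datetime  # $STANDARD_INFORMATION last-modified time
    fn_created: datetime   # $FILE_NAME creation time
    fn_modified: datetime  # $FILE_NAME last-modified time


def _whole_second(t: datetime) -> bool:
    # Timestamps written by typical timestomping tools carry no sub-second part.
    return t.microsecond == 0


def timestomp_indicators(rec: MftRecord) -> list[str]:
    """Return the timestomping indicators present on one record.

    Indicator 1: a $SI time earlier than the matching $FN time. SetFileTime and
    similar user-mode calls rewrite $SI only, so backdated $SI values end up
    older than the kernel-maintained $FN values.
    Indicator 2: every $SI time is a whole second while a $FN time is not,
    suggesting $SI was overwritten with coarse, hand-picked values.
    Either one is a lead for an analyst, not proof on its own.
    """
    reasons = []
    if rec.si_created < rec.fn_created:
        reasons.append("$SI created precedes $FN created")
    if rec.si_modified < rec.fn_modified:
        reasons.append("$SI modified precedes $FN modified")
    si_coarse = _whole_second(rec.si_created) and _whole_second(rec.si_modified)
    fn_fine = not (_whole_second(rec.fn_created) and _whole_second(rec.fn_modified))
    if si_coarse and fn_fine:
        reasons.append("$SI times lack sub-second precision while $FN times keep it")
    return reasons


def find_timestomped(records: list[MftRecord]) -> dict[str, list[str]]:
    """Map path -> indicators for every record that shows at least one."""
    hits = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            hits[rec.path] = reasons
    return hits


UTC = timezone.utc

# Constructed sample records: one backdated sideloaded DLL, one untouched file.
SAMPLE_RECORDS = [
    MftRecord(
        path=r"C:\ProgramData\Vendor\helper.dll",
        si_created=datetime(2019, 1, 1, 0, 0, 0, tzinfo=UTC),
        si_modified=datetime(2019, 1, 1, 0, 0, 0, tzinfo=UTC),
        fn_created=datetime(2024, 6, 15, 9, 12, 33, 123456, tzinfo=UTC),
        fn_modified=datetime(2024, 6, 15, 9, 12, 33, 123456, tzinfo=UTC),
    ),
    MftRecord(
        path=r"C:\Windows\System32\kernel32.dll",
        si_created=datetime(2023, 11, 2, 4, 41, 10, 512000, tzinfo=UTC),
        si_modified=datetime(2023, 11, 2, 4, 41, 10, 512000, tzinfo=UTC),
        fn_created=datetime(2023, 11, 2, 4, 41, 10, 512000, tzinfo=UTC),
        fn_modified=datetime(2023, 11, 2, 4, 41, 10, 512000, tzinfo=UTC),
    ),
]


if __name__ == "__main__":
    for path, reasons in find_timestomped(SAMPLE_RECORDS).items():
        print(path)
        for why in reasons:
            print("  -", why)
```

Both checks produce false positives in practice (files restored from backup, some installers that copy timestamps), so treat a hit as a pivot point: check the file's $FN times against the creation time of the scheduled task or service that loads it, and against the sideloaded host executable next to it.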
Initially observed in APAC countries like Thailand, the Philippines, Malaysia, and Taiwan during 2023, Earth Alux expanded its reach to Latin America by mid-2024.
The group’s focus on high-value industries underscores its intent to obtain sensitive information whose theft could disrupt operations or cause significant financial losses for the targeted organizations.
To counter threats posed by Earth Alux’s advanced toolkit, organizations are advised to adopt proactive cybersecurity measures:
Earth Alux’s evolving tactics highlight the importance of vigilance in today’s cybersecurity landscape.
By understanding their techniques and implementing robust defenses, organizations can reduce their risk of falling victim to these sophisticated attacks.