A China-linked advanced persistent threat (APT) group, Earth Alux, has been conducting sophisticated cyberattacks against key sectors in Asia-Pacific (APAC) and Latin America. The group employs stealthy techniques, leveraging legitimate tools and multiple covert communication channels to evade detection.
Tools & Tactics Used by Earth Alux
- VARGEIT: A malicious backdoor disguised within `mspaint.exe` (Microsoft Paint) for spying and data exfiltration.
- COBEACON (Cobalt Strike): Used for initial access and command-and-control (C2) operations.
- MASQLOADER: A loader designed to bypass security detections.
- 10+ Covert Communication Channels: Including Microsoft Outlook drafts for stealthy data exchange.
👉 Learn more: The Hacker News Report
You Should Know: Detecting and Mitigating Earth Alux Attacks
1. Detecting VARGEIT Backdoor in mspaint.exe
Check for suspicious processes and DLL injections:

```powershell
# Check running instances of mspaint.exe with unusual parent processes
# (the Parent property exists in PowerShell 7+; on Windows PowerShell 5.1 use
#  Get-CimInstance Win32_Process and its ParentProcessId instead)
Get-Process mspaint | Select-Object Id, Path, Parent
```

```bash
# Linux alternative (if analyzing memory dumps; Volatility 2 syntax)
volatility -f memory.dump --profile=Win10x64 pslist | grep mspaint
```
2. Identifying Cobalt Strike (COBEACON) Traffic
Monitor for JARM fingerprints and Beacon HTTP requests:

```bash
# Use Zeek (Bro) to parse the capture into logs for C2 hunting (-C ignores bad checksums)
zeek -r traffic.pcap -C
```

```powershell
# Check for suspicious scheduled tasks (common persistence mechanism);
# -like needs wildcards, otherwise it only matches a task named exactly "Update"
Get-ScheduledTask | Where-Object { $_.TaskName -like "*Update*" }
```
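To make the "beaconing pattern" check concrete, here is an added Python example (not from the original post or the Hacker News report) that runs the detection logic over a few constructed connection records. It assumes the input is a four-column projection of a Zeek conn.log (ts, id.orig_h, id.resp_h, id.resp_p, as `zeek-cut` would emit); the addresses, timestamps and thresholds are made up for illustration.

```python
"""Flag regular-interval connections (beaconing) in a Zeek-style connection log.
Added example; the log lines below are constructed sample data, not a real capture."""
import statistics
from collections import defaultdict

# Constructed sample: columns are ts, id.orig_h, id.resp_h, id.resp_p (tab-separated),
# the projection `zeek-cut ts id.orig_h id.resp_h id.resp_p < conn.log` produces.
# Flow A: 12 connections roughly every 60 s (tight jitter) -> beacon-like.
# Flow B: 9 connections at irregular gaps -> ordinary traffic.
_JITTER_A = [0.0, 0.4, -0.3, 0.8, -0.6, 0.2, 0.5, -0.2, 0.9, -0.5, 0.1, 0.3]
_TIMES_A = [1700000000 + 60 * i + j for i, j in enumerate(_JITTER_A)]
_GAPS_B = [5, 300, 20, 900, 60, 2, 400, 100]
_TIMES_B = [1700000000]
for _g in _GAPS_B:
    _TIMES_B.append(_TIMES_B[-1] + _g)

SAMPLE_CONN_LOG = "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\n" + "".join(
    f"{t:.3f}\t10.0.0.5\t203.0.113.10\t443\n" for t in _TIMES_A
) + "".join(
    f"{t:.3f}\t10.0.0.7\t198.51.100.20\t443\n" for t in _TIMES_B
)


def parse_conn_lines(text):
    """Group connection timestamps by (orig_h, resp_h, resp_p); '#' header lines are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p = line.split("\t")[:4]
        flows[(orig_h, resp_h, int(resp_p))].append(float(ts))
    return flows


def beacon_candidates(flows, min_conns=8, max_cv=0.10):
    """Return flows with at least min_conns connections whose inter-arrival times are
    nearly constant: coefficient of variation (stdev / mean of the gaps) <= max_cv.
    Thresholds are example values; tune them against the environment's baseline,
    since a beacon configured with heavy jitter needs a looser max_cv."""
    hits = []
    for flow, times in flows.items():
        if len(times) < min_conns:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if cv <= max_cv:
            hits.append({"flow": flow, "count": len(times),
                         "mean_interval": round(mean_gap, 2), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in beacon_candidates(parse_conn_lines(SAMPLE_CONN_LOG)):
        print(hit)
```

On the constructed data only the 10.0.0.5 to 203.0.113.10:443 flow is reported (about 60 s between connections, cv well under 0.05); the irregular flow has enough connections to be evaluated but its gaps vary too much. Feed it real `zeek-cut` output from the capture parsed above and review the hits against known-good periodic services (update checks, monitoring agents) before treating them as C2.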
3. Analyzing MASQLOADER Evasion Techniques
Scan for process hollowing and reflective DLL injection:

```powershell
# Check for unsigned DLLs loaded into legitimate processes
# (ProcessModule has no IsSigned property; check each module file's Authenticode signature instead)
Get-Process | ForEach-Object { try { $_.Modules.FileName } catch { } } | Sort-Object -Unique |
  Get-AuthenticodeSignature | Where-Object { $_.Status -ne 'Valid' } | Select-Object Path, Status
```

```bash
# Use YARA rules to detect MASQLOADER payloads (-r scans the directory recursively)
yara -r /path/to/malware.yar C:\Windows\System32
```
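The process check in section 1 and the module check in section 3 reduce to two rules over endpoint telemetry: mspaint.exe started by an unexpected parent, and a module without a valid signature loaded into a trusted host process. The following added Python example (not from the original post or the report) applies both rules to a handful of constructed Sysmon-style records, using the field names of Sysmon's Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad); the allow-lists, paths and events are assumptions for illustration, not real telemetry.

```python
"""Two detection rules over Sysmon-style endpoint events (added example, constructed data):
  rule 1: mspaint.exe created by a parent outside an expected set      (Sysmon Event ID 1)
  rule 2: a module without a valid signature loaded into a trusted host (Sysmon Event ID 7)
Field names follow Sysmon's ProcessCreate / ImageLoad events; the records are made up."""

# Parents from which an interactive mspaint.exe launch is considered normal.
# Assumption for this example; derive the real list from your own baseline.
EXPECTED_MSPAINT_PARENTS = {r"c:\windows\explorer.exe"}

# Host processes that should only ever load validly signed modules (assumption).
TRUSTED_HOSTS = {"mspaint.exe", "explorer.exe", "svchost.exe"}

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\mspaint.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "mspaint.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mspaint.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\setup.exe", "CommandLine": "mspaint.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\setup.exe", "CommandLine": "notepad.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\mspaint.exe",
     "ImageLoaded": r"C:\Windows\System32\gdi32.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Windows\System32\mspaint.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unexpected_mspaint_parents(events, expected=EXPECTED_MSPAINT_PARENTS):
    """Rule 1: process-create events for mspaint.exe whose parent is not in the expected set."""
    return [e for e in events
            if e.get("EventID") == 1
            and basename(e["Image"]) == "mspaint.exe"
            and e["ParentImage"].lower() not in expected]


def unsigned_loads_into_trusted(events, trusted=TRUSTED_HOSTS):
    """Rule 2: image-load events into a trusted host where the module is not validly signed.
    Sysmon reports Signed=true/false plus a SignatureStatus (e.g. Valid, Unavailable, Expired);
    anything other than Signed=true with status Valid is treated as a finding."""
    return [e for e in events
            if e.get("EventID") == 7
            and basename(e["Image"]) in trusted
            and not (e.get("Signed", "").lower() == "true"
                     and e.get("SignatureStatus") == "Valid")]


def triage(events):
    """Run both rules and return compact (who, what) findings a responder can act on."""
    return {
        "unexpected_mspaint_parent": [(e["ParentImage"], e["Image"])
                                      for e in unexpected_mspaint_parents(events)],
        "unsigned_load": [(e["Image"], e["ImageLoaded"])
                          for e in unsigned_loads_into_trusted(events)],
    }


if __name__ == "__main__":
    for rule, findings in triage(SAMPLE_EVENTS).items():
        print(rule, findings)
```

With the constructed records, rule 1 reports the mspaint.exe launched from a Temp-directory installer and rule 2 reports the unsigned helper.dll loaded into mspaint.exe; the unsigned plugin in the vendor tool is not reported because that host is outside the trusted set, which is the knob to widen once the environment's normal module loads are baselined.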
4. Monitoring Outlook Drafts for C2 Communication
Check for unusual Outlook items via PowerShell:

```powershell
# List Outlook drafts (requires Outlook installed; uses the Outlook COM object)
$Outlook = New-Object -ComObject Outlook.Application
$Namespace = $Outlook.GetNamespace("MAPI")
$Drafts = $Namespace.GetDefaultFolder(16)   # 16 = olFolderDrafts
$Drafts.Items | Select-Object Subject, CreationTime
```
5. Blocking Earth Alux Infrastructure
Update firewall rules to block known IOCs (replace 45.xx.xx.xx with the published indicator):

```bash
# Linux (iptables)
iptables -A INPUT -s 45.xx.xx.xx -j DROP
```

```powershell
# Windows (netsh)
netsh advfirewall firewall add rule name="Block Earth Alux IP" dir=in action=block remoteip=45.xx.xx.xx
```
What Undercode Says
Earth Alux represents a highly sophisticated threat that abuses trusted applications (mspaint.exe, Outlook) to remain undetected. Defenders must:
- Monitor process injections (`Get-Process -IncludeUserName`).
- Analyze network traffic for beaconing patterns (T1043).
- Restrict macros and disable unnecessary COM objects.
- Deploy YARA rules for memory scanning.
- Use Sysmon for deep process tracking, e.g. a minimal config that logs every process creation whose command line contains "mspaint":

```xml
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <CommandLine condition="contains">mspaint</CommandLine>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>
```
Expected Output:
- Detected VARGEIT backdoor → Terminate `mspaint.exe` and analyze memory.
- Blocked Cobalt Strike C2 → Applied firewall rules to drop malicious IPs.
- Disabled Outlook draft exfiltration → Restricted COM object access.
- Deployed YARA scans → Identified MASQLOADER payloads in memory.
References:
Reported By: Thehackernews A – Hackers Feeds