Analytics Story: Earth Alux

Description

Earth Alux is a sophisticated espionage threat actor that targets the government, technology, logistics, manufacturing, telecommunications and IT services sectors, primarily in the APAC region and Latin America. The group steals information using a combination of webshells, process injection, DLL side-loading and credential theft.

Why it matters

Earth Alux employs several custom tools, including VARGEIT, RAILLOAD, RAILSETTER and COBEACON, to establish persistence, steal credentials and maintain command and control. Initial access typically begins with a webshell, followed by shellcode execution through a renamed system binary such as cdb.exe disguised as fontdrvhost.exe. The group injects into legitimate Windows processes such as MSPaint, calc.exe and notepad.exe, and pairs this with DLL side-loading prepared using tools like ZeroEye and CloneExportTable. It prioritizes credential theft from browsers and, after collecting and compressing sensitive data, exfiltrates it to cloud storage buckets. Detection should therefore focus on unusual process paths, suspicious DLL loading, credential access activity, and abnormal network connections from trusted Windows binaries.

Detections

Name | Technique | Type
DLLHost with no Command Line Arguments with Network | Process Injection | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Windows Credential Access From Browser Password Store | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly
Windows DLL Side-Loading In Calc | DLL | TTP
Windows DLL Side-Loading Process Child Of Calc | DLL | Anomaly
Windows Process Injection into Commonly Abused Processes | Portable Executable Injection | Anomaly
Windows Process Injection into Notepad | Portable Executable Injection | Anomaly
Windows Process Injection Remote Thread | Portable Executable Injection | TTP
Windows Process Injection With Public Source Path | Portable Executable Injection | Hunting
Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Resource Name or Location | TTP
Windows Unsigned DLL Side-Loading | DLL | Anomaly
Windows Unsigned MS DLL Side-Loading | DLL, Boot or Logon Autostart Execution | Anomaly
Supernova Webshell | Web Shell, External Remote Services | TTP
Web JSP Request via URL | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Nginx Access | N/A | nginx:plus:kv | /var/log/nginx/access.log
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 8 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1