Analytics Story: Earth Alux
Description
Earth Alux is a sophisticated espionage threat actor targeting government, technology, logistics, manufacturing, telecommunications, and IT services sectors primarily in the APAC region and Latin America, using advanced techniques for information theft through a combination of webshells, process injection, DLL side-loading, and credential theft.
Why it matters
Earth Alux employs multiple custom tools including VARGEIT, RAILLOAD, RAILSETTER, and COBEACON to establish persistence, steal credentials, and maintain command and control. The group's initial access often involves webshells followed by the use of renamed system binaries like cdb.exe (disguised as fontdrvhost.exe) to execute shellcode. Their tactics include process injection into legitimate Windows processes such as MSPaint, calc.exe, and notepad.exe, combined with sophisticated DLL side-loading techniques using tools like ZeroEye and CloneExportTable. The actor prioritizes credential theft from browsers and uses cloud storage buckets for data exfiltration after collecting and compressing sensitive information. Threat detection should focus on unusual process paths, suspicious DLL loading, credential access activity, and abnormal network connections from trusted Windows binaries.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
Nginx Access | N/A | nginx:plus:kv | /var/log/nginx/access.log |
Sysmon EventID 1 | | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 10 | | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 11 | | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 3 | | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 7 | | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 8 | | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Windows Event Log Security 4663 | | xmlwineventlog | XmlWinEventLog:Security |
Windows Event Log Security 4688 | | xmlwineventlog | XmlWinEventLog:Security |
References
Source: GitHub | Version: 1