
China-nexus threat group Earth Alux has primarily targeted government, telecommunications, IT service, manufacturing, logistics, and retail organizations in Taiwan, Malaysia, Thailand, the Philippines, and Brazil in cyberespionage attacks that deploy the VARGEIT and COBEACON (Cobalt Strike Beacon) payloads, reports The Hacker News.
Earth Alux begins its multi-stage intrusions by compromising internet-exposed web applications and planting the Godzilla web shell, which is then used to deliver VARGEIT and COBEACON, according to an analysis from Trend Micro. COBEACON served mainly as a first-stage backdoor, while VARGEIT was used across multiple stages of the intrusion, including to distribute RAILLOAD, a loader that executes encrypted payloads, and RAILSETTER, which establishes persistence. Aside from extensively testing RAILLOAD and RAILSETTER, Earth Alux has also used the VirTest tool to help maintain long-term access to compromised systems. "The group's ongoing testing and development of its tools further indicate a commitment to refining its capabilities and evading detection," said Trend Micro researchers.