A cluster of threat activity tracked as Earth Freybug has been observed using a new malware called UNAPIMON to fly under the radar.
“Earth Freybug is a cyber threat group active since at least 2012 that focuses on espionage and financially motivated activities,” said Christopher So, a security researcher at Trend Micro, in a report released today.
“It has been observed targeting organizations from various sectors in different countries.”
The cybersecurity firm described Earth Freybug as a subset within APT41, a China-linked cyber espionage group that is also tracked as Axiom, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda and Winnti.
The adversary collective is known to rely on a combination of living-off-the-land binaries (LOLBins) and custom malware to accomplish their goals. Techniques such as dynamic link library (DLL) hijacking and application programming interface (API) unhooking are also adopted.
Trend Micro said the activity shares tactical overlaps with a cluster previously disclosed by cybersecurity firm Cybereason under the name Operation CuckooBees, which refers to an intellectual property theft campaign targeting technology and manufacturing companies located in East Asia, Western Europe and North America.
The starting point of the attack chain is the use of a legitimate executable associated with VMware Tools (“vmtoolsd.exe”) to create a scheduled task via “schtasks.exe” and deploy a file named “cc.bat” on the remote computer.
It is currently unknown how the malicious code was inserted into vmtoolsd.exe, although it is suspected that it may have involved the exploitation of externally facing servers.
The batch script is designed to collect system information and launch a second scheduled task on the infected host, which, in turn, runs another batch file of the same name (“cc.bat”) to ultimately execute the UNAPIMON malware.
“The second cc.bat is notable because it leverages a service that loads a non-existent library to sideload a malicious DLL,” So explained. “In this case, the service is SessionEnv.”
This paves the way for the execution of TSMSISrv.DLL, which is responsible for dropping another DLL file (i.e., UNAPIMON) and injecting the same DLL into cmd.exe. At the same time, the DLL file is also injected into SessionEnv to evade defenses.
On top of that, the Windows command interpreter is designed to execute commands from another machine, essentially turning it into a backdoor.
A simple C++-based malware, UNAPIMON is equipped to prevent child processes from being monitored by leveraging an open-source Microsoft library called Detours to unhook critical API functions, thus evading detection in sandbox environments that implement API monitoring via hooking.
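To make the unhooking idea concrete, here is an added example (not code from the Trend Micro report or from UNAPIMON itself) that simulates the core mechanism over constructed byte strings rather than a live Windows process. A monitoring product typically patches the first bytes of an exported function with a 5-byte `jmp rel32` into its own DLL; an unhooker compares those bytes against a pristine copy of the module mapped fresh from disk and writes the clean prologue back. The export names are real ntdll exports, but the RVAs, system call numbers, module bases and the monitoring DLL address are all assumptions chosen for the simulation.

```python
"""Simulated inline-hook detection and unhooking over constructed byte images.

Added example; not the malware's code and not a Windows API.  Models the
compare-against-disk technique: a hooked export starts with E9 <rel32>
instead of its original prologue, and restoring the on-disk bytes removes
the hook.  All addresses, RVAs and syscall numbers below are constructed.
"""
import struct

PROLOGUE_LEN = 8  # assumption: bytes compared per export, enough to cover a 5-byte jmp


def syscall_stub(ssn: int) -> bytes:
    """Constructed clean x64 ntdll stub prefix: mov r10, rcx ; mov eax, <ssn>."""
    return b"\x4c\x8b\xd1" + b"\xb8" + struct.pack("<I", ssn)


def make_jmp_patch(func_addr: int, hook_addr: int) -> bytes:
    """What a hooking engine writes: E9 jmp rel32 to hook_addr, NOP-padded."""
    rel = hook_addr - (func_addr + 5)          # rel32 is relative to the next instruction
    return b"\xe9" + struct.pack("<i", rel) + b"\x90" * (PROLOGUE_LEN - 5)


def decode_jmp_target(func_addr: int, code: bytes):
    """Return the absolute jmp target if code starts with E9 rel32, else None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack("<i", code[1:5])[0]
    return func_addr + 5 + rel


class ModuleImage:
    """Minimal stand-in for a mapped DLL: base address plus export name -> (RVA, code)."""

    def __init__(self, base: int, exports: dict):
        self.base = base
        # copy the bytes so the disk and memory views can diverge independently
        self.exports = {n: (rva, bytearray(code)) for n, (rva, code) in exports.items()}

    def address_of(self, name: str) -> int:
        return self.base + self.exports[name][0]

    def read(self, name: str) -> bytes:
        return bytes(self.exports[name][1])

    def write(self, name: str, data: bytes) -> None:
        self.exports[name][1][:len(data)] = data


def find_hooks(disk: ModuleImage, mem: ModuleImage):
    """Compare each export's prologue in memory with the fresh on-disk copy.

    Returns (name, address, jmp_target_or_None) for every export that differs.
    The same comparison is usable by a defender to confirm its hooks are intact.
    """
    hooks = []
    for name in disk.exports:
        clean = disk.read(name)[:PROLOGUE_LEN]
        live = mem.read(name)[:PROLOGUE_LEN]
        if clean != live:
            addr = mem.address_of(name)
            hooks.append((name, addr, decode_jmp_target(addr, live)))
    return hooks


def unhook(disk: ModuleImage, mem: ModuleImage):
    """Restore the clean prologue of every hooked export; returns the names restored."""
    restored = []
    for name, _, _ in find_hooks(disk, mem):
        mem.write(name, disk.read(name)[:PROLOGUE_LEN])
        restored.append(name)
    return restored


# Constructed export table: real ntdll export names, made-up RVAs and syscall numbers.
NTDLL_EXPORTS = {
    "NtAllocateVirtualMemory": (0x9D3E0, syscall_stub(0x18)),
    "NtWriteVirtualMemory":    (0x9D5A0, syscall_stub(0x3A)),
    "NtCreateThreadEx":        (0x9DEC0, syscall_stub(0xC7)),
}


def build_scenario():
    """Fresh disk image, a loaded copy, and two exports hooked by a hypothetical monitor."""
    disk = ModuleImage(0x180000000, NTDLL_EXPORTS)       # mapped from the file on disk
    mem = ModuleImage(0x7FFA12340000, NTDLL_EXPORTS)     # the process's loaded ntdll
    monitor_base = 0x7FFA0ABC0000                        # hypothetical monitoring DLL
    for i, name in enumerate(("NtAllocateVirtualMemory", "NtCreateThreadEx")):
        addr = mem.address_of(name)
        mem.write(name, make_jmp_patch(addr, monitor_base + 0x1000 + i * 0x40))
    return disk, mem, monitor_base


if __name__ == "__main__":
    disk, mem, monitor_base = build_scenario()
    for name, addr, target in find_hooks(disk, mem):
        print(f"{name} at {addr:#x} is hooked, jmp -> {target:#x}")
    print("restored:", unhook(disk, mem))
    print("hooks left:", find_hooks(disk, mem))
```

Two caveats a real implementation has to deal with and this simulation does not: the fresh copy must come from the file (or a second mapping of it) rather than from the already-patched module, and prologues that contain relocated absolute addresses will differ between disk and memory without being hooked, so the comparison has to be relocation-aware. The defender's view is the mirror image: if the bytes a monitoring product wrote are no longer there, the process has tampered with its instrumentation, which is itself a strong signal.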
The cybersecurity firm called the malware original, highlighting the author’s “coding skill and creativity” as well as the use of a standard library to perform malicious actions.
“Earth Freybug has been around for quite some time, and their methods have evolved over time,” Trend Micro said.
“This attack also demonstrates that even the simplest techniques can be used effectively if applied correctly. Implementing these techniques into an existing attack model makes the attack more difficult to detect.”