Threat actor linked to China hides via ‘peculiar’ malware.

Researchers have identified Earth Freybug, a threat actor linked to China, using a new malware tool to bypass mechanisms that organizations may have put in place to monitor Windows application programming interfaces (APIs) for malicious activity.

The malware, which Trend Micro researchers discovered and named UNAPIMON, works by disabling the hooks that security tools place in Windows APIs in order to inspect and scan the API calls made by processes.

Unhook API

The goal is to prevent any malware-generated processes from being detected or inspected by antivirus tools, sandboxing products, and other threat detection mechanisms.

“By looking at the behavior of UNAPIMON and how it was used in the attack, we can infer that its primary purpose is to unhook critical API functions in any child process,” Trend Micro said in a report this week.

“For environments that implement API monitoring via hooking, such as sandboxing systems, UNAPIMON will prevent monitoring of subprocesses,” the security vendor said. This allows malicious programs to run undetected.
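Hook-based API monitoring only works while the hooks are still in place, so a monitoring agent that wants to notice UNAPIMON-style unhooking has to verify its own hooks. The following is an added example (not code from the Trend Micro report or from UNAPIMON) that models this check in Python over plain byte strings: the agent records the 5-byte `jmp rel32` it wrote over a function prologue together with the bytes it displaced, and later classifies the prologue as intact, restored to the original bytes (unhooked), or overwritten with something else. The function name, addresses and prologue bytes are constructed for illustration; nothing here touches a real process.

```python
"""Model of hook-integrity verification for an API-monitoring agent.

Constructed example: function bytes, hook encoding and addresses are simulated
with byte strings in memory; no real Windows DLL or process is involved.
"""
import struct

HOOK_LEN = 5  # size of an x86/x64 'jmp rel32' (E9 xx xx xx xx)

# Constructed stand-in for the first bytes of an exported API function
# (assumption: illustrative bytes, not copied from any real library).
ORIGINAL_PROLOGUE = bytes.fromhex("4c8bd1b818")


def encode_jmp_rel32(from_addr: int, to_addr: int) -> bytes:
    """Encode a 5-byte relative jump from from_addr to to_addr."""
    rel = to_addr - (from_addr + HOOK_LEN)
    return b"\xe9" + struct.pack("<i", rel)


class MonitoredFunction:
    """Tracks one hooked API function in a (simulated) process image."""

    def __init__(self, name: str, address: int, code: bytes):
        self.name = name
        self.address = address
        self.code = bytearray(code)   # simulated in-process function bytes
        self.saved_prologue = None    # bytes the monitor displaced (trampoline copy)
        self.hook_bytes = None        # bytes the monitor wrote over the prologue

    def place_hook(self, handler_addr: int) -> None:
        """Monitor installs an inline hook: save original bytes, write the jump."""
        self.saved_prologue = bytes(self.code[:HOOK_LEN])
        self.hook_bytes = encode_jmp_rel32(self.address, handler_addr)
        self.code[:HOOK_LEN] = self.hook_bytes

    def verify(self) -> str:
        """Return 'intact', 'unhooked' (original bytes back), 'tampered' or 'not_hooked'."""
        if self.hook_bytes is None:
            return "not_hooked"
        current = bytes(self.code[:HOOK_LEN])
        if current == self.hook_bytes:
            return "intact"
        if current == self.saved_prologue:
            return "unhooked"
        return "tampered"


def audit(functions) -> list:
    """Names of monitored functions whose hook is no longer intact."""
    return [f.name for f in functions if f.verify() != "intact"]


def simulate_unhook(fn: MonitoredFunction) -> None:
    """Test stand-in for the effect of an unhooker: the original prologue is written back."""
    fn.code[:HOOK_LEN] = fn.saved_prologue


if __name__ == "__main__":
    # Constructed function image: the prologue followed by filler bytes.
    fn = MonitoredFunction("CreateProcessW", 0x7FF800001000, ORIGINAL_PROLOGUE + b"\x90" * 11)
    fn.place_hook(0x7FF800100000)
    print(fn.name, fn.verify())     # intact
    simulate_unhook(fn)
    print(fn.name, fn.verify())     # unhooked
    print("needs attention:", audit([fn]))
```

In a real agent the same comparison would be run periodically, or on each child-process creation, against the prologue bytes read from the live process; the design choice worth noting is that the agent compares against the bytes it wrote itself rather than against a disk copy, so a restored original prologue is reported as a distinct condition from arbitrary corruption.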

Trend Micro assessed Earth Freybug as a subset of APT41, a collective of Chinese threat groups variously named Winnti, Wicked Panda, Barium, and Suckfly. The group is known for using a collection of custom tools and so-called living-off-the-land binaries (LOLbins), that is, abusing legitimate system binaries such as PowerShell and Windows Management Instrumentation (WMI).

APT41 itself has been active since at least 2012 and is linked to numerous cyber espionage campaigns, supply chain attacks and financial cybercrime. In 2022, Cybereason researchers identified the threat actor as having stolen large volumes of trade secrets and intellectual property from companies in the United States and Asia over a period of years. Its victims include manufacturing and IT organizations, governments and critical infrastructure targets in the United States, East Asia and Europe. In 2020, the U.S. government accused five people believed to be associated with the group of involvement in attacks against more than 100 organizations globally.

Attack chain

In the recent incident observed by Trend Micro, Earth Freybug actors used a multi-stage approach to deliver UNAPIMON to target systems. In the first phase, attackers inserted malicious code of unknown origin into vmstools.exe, a process associated with a set of utilities that facilitate communication between a guest virtual machine and the underlying host machine. The malicious code created a scheduled task that executed a batch script file (cc.bat) on the host system.

The batch file’s job is to gather a set of system information and launch a second scheduled task that runs a second batch file, also named cc.bat, on the infected host. The second batch script exploits SessionEnv, a Windows service for managing remote desktop services, to sideload a malicious dynamic link library (DLL) onto the infected host. “The second cc.bat is notable because it leverages a service that loads a non-existent library to sideload a malicious DLL. In this case, the service is SessionEnv,” Trend Micro said.

The malicious DLL then drops UNAPIMON into the Windows service process for defense evasion purposes and also into a cmd.exe process that silently executes commands. “UNAPIMON itself is simple: it is a malware DLL written in C++ and is neither compressed nor obfuscated; it is not encrypted, except for a single string,” Trend Micro said. What makes it “peculiar” is its defense evasion technique, which consists of unhooking APIs so that malicious processes remain invisible to threat detection tools. “In typical scenarios, the malware does the hook. However, in this case it’s the opposite,” Trend Micro said.
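The attack chain above has three observable stages that do not depend on the API hooks UNAPIMON removes: a scheduled task whose action is a batch file, a service host loading a DLL from outside the system directory (the sideload), and a cmd.exe child spawned under a service process. The following is an added example, not code from the report, that runs these three heuristics over constructed event records. The event field names, the service-host list, and every path and task name in `SAMPLE_EVENTS` are assumptions constructed for the example, not indicators from the incident.

```python
"""Detection heuristics for the delivery chain described above, over constructed events.

Assumptions (constructed, not from the report): events are dicts with the
fields used below; process names, paths and task names are illustrative.
"""
import ntpath

SYSTEM_DIR = r"c:\windows\system32"

# Processes that host Windows services (assumption: illustrative list; a real
# deployment would derive it from the endpoint's service inventory).
SERVICE_HOSTS = {"svchost.exe", "services.exe"}


def is_under_system_dir(path: str) -> bool:
    """True when path lies inside the system directory (case-insensitive)."""
    return ntpath.normcase(path).startswith(SYSTEM_DIR + "\\")


def base(path: str) -> str:
    return ntpath.basename(ntpath.normcase(path))


def detect(events) -> list:
    """Return (rule, subject, detail) tuples for events matching a heuristic."""
    alerts = []
    for e in events:
        kind = e["type"]
        if kind == "task_registered":
            # Stage 1 and 2: a scheduled task that directly runs a .bat file.
            if e["action"].lower().endswith(".bat"):
                alerts.append(("batch_task", e["task"], e["action"]))
        elif kind == "image_load":
            # Stage 2: a service host pulling a DLL from outside System32.
            proc = base(e["process"])
            if proc in SERVICE_HOSTS and not is_under_system_dir(e["image"]):
                alerts.append(("service_dll_outside_system_dir", proc, e["image"]))
        elif kind == "process_create":
            # Stage 3: a command interpreter spawned beneath a service host.
            if base(e["parent"]) in SERVICE_HOSTS and base(e["image"]) == "cmd.exe":
                alerts.append(("cmd_under_service", base(e["parent"]), e["command_line"]))
    return alerts


# Constructed sample telemetry: two benign records and three that should fire.
SAMPLE_EVENTS = [
    {"type": "task_registered", "task": r"\Microsoft\Example\Maintenance",
     "action": r"C:\Windows\System32\example.exe"},
    {"type": "task_registered", "task": r"\Example\cc",
     "action": r"C:\Users\Public\cc.bat"},
    {"type": "image_load", "process": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\legit.dll"},
    {"type": "image_load", "process": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\Temp\loaded.dll"},
    {"type": "process_create", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The second heuristic is deliberately narrow: it catches a DLL planted where a service's search path finds it outside the system directory, but a DLL written into the system directory itself would need a different signal, such as a file-creation event for a new DLL there, or an image load that the service had previously failed to resolve. Treat the three rules as starting points to tune against local baselines rather than as a complete signature for this chain.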
