Winnti hacking group uses new UNAPIMON tool for cyberattacks

April 9, 2024
UNAPIMON Winnti Gang Cyberattacks Threat Actors Cyberespionage

The notorious Chinese hacking group Winnti is using a previously undocumented malware, UNAPIMON, to strip the API hooks that endpoint security products rely on, so that its follow-on activity runs without being monitored.

The group, active for more than a decade and known for sophisticated cyberespionage against targets ranging from governments to educational institutions, is tracked as 'Earth Freybug' in the Trend Micro research that documents this previously unseen custom malware.

UNAPIMON's delivery chain starts inside the legitimate VMware Tools process, vmtoolsd.exe.

According to the investigation, the operators begin by injecting code into the legitimate VMware Tools process, vmtoolsd.exe. From there they create a remote scheduled task that runs a batch file to gather system information, including network configuration and user details.

A second batch file, cc.bat, then abuses the SessionEnv service to side-load a DLL. That DLL loads UNAPIMON into memory and injects it into a cmd.exe process. For defenders, vmtoolsd.exe spawning task-scheduler or shell processes, and the SessionEnv service loading a DLL that was recently written to disk, are the observable signals in this chain.

UNAPIMON is a C++ DLL that uses Microsoft Detours to hook the CreateProcessW API function. Because every process the host creates passes through that hook, the malware gets a chance to remove the API hooks that security tools place in child processes before those processes run, defeating detection that depends on those hooks to observe API calls.

The unhooking routine works in several distinct steps. The CreateProcessW hook first alters the process creation call so that the new process starts in a suspended state, which leaves a window to modify it before any of its code runs.

UNAPIMON then looks for specific DLLs in the suspended process, writes local copies of them to the %User Temp% directory, and loads the copies without resolving their imports or running their entry points (the DONT_RESOLVE_DLL_REFERENCES behaviour of LoadLibraryEx). A copy loaded this way is a pristine image that no security product has had the opportunity to hook, so it can serve as the reference for what the code should look like.

Next, it compares each exported function in the clean copy with the same function as it exists in the child process's memory. Any difference at an export's address indicates a hook inserted by a security product. UNAPIMON overwrites the modified bytes in the child process with the original code from the clean copy, removing the hook.

Finally, it unloads the temporary DLL copies and resumes the child's main thread, so the child runs with the security product's hooks stripped out. The temporary copies in %User Temp% and the write into a suspended child process are both artifacts a defender can look for.
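The compare-and-restore step above, written out as an added example (this is not UNAPIMON's code, nor Trend Micro's). It models a tiny module with two exports as byte arrays constructed here, installs an inline jmp hook the way an EDR would, finds the exports whose prologue differs from the clean image, and copies the clean bytes back. The same comparison run the other way, with the hooked image as the baseline, is the defender's check that its hooks are still in place. PROLOGUE_LEN, the function names, the export table model and the sample bytes are all assumptions for illustration; on Windows the clean image would come from the LoadLibraryEx copy and the live image from the suspended child via ReadProcessMemory/WriteProcessMemory.

```c
/* Added example: prologue compare-and-restore (not UNAPIMON's code). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_SIZE   64
#define PROLOGUE_LEN 16   /* assumption: hooks modify the first bytes of an export */

/* Minimal export-table model: export name and offset (RVA) into the image. */
typedef struct {
    const char *name;
    uint32_t    rva;
} export_entry;

static const export_entry sample_exports[] = {
    { "NtAllocateVirtualMemory", 0x00 },
    { "NtWriteVirtualMemory",    0x20 },
};
#define N_EXPORTS (sizeof sample_exports / sizeof sample_exports[0])

/* Constructed clean image: two x64-style syscall stubs
   (mov r10,rcx ; mov eax,N ; syscall ; ret), rest zero. */
static const uint8_t clean_image[IMAGE_SIZE] = {
    [0x00] = 0x4C,0x8B,0xD1, 0xB8,0x18,0x00,0x00,0x00, 0x0F,0x05, 0xC3,
    [0x20] = 0x4C,0x8B,0xD1, 0xB8,0x3A,0x00,0x00,0x00, 0x0F,0x05, 0xC3,
};

/* Simulated EDR hook: overwrite an export's prologue with jmp rel32. */
void install_inline_hook(uint8_t *live, uint32_t rva, int32_t rel)
{
    live[rva] = 0xE9;
    memcpy(&live[rva + 1], &rel, sizeof rel);
}

/* Count exports whose prologue in `live` differs from `reference`;
   their indices are written to `hooked` (caller provides n slots). */
size_t find_hooked_exports(const uint8_t *live, const uint8_t *reference,
                           const export_entry *exports, size_t n, size_t *hooked)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t off = exports[i].rva;
        if (memcmp(live + off, reference + off, PROLOGUE_LEN) != 0)
            hooked[count++] = i;
    }
    return count;
}

/* Attacker's step: copy the clean prologue back over every hooked export.
   Returns the number of exports restored. */
size_t restore_exports(uint8_t *live, const uint8_t *clean,
                       const export_entry *exports, size_t n)
{
    size_t restored = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t off = exports[i].rva;
        if (memcmp(live + off, clean + off, PROLOGUE_LEN) != 0) {
            memcpy(live + off, clean + off, PROLOGUE_LEN);
            restored++;
        }
    }
    return restored;
}

/* Defender's inverse: the baseline is the image *with* hooks installed.
   Any difference means something removed them. Returns 1 if intact. */
int hooks_intact(const uint8_t *live, const uint8_t *hooked_baseline,
                 const export_entry *exports, size_t n)
{
    size_t idx[N_EXPORTS];
    return find_hooked_exports(live, hooked_baseline, exports, n, idx) == 0;
}

/* Walk the whole scenario; returns 0 on success, a step number on failure. */
int run_demo(void)
{
    uint8_t live[IMAGE_SIZE], baseline[IMAGE_SIZE];
    size_t hooked[N_EXPORTS];

    memcpy(live, clean_image, IMAGE_SIZE);
    install_inline_hook(live, sample_exports[0].rva, 0x1000); /* EDR hooks export 0 */
    memcpy(baseline, live, IMAGE_SIZE);                        /* EDR remembers it */

    size_t n = find_hooked_exports(live, clean_image, sample_exports, N_EXPORTS, hooked);
    if (n != 1 || hooked[0] != 0) return 1;                   /* exactly export 0 is hooked */
    if (!hooks_intact(live, baseline, sample_exports, N_EXPORTS)) return 2;

    if (restore_exports(live, clean_image, sample_exports, N_EXPORTS) != 1) return 3;
    if (memcmp(live, clean_image, IMAGE_SIZE) != 0) return 4;  /* image is pristine again */
    if (find_hooked_exports(live, clean_image, sample_exports, N_EXPORTS, hooked) != 0) return 5;
    if (hooks_intact(live, baseline, sample_exports, N_EXPORTS)) return 6; /* defender notices */
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (rc=%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

The defender-side check is deliberately the same function as the attacker's: whoever holds the trusted baseline wins the comparison, which is why unhookers fetch a fresh copy from disk rather than trusting anything already mapped in the process.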

Building the unhooker on a legitimate library such as Microsoft Detours, rather than on hand-rolled hooking code, gives UNAPIMON an edge over typical malware against behavioural detection, since the hooking itself looks like ordinary developer tooling. Winnti's continued investment in evasion of this kind reflects the maturity of its cyberespionage operations.
