China-linked Hackers Deploy New ‘UNAPIMON’ Malware for Stealthy Operations

Apr 02, 2024 | Newsroom | Cyber Espionage / Threat Intelligence

A threat activity cluster tracked as Earth Freybug has been observed using a new malware called UNAPIMON to fly under the radar.

“Earth Freybug is a cyberthreat group that has been active since at least 2012 that focuses on espionage and financially motivated activities,” Trend Micro security researcher Christopher So said in a report published today.

“It has been observed to target organizations from various sectors across different countries.”

The cybersecurity firm has described Earth Freybug as a subset within APT41, a China-linked cyber espionage group that is also tracked as Axiom, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti.


The adversarial collective is known to rely on a combination of living-off-the-land binaries (LOLBins) and custom malware to achieve its goals. Also adopted are techniques like dynamic-link library (DLL) hijacking and application programming interface (API) unhooking.

Trend Micro said the activity shares tactical overlaps with a cluster previously disclosed by cybersecurity company Cybereason under the name Operation CuckooBees, which refers to an intellectual property theft campaign targeting technology and manufacturing companies located in East Asia, Western Europe, and North America.

The starting point of the attack chain is the use of a legitimate executable associated with VMware Tools (“vmtoolsd.exe”) to create a scheduled task using “schtasks.exe” and deploy a file named “cc.bat” on the remote machine.

It is currently not known how the malicious code came to be injected into vmtoolsd.exe, although it is suspected that it may have involved the exploitation of external-facing servers.


The batch script is designed to gather system information and launch a second scheduled task on the infected host, which, in turn, executes another batch file with the same name (“cc.bat”) to ultimately run the UNAPIMON malware.

“The second cc.bat is notable for leveraging a service that loads a non-existent library to side-load a malicious DLL,” So explained. “In this case, the service is SessionEnv.”

This paves the way for the execution of TSMSISrv.DLL, which is responsible for dropping another DLL file (i.e., UNAPIMON) and injecting that same DLL into cmd.exe. At the same time, the DLL file is also injected into SessionEnv for defense evasion.

On top of that, the Windows command interpreter is made to execute commands coming from another machine, essentially turning it into a backdoor.
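The chain described above (vmtoolsd.exe creating a scheduled task for cc.bat, then the SessionEnv service side-loading TSMSISrv.DLL) gives a defender three concrete telemetry points. The following Python script is an added example, not code from Trend Micro's report: it runs that detection logic over constructed Sysmon-style events, with every path, the task name and the command lines invented for illustration.

```python
"""Detect the Earth Freybug chain in Sysmon-style events (ID 1 = process create, ID 7 = image load)."""

# Constructed sample telemetry: paths, task name and command lines are invented
# for illustration and are not indicators taken from the report.
VMTOOLSD = r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
SESSIONENV_CMD = "svchost.exe -k netsvcs -p -s SessionEnv"
SAMPLE_EVENTS = [
    {"id": 1, "image": VMTOOLSD, "parent": r"C:\Windows\System32\services.exe",
     "cmd": "vmtoolsd.exe -n vmusr"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": VMTOOLSD,
     "cmd": r'schtasks /create /tn Update /tr "cmd /c C:\Windows\Temp\cc.bat" /sc once /st 00:00'},
    {"id": 1, "image": SVCHOST, "parent": r"C:\Windows\System32\services.exe",
     "cmd": SESSIONENV_CMD},
    {"id": 7, "image": SVCHOST, "cmd": SESSIONENV_CMD,
     "loaded": r"C:\Windows\System32\TSMSISrv.dll"},
    {"id": 7, "image": SVCHOST, "cmd": SESSIONENV_CMD,
     "loaded": r"C:\Windows\System32\kernel32.dll"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events) -> list:
    """Return one finding string per matched step of the chain."""
    findings = []
    for e in events:
        image, cmd = basename(e["image"]), e.get("cmd", "").lower()
        if e["id"] == 1 and image == "schtasks.exe":
            # Step 1: VMware Tools' vmtoolsd.exe has no business spawning schtasks.exe.
            if basename(e.get("parent", "")) == "vmtoolsd.exe":
                findings.append("vmtoolsd.exe spawned schtasks.exe")
            # Step 2: a task being registered to run the cc.bat batch file.
            if "/create" in cmd and "cc.bat" in cmd:
                findings.append("scheduled task created to run cc.bat")
        elif e["id"] == 7 and "sessionenv" in cmd:
            # Step 3: the SessionEnv service host loading the library it looks for
            # but which does not normally exist, i.e. a planted side-load DLL.
            if basename(e["loaded"]) == "tsmsisrv.dll":
                findings.append("SessionEnv loaded TSMSISrv.dll from " + e["loaded"])
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print("ALERT:", finding)
```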


A simple C++-based malware, UNAPIMON is equipped to prevent child processes from being monitored by leveraging an open-source Microsoft library called Detours to unhook critical API functions, thereby evading detection in sandbox environments that implement API monitoring via hooking.

The cybersecurity company characterized the malware as original, calling out the author's “coding prowess and creativity” as well as their use of an off-the-shelf library to carry out malicious actions.

“Earth Freybug has been around for quite some time, and their methods have been seen to evolve through time,” Trend Micro said.

“This attack also demonstrates that even simple techniques can be used effectively when applied correctly. Implementing these techniques to an existing attack pattern makes the attack more difficult to discover.”


Author: The Hacker News
Date: 2024-04-02 07:00:00
