Scrape Timestamp (UTC): 2024-04-02 22:04:43.052
Winnti's new UNAPIMON tool hides malware from security software

The Chinese 'Winnti' hacking group was found using a previously undocumented malware called UNAPIMON to let malicious processes run without being detected.

Winnti, also known as APT41, is one of the oldest (active since 2012), most sophisticated and most prolific cyberespionage threat groups, believed to be a Chinese state-sponsored actor. Previously, they have targeted a broad spectrum of organizations, including governments, hardware vendors, software developers, think tanks, telecommunication service providers, and educational institutes.

A new report by Trend Micro delves into a previously unseen custom malware used in an operation they have been monitoring closely, attributing the cyberespionage attack to a cluster they named 'Earth Freybug.'

UNAPIMON attacks

The attack begins with a malicious process injected into the legitimate VMware Tools vmtoolsd.exe process, which executes a remote scheduled task to run a batch file that collects system information, including network configurations and user details.

Next, a second batch file (cc.bat) leverages DLL side-loading (TSMSISrv.dll) involving the SessionEnv service to load UNAPIMON in memory, injecting it into a cmd.exe process.

UNAPIMON is C++ malware delivered as a DLL (_{random}.dll) that uses Microsoft Detours to hook the CreateProcessW API function, which allows it to unhook critical API functions in the child processes it creates.

Because many security tools employ API hooking to track malicious activity, UNAPIMON's mechanism allows it to unhook those APIs from a malicious child process to evade detection.

According to Trend Micro's analysis, the evasion mechanism works in distinct steps, as listed below:

Trend Micro explains that most malware employs hooking to intercept calls, capture sensitive data, and alter software behavior. Hence, UNAPIMON's approach of unhooking for evasion is an unusual technique.
"A unique and notable feature of this malware is its simplicity and originality," concluded Trend Micro. "Its use of existing technologies, such as Microsoft Detours, shows that any simple and off-the-shelf library can be used maliciously if used creatively. This also displayed the coding prowess and creativity of the malware writer."

"In typical scenarios, it is the malware that does the hooking. However, it is the opposite in this case."

Furthermore, using the legitimate Microsoft Detours debugging tool to perform the unhooking could help the malware evade behavioral detections that an unknown custom unhooking routine might trigger.

The Winnti hackers are known for their novel methods of evading detection when conducting attacks. In 2020, the hackers were observed abusing Windows print processors to hide a backdoor and remain persistent. In 2022, the hackers split Cobalt Strike beacons into 154 small pieces to evade detection, only reconstructing them into an executable when they were ready to be launched.
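The attack chain above leaves host telemetry that a defender can match on before the unhooking ever happens: vmtoolsd.exe spawning a shell, TSMSISrv.dll loaded from somewhere other than its normal location, and cmd.exe loading an underscore-prefixed DLL. The following is an added example (not Trend Micro's code or any product's rule) that runs three such heuristics over constructed Sysmon-style events; it assumes the legitimate TSMSISrv.dll lives under System32/SysWOW64 and that the `_{random}.dll` name is alphanumeric.

```python
import re

# Constructed Sysmon-style events (not real telemetry). EventID 1 = process
# creation, EventID 7 = image (DLL) load; field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe",
     "CommandLine": "cmd.exe /c C:\\Windows\\Temp\\cc.bat"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",   # SessionEnv host
     "ImageLoaded": "C:\\Windows\\Temp\\TSMSISrv.dll"},              # side-loaded copy
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\TSMSISrv.dll"},          # legitimate load
    {"EventID": 7, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ImageLoaded": "C:\\Windows\\Temp\\_a1b2c3.dll"},               # _{random}.dll
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
]

# Assumption: the genuine TSMSISrv.dll is only ever loaded from these directories.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: the loader DLL name is an underscore followed by alphanumerics.
UNDERSCORE_DLL = re.compile(r"^_[a-z0-9]+\.dll$", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def detect(events):
    """Return (rule_name, evidence) tuples for events matching any heuristic."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1:
            # Rule 1: the VMware Tools daemon should not be launching shells or schtasks.
            if _basename(ev["ParentImage"]) == "vmtoolsd.exe" and \
                    _basename(ev["Image"]) in ("cmd.exe", "schtasks.exe"):
                hits.append(("vmtoolsd_spawns_shell", ev["CommandLine"]))
        elif ev["EventID"] == 7:
            dll, name = ev["ImageLoaded"], _basename(ev["ImageLoaded"])
            # Rule 2: TSMSISrv.dll resolved from a non-system directory = side-loading.
            if name == "tsmsisrv.dll" and not _in_system_dir(dll):
                hits.append(("tsmsisrv_sideload", dll))
            # Rule 3: cmd.exe mapping an underscore-named DLL from outside System32.
            if _basename(ev["Image"]) == "cmd.exe" and UNDERSCORE_DLL.match(name) \
                    and not _in_system_dir(dll):
                hits.append(("cmd_loads_underscore_dll", dll))
    return hits


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Rule 3 is a loose heuristic and will need tuning against a baseline of legitimate underscore-named DLLs in the environment; rules 1 and 2 are tight enough to alert on directly.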
Daily Brief Summary
Chinese hacking group Winnti is using a new malware named UNAPIMON to run malicious processes undetected.
Also known as APT41, Winnti is a state-sponsored actor with a history of sophisticated cyberespionage since 2012.
The Trend Micro report details UNAPIMON, which is loaded via DLL side-loading involving the SessionEnv service.
UNAPIMON uses Microsoft Detours to unhook critical API functions in child processes, helping it evade security monitoring tools.
Most malware uses hooking mechanisms; however, UNAPIMON uniquely employs unhooking to avoid detection by security software.
The malware’s simplicity and creative use of Microsoft Detours highlight the coding skills of the malware developers.
Winnti's history includes innovative techniques for evasion, such as hiding a backdoor in Windows print processors and fragmenting Cobalt Strike beacons.