"Earth Freybug is a cyberthreat group that focuses on espionage and financially motivated activities," Trend Micro security analyst Christopher So stated in a report released today. The group has been active since at least 2012.
"It has been observed to target organisations from various sectors across different countries."
According to the cybersecurity company, Earth Freybug is assessed to be a subset of APT41, a China-linked cyber espionage group that is also tracked under the names Axiom, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti.
To achieve its objectives, the threat actor is reported to rely on a mix of bespoke malware and living-off-the-land binaries (LOLBins). Techniques such as application programming interface (API) unhooking and dynamic-link library (DLL) hijacking are also used.
According to Trend Micro, the activity has tactical similarities with a cluster that cybersecurity firm Cybereason previously revealed under the moniker Operation CuckooBees. Operation CuckooBees is a campaign of intellectual property theft that targets manufacturing and technology companies in North America, Western Europe, and East Asia.
The attack chain begins with the abuse of a legitimate VMware Tools executable ("vmtoolsd.exe") to create a scheduled task with "schtasks.exe" and deploy a batch file named "cc.bat" on the remote machine.
The batch script is designed to collect system information and register a second scheduled task on the compromised host. That task in turn executes another batch file, also named "cc.bat", which ultimately launches the UNAPIMON malware.
This paves the way for the execution of TSMSISrv.DLL, which is responsible for dropping UNAPIMON and injecting that DLL into cmd.exe, among others. The DLL is also injected into SessionEnv as a defence evasion measure.
UNAPIMON itself is a simple C++ malware that uses Detours, an open-source Microsoft library, to unhook critical API functions. This lets it evade detection in sandbox environments where API monitoring relies on hooking: once the hooks are removed, the calls the malware makes afterwards are no longer observed.
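The practical counter to API unhooking is a hook-integrity check: the monitoring component periodically re-reads the first bytes of each export it hooked and verifies that its jump is still there and still lands inside its own module. The Python below is an added example, not code from the Trend Micro report, The Hacker News, or the malware, that runs such a check over a constructed in-memory model of a process. The module bases, export addresses, hook encodings and restored syscall-stub bytes are all made up for illustration, and the `Memory`, `decode_jump_target` and `check_hooks` names are mine. It decodes the three x64 jump shapes a Detours-style hook or its trampoline commonly uses (`jmp rel32`, `jmp [rip+disp32]`, `mov rax, imm64; jmp rax`) and classifies each export as hooked, unhooked (original prologue written back) or redirected elsewhere.

```python
"""Hook-integrity check: spot user-mode API hooks that have been unhooked.

Added example. Everything below is a constructed model of a process address
space: module bases, export addresses, hook encodings and the restored stub
bytes are made up for illustration and are not data from the report.
"""
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


class Memory:
    """Sparse process memory: region start address -> bytes."""

    def __init__(self) -> None:
        self.regions: dict[int, bytes] = {}

    def write(self, addr: int, data: bytes) -> None:
        self.regions[addr] = bytes(data)

    def read(self, addr: int, n: int) -> bytes:
        for start, data in self.regions.items():
            if start <= addr and addr + n <= start + len(data):
                return data[addr - start:addr - start + n]
        raise KeyError(f"unmapped read at {addr:#x}")


def decode_jump_target(mem: Memory, addr: int) -> Optional[int]:
    """Decode the jump at addr (x64 encodings a hook or trampoline commonly uses).

    Returns the jump destination, or None if the prologue is not a jump at all,
    i.e. the original instructions are (back) in place.
    """
    code = mem.read(addr, 12)
    if code[0] == 0xE9:                                   # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return (addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF
    if code[:2] == b"\xFF\x25":                           # jmp qword ptr [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        return struct.unpack("<Q", mem.read(addr + 6 + disp, 8))[0]
    if code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":   # mov rax, imm64 ; jmp rax
        return struct.unpack_from("<Q", code, 2)[0]
    return None


def check_hooks(mem: Memory, exports: dict, edr: Module) -> dict:
    """Classify every export the EDR believes it hooked."""
    verdicts = {}
    for name, addr in exports.items():
        target = decode_jump_target(mem, addr)
        if target is None:
            verdicts[name] = "UNHOOKED"                    # prologue restored: Detours-style unhook
        elif edr.contains(target):
            verdicts[name] = "hooked"                      # our hook is intact
        else:
            verdicts[name] = f"redirected to {target:#x}"  # someone else's patch
    return verdicts


# ---- constructed scenario (all addresses invented) ---------------------------
NTDLL = Module("ntdll.dll", 0x7FFD00000000, 0x200000)
EDR = Module("edr_hooks.dll", 0x7FFD10000000, 0x100000)   # within +/-2 GiB, so jmp rel32 reaches it
# Shape of an x64 ntdll syscall stub (mov r10,rcx ; mov eax,<nr> ; test ...); the number 0x3A is illustrative.
SYSCALL_STUB = bytes.fromhex("4C8BD1B83A000000F604250803FE7F01")


def jmp_rel32(src: int, dst: int) -> bytes:
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


def build_scenario() -> tuple:
    mem = Memory()
    exports = {
        "NtCreateFile": NTDLL.base + 0x1000,
        "NtWriteVirtualMemory": NTDLL.base + 0x2000,
        "NtOpenProcess": NTDLL.base + 0x3000,
        "NtProtectVirtualMemory": NTDLL.base + 0x4000,
    }
    # intact hook: jmp rel32 into the EDR module
    a = exports["NtCreateFile"]
    mem.write(a, jmp_rel32(a, EDR.base + 0x1234) + b"\x90" * 11)
    # unhooked: the original stub bytes were written back over the jump
    mem.write(exports["NtWriteVirtualMemory"], SYSCALL_STUB)
    # intact hook through an indirect jump and an 8-byte pointer slot
    a = exports["NtOpenProcess"]
    slot = a + 0x100
    mem.write(a, b"\xFF\x25" + struct.pack("<i", slot - (a + 6)) + b"\x90" * 10)
    mem.write(slot, struct.pack("<Q", EDR.base + 0x2000))
    # jump still present, but it now leads outside the EDR module
    a = exports["NtProtectVirtualMemory"]
    mem.write(a, b"\x48\xB8" + struct.pack("<Q", 0x1F0000) + b"\xFF\xE0" + b"\x90" * 4)
    return mem, exports


if __name__ == "__main__":
    mem, exports = build_scenario()
    for name, verdict in check_hooks(mem, exports, EDR).items():
        print(f"{name:24} {verdict}")
```

On a real system the same logic reads the prologues from inside the process or with ReadProcessMemory and compares them against the monitoring component's own record of what it wrote; a more robust variant also compares the live prologue with the on-disk image of the DLL, which catches third-party patches as well as restorations.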
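The process-creation telemetry the scheduled-task stages leave behind is where a detection engineer would start: schtasks.exe or a shell running as a child of vmtoolsd.exe (commands issued through VMware guest operations are spawned by that service process), a scheduled task whose action is a batch file, and cmd.exe executing the reported cc.bat. The Python below is an added example, not code from the report or the article. It runs those three rules over a handful of constructed Sysmon Event ID 1 records (field names as Sysmon logs them; the GUIDs, paths and task names are invented) and reconstructs each alert's parent chain so the two cc.bat stages can be tied together.

```python
"""Process-creation detections for the scheduled-task stages described above.

Added example; the events below are constructed Sysmon Event ID 1 records
(field names as Sysmon logs them, values made up), not telemetry from the report.
"""
import ntpath
import shlex

EVENTS = [
    # vmtoolsd.exe, the VMware Tools service; guest operations spawn their commands as its children
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0", "Image": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"'},
    # first stage: task created by a vmtoolsd.exe child, action is a batch file
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "CommandLine": r'schtasks.exe /create /tn "\Microsoft\Windows\Update\cc" /tr "C:\Windows\Temp\cc.bat" /sc once /st 00:00 /ru SYSTEM /f'},
    # Task Scheduler runs the batch file (the task host is a svchost.exe instance)
    {"ProcessGuid": "g9", "ParentProcessGuid": "g0", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g9", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": r'C:\Windows\System32\cmd.exe /c "C:\Windows\Temp\cc.bat"'},
    # second stage: the batch file registers another task whose action is another cc.bat
    {"ProcessGuid": "g4", "ParentProcessGuid": "g3", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn "\Microsoft\Windows\Diag\cc" /tr "C:\ProgramData\cc\cc.bat" /sc once /st 00:01 /ru SYSTEM /f'},
    # benign noise: an installer registering its updater task, and an interactive shell
    {"ProcessGuid": "g5", "ParentProcessGuid": "g7", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files\App\setup.exe",
     "CommandLine": r'schtasks /create /tn "AppUpdate" /tr "C:\Program Files\App\updater.exe" /sc daily /st 03:00'},
    {"ProcessGuid": "g6", "ParentProcessGuid": "g8", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"cmd.exe /c dir C:\Users"},
]


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def tokens(cmdline: str) -> list:
    """Split a Windows command line: non-POSIX mode keeps backslashes literal, then quotes are stripped."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def parse_task_action(cmdline: str):
    """Return the /tr (program to run) argument of a schtasks /create command line, else None."""
    toks = tokens(cmdline)
    low = [t.lower() for t in toks]
    if not low or base(low[0]) not in ("schtasks", "schtasks.exe") or "/create" not in low or "/tr" not in low:
        return None
    i = low.index("/tr")
    return toks[i + 1] if i + 1 < len(toks) else None


def ancestry(by_guid: dict, guid: str, limit: int = 8) -> list:
    """Walk ParentProcessGuid links; image basenames from the process up to the last ancestor we have."""
    chain = []
    while guid in by_guid and len(chain) < limit:
        ev = by_guid[guid]
        chain.append(base(ev["Image"]))
        guid = ev["ParentProcessGuid"]
    return chain


def run_detections(events: list) -> list:
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []

    def alert(rule, ev, detail):
        alerts.append({"rule": rule, "guid": ev["ProcessGuid"],
                       "chain": " <- ".join(ancestry(by_guid, ev["ProcessGuid"])), "detail": detail})

    for ev in events:
        img, parent = base(ev["Image"]), base(ev["ParentImage"])
        # Rule 1: VMware Tools guest operations used to launch a task-scheduling or shell binary
        if parent == "vmtoolsd.exe" and img in ("schtasks.exe", "cmd.exe", "powershell.exe", "wmic.exe"):
            alert("vmtoolsd_child", ev, f"{img} spawned by vmtoolsd.exe")
        # Rule 2: a task whose action is a batch file (cc.bat in this chain; any .bat is worth triage)
        action = parse_task_action(ev["CommandLine"]) if img == "schtasks.exe" else None
        if action and action.lower().endswith(".bat"):
            note = " (matches reported cc.bat)" if base(action) == "cc.bat" else ""
            alert("task_with_batch_action", ev, f"task action {action}{note}")
        # Rule 3: cmd.exe executing the reported batch file name
        if img == "cmd.exe" and any(base(t) == "cc.bat" for t in tokens(ev["CommandLine"])):
            alert("cc_bat_execution", ev, ev["CommandLine"])
    return alerts


if __name__ == "__main__":
    for a in run_detections(EVENTS):
        print(f'{a["rule"]:24} {a["guid"]}  {a["chain"]}  |  {a["detail"]}')
```

The cc.bat rule is an indicator match and will age; the vmtoolsd.exe parent relationship and the batch-file task action are the behavioural signals worth keeping. In production the same checks map directly onto a Sigma rule or an EDR query keyed on Image, ParentImage and CommandLine.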
Source: The Hacker News