    China-linked hackers deploy new “UNAPIMON” malware for covert operations

By techempire

April 2, 2024 | Editorial Department | Cyber espionage / threat intelligence


A threat activity cluster tracked as Earth Freybug has been observed using a new piece of malware called UNAPIMON to fly under the radar.

    “Earth Freybug is a cyber threat group that has been active since at least 2012 and focuses on espionage and financially motivated activities,” Trend Micro security researcher Christopher So said in a report released today.

    “It has been observed that it targets organizations from different sectors in different countries.”

    The cybersecurity firm describes Earth Freybug as a subset of APT41, a China-linked cyber espionage group also tracked as Axiom, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda and Winnti.


The adversary group is known to rely on a combination of living-off-the-land binaries (LOLBins) and custom malware to achieve its goals. Techniques such as dynamic link library (DLL) hijacking and application programming interface (API) unhooking are also used.

Trend Micro said the campaign overlaps in tactics with a cluster previously disclosed by cybersecurity firm Cybereason as "Operation CuckooBees," which targeted technology and manufacturing companies in East Asia, Western Europe, and North America for intellectual property theft.

The starting point of the attack chain is the use of a legitimate executable associated with VMware Tools ("vmtoolsd.exe") to create a scheduled task with "schtasks.exe" and deploy a file named "cc.bat" on the remote machine.

    It is unclear how the malicious code was injected into vmtoolsd.exe, although it is suspected that it may involve the exploitation of external-facing servers.


    This batch script is designed to collect system information and launch a second scheduled task on the infected host, which in turn executes another batch file with the same name (“cc.bat”) to ultimately execute the UNAPIMON malware.

    “The second cc.bat is noteworthy in that it uses a service that loads a non-existent library to sideload a malicious DLL,” So explained. “In this case, the service is SessionEnv.”

This paves the way for the execution of TSMSISrv.DLL, which is responsible for dropping another DLL file (namely UNAPIMON) and injecting that DLL into cmd.exe. At the same time, the DLL is also injected into SessionEnv for defense evasion.

On top of that, the Windows command interpreter is then used to execute commands sent from another machine, essentially turning it into a backdoor.
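To make the chain above concrete for a detection engineer, here is an added example (written for this edit; it is not code from the article, from Trend Micro, or from the malware). It runs four Sysmon-style rules over constructed events: vmtoolsd.exe spawning schtasks.exe, any process command line referencing cc.bat, the SessionEnv service host (svchost.exe) loading a TSMSISrv.DLL that is not signed, and svchost.exe spawning cmd.exe. The events, hostnames, paths and field values are constructed; using the `Signed` field as the sideload discriminator assumes the dropped TSMSISrv.DLL is not Microsoft-signed, which the article does not state.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (Event ID 1 = process create, 7 = image load).
# Indexes 0 and 1 are a benign baseline; 2-4 reproduce the chain from the article.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /tr C:\Tools\backup.exe /sc daily'},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\sessenv.dll", "Signed": "true"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /s FILESRV01 /tn "Maint" /tr C:\Windows\Temp\cc.bat /sc once /st 23:00'},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\TSMSISrv.DLL", "Signed": "false"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c C:\Windows\Temp\cc.bat"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' if the field is absent)."""
    return PureWindowsPath(path).name.lower()


def rule_vmtoolsd_schtasks(ev: dict) -> bool:
    """VMware Tools daemon creating scheduled tasks is not normal behaviour."""
    return (ev.get("EventID") == 1
            and basename(ev.get("ParentImage", "")) == "vmtoolsd.exe"
            and basename(ev.get("Image", "")) == "schtasks.exe")


def rule_cc_bat(ev: dict) -> bool:
    """Any process launched with cc.bat on its command line (task creation or run)."""
    cmd = ev.get("CommandLine", "").lower()
    return ev.get("EventID") == 1 and re.search(r"\bcc\.bat\b", cmd) is not None


def rule_sessionenv_sideload(ev: dict) -> bool:
    """svchost (which hosts SessionEnv) loading an unsigned TSMSISrv.DLL."""
    return (ev.get("EventID") == 7
            and basename(ev.get("Image", "")) == "svchost.exe"
            and basename(ev.get("ImageLoaded", "")) == "tsmsisrv.dll"
            and str(ev.get("Signed", "false")).lower() != "true")


def rule_svchost_spawns_cmd(ev: dict) -> bool:
    """A service host spawning cmd.exe: the injected command shell stage."""
    return (ev.get("EventID") == 1
            and basename(ev.get("ParentImage", "")) == "svchost.exe"
            and basename(ev.get("Image", "")) == "cmd.exe")


RULES = {
    "vmtoolsd_schtasks": rule_vmtoolsd_schtasks,
    "cc_bat_task": rule_cc_bat,
    "sessionenv_sideload": rule_sessionenv_sideload,
    "svchost_spawns_cmd": rule_svchost_spawns_cmd,
}


def run_rules(events):
    """Return (rule_name, event_index) for every rule that fires on every event."""
    return [(name, idx) for idx, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


def chain_detected(events, minimum=2) -> bool:
    """Correlate: require at least `minimum` distinct stages of the chain on one host."""
    return len({name for name, _ in run_rules(events)}) >= minimum


if __name__ == "__main__":
    for name, idx in run_rules(SAMPLE_EVENTS):
        print(f"{name:22s} event[{idx}]")
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
```

Each rule on its own is noisy (svchost.exe spawning cmd.exe happens legitimately), which is why `chain_detected` requires two distinct stages before raising an alert. On a real host you would additionally baseline whether TSMSISrv.DLL is expected to exist at all, since the article's point is that the service tries to load a library that is normally absent.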


UNAPIMON is a simple C++-based malware that uses an open source Microsoft library called Detours to unhook critical API functions in child processes, preventing those processes from being monitored and thereby evading detection in sandbox environments that implement API monitoring through hooking.
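The hooking and unhooking that this evasion turns on can be shown at byte level. The following is an added example (not UNAPIMON's code and not Detours): it models a process's mapped ntdll as a dictionary of 16-byte function prologues, installs a Detours-style inline hook by overwriting the first five bytes with a `jmp rel32`, removes the hook by copying the prologue back from a clean copy of the image, and then runs the integrity check a monitor would use to notice that its hooks are gone. The prologue bytes, syscall numbers and addresses are constructed; restoring bytes from a clean image is one standard unhooking method, not a claim about UNAPIMON's internals.

```python
import struct

# Constructed sample: x64 ntdll-style stubs (mov r10,rcx ; mov eax,<ssn> ; test ...).
# The syscall numbers are illustrative, not taken from any real Windows build.
CLEAN_IMAGE = {
    "NtCreateFile":         bytes.fromhex("4c8bd1b855000000f604250803fe7f01"),
    "NtWriteVirtualMemory": bytes.fromhex("4c8bd1b83a000000f604250803fe7f01"),
}
# Assumed load addresses for the model; the hooks sit within +/-2 GiB of the targets.
FUNC_ADDR = {"NtCreateFile": 0x7FFA12345670, "NtWriteVirtualMemory": 0x7FFA123456F0}
HOOK_ADDR = {"NtCreateFile": 0x7FFA11000000, "NtWriteVirtualMemory": 0x7FFA11000100}


def load_image(clean):
    """Model a freshly mapped DLL: a mutable copy of the clean prologues."""
    return {name: bytearray(code) for name, code in clean.items()}


def jmp_rel32(from_addr: int, to_addr: int) -> bytes:
    """Encode `jmp rel32` (E9 xx xx xx xx) from from_addr to to_addr."""
    rel = to_addr - (from_addr + 5)
    if not -2**31 <= rel < 2**31:
        # Detours sidesteps this limit by allocating its trampoline near the target.
        raise ValueError("target not reachable with a rel32 jump")
    return b"\xe9" + struct.pack("<i", rel)


def install_hook(mem, name: str) -> bytes:
    """Inline-hook `name`: save the displaced bytes (for the trampoline), patch a jmp."""
    saved = bytes(mem[name][:5])
    mem[name][:5] = jmp_rel32(FUNC_ADDR[name], HOOK_ADDR[name])
    return saved


def unhook(mem, name: str, clean) -> None:
    """Remove the hook by copying the prologue back from a clean copy of the image."""
    mem[name][:] = clean[name]


def is_hooked(mem, name: str) -> bool:
    """True if the prologue still begins with the monitor's jmp to its hook."""
    return bytes(mem[name][:5]) == jmp_rel32(FUNC_ADDR[name], HOOK_ADDR[name])


def verify_hooks(mem, hooked_names):
    """Return the functions whose hooks have gone missing: a tampering indicator."""
    return [n for n in hooked_names if not is_hooked(mem, n)]


def demo():
    """Monitor hooks both stubs; an unhooker restores one; the check names it."""
    mem = load_image(CLEAN_IMAGE)
    for n in CLEAN_IMAGE:
        install_hook(mem, n)
    assert verify_hooks(mem, list(CLEAN_IMAGE)) == []
    unhook(mem, "NtWriteVirtualMemory", CLEAN_IMAGE)
    return verify_hooks(mem, list(CLEAN_IMAGE))


if __name__ == "__main__":
    print("hooks removed:", demo())
```

Because UNAPIMON unhooks in the child processes it spawns, a monitor that checks its hooks only once at injection time never sees the removal; the check in `verify_hooks` has to run again after each process creation, or the monitoring has to move somewhere the child cannot patch (a kernel callback or ETW provider rather than a user-mode prologue).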

    The cybersecurity firm characterized the malware as original, praising the authors’ “coding skills and creativity” and their use of off-the-shelf libraries to perform malicious operations.

    “Earth Freybug has been around for quite some time, and their methods have evolved over time,” Trend Micro said.

    “This attack also shows that even simple techniques can be used effectively if applied correctly. Applying these techniques to existing attack patterns can make attacks more difficult to detect.”
