New Method Lets Winnti Espionage Collect Data

Trend Micro has released a report detailing the use of new malware, Unapimon, by the Chinese group Winnti (APT41). The malware lets the attackers evade detection systems and operate unnoticed. Winnti has been carrying out cyber espionage campaigns since 2012, targeting organizations globally, including government entities, equipment suppliers, and software developers. Trend Micro has linked the recently detected espionage campaign to a cluster it tracks as “Earth Freybug”.

According to Trend Micro, the campaigns employing Unapimon show a high level of technical sophistication. The attack begins by injecting the malware into the legitimate vmtoolsd.exe process from VMware Tools; that process then executes a scheduled task that launches a package file to collect system information such as network configurations and user data.

The attackers use DLL sideloading to load Unapimon into memory and inject it into cmd.exe. Unapimon, a malicious C++ program delivered as a DLL, uses Microsoft's Detours hooking library to intercept the CreateProcessW API, which lets it disable crucial API functions in the child processes that are created through it.

One notable feature of Unapimon is its ability to bypass the API interception (hooking) mechanisms that security tools use to track malicious activity, rendering it invisible to many of them. It does this by altering how child processes are created, then locating and replacing the hooked DLL calls and deleting the temporary DLL copies it used, so that the primary execution flow resumes undetected.

Trend Micro underscores that the use of Unapimon shows a novel and creative approach to developing malicious software, illustrating how basic and widely available technology can be leveraged for nefarious purposes. For instance, the attackers build on an official Microsoft debugging library, Microsoft Detours, which is intended for creating debugging, tracing, profiling, or monitoring tools, logging function calls, and intercepting system calls.
