China-linked Hackers Deploy New 'UNAPIMON' Malware for Stealthy Operations

The Earth Freybug cyberthreat group, part of APT41, has been using a new malware named UNAPIMON for covert operations. This group, active since 2012, engages in espionage and financially motivated activities, targeting organizations worldwide. They use a mix of living-off-the-land binaries and custom malware, along with tactics like DLL hijacking and API unhooking. Trend Micro noted similarities between Earth Freybug’s tactics and a previously disclosed campaign called Operation CuckooBees, which focused on intellectual property theft in technology and manufacturing sectors across Asia, Europe, and North America.

The connection between Earth Freybug and APT41, also known by aliases such as Axiom, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti, underscores the group's ties to sophisticated cyber espionage operations. The attack chain initiated by Earth Freybug typically begins with the exploitation of a legitimate executable associated with VMware Tools, specifically "vmtoolsd[.]exe." This executable is leveraged to create a scheduled task using "schtasks.exe" and deploy a batch file named "cc[.]bat" on the target machine. The "cc[.]bat" batch script is designed to gather system information and initiate a second scheduled task that executes another batch file with the same name. This secondary batch file facilitates the execution of the UNAPIMON malware.

Security Officer Comments:
UNAPIMON, characterized as a simple yet effective C++-based malware, employs techniques to prevent its child processes from being monitored, particularly in sandbox environments that rely on API monitoring through hooking. It achieves this evasion by utilizing the Detours library, an open-source Microsoft library, to unhook critical API functions. The deployment of UNAPIMON allows Earth Freybug to establish a backdoor into compromised systems, granting them unauthorized access and control. This backdoor functionality, coupled with sophisticated evasion techniques, poses a significant challenge for cybersecurity professionals tasked with detecting and mitigating such threats.

Suggested Corrections:
In this specific Earth Freybug attack, the threat actor used administrator accounts, which means that the threat actors knew the admin credentials, rendering group policies useless. The only way to prevent this from happening in an environment is good housekeeping, which involves frequent password rotation, limiting access to admin accounts to actual admins, and activity logging.

In this incident, data exfiltration was done using a third-party collaborative software platform over which we do not have control. Even if the write permissions were revoked for affected folders that could be accessed through the collaborative software, the threat actor could just simply override it, since the threat actor is the admin from the system’s point of view.

Users should restrict admin privileges and follow the principle of least privilege. The fewer people with admin privileges, the fewer loopholes in the system malicious actors can take advantage of.