
Unveiling Earth Freybug: The Stealthy Cyber Threat Employing UNAPIMON Malware to Elude Detection

Charles M. Walls | April 2, 2024


A cyber threat actor known as Earth Freybug, identified by researchers at Trend Micro, is using a new piece of malware, dubbed UNAPIMON, whose techniques are designed to evade detection. Earth Freybug, active since 2012, is known for both espionage and financially motivated attacks against a wide range of sectors across the globe, according to Trend Micro security researcher Christopher So.

The group is a part of a larger, China-affiliated espionage collective called APT41, which goes by several aliases including Axiom, Brass Typhoon (previously Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti. Their strategy involves a clever mix of leveraging built-in software tools (often referred to as LOLBins) and custom-created malicious software to achieve their objectives, further incorporating methods like DLL hijacking and API unhooking for stealth operations.

This threat actor's methods have been linked to a previously exposed operation by Cybereason, termed Operation CuckooBees, which focused on stealing intellectual property from tech and manufacturing companies in East Asia, Western Europe, and North America.

Earth Freybug's attack chain begins by abusing a legitimate VMware Tools executable ("vmtoolsd.exe") to create a scheduled task with "schtasks.exe" and drop a batch file ("cc.bat") onto the target system. Precisely how the malicious code is introduced into vmtoolsd.exe remains unclear, though it is suspected to involve exploiting vulnerabilities in externally accessible servers.

The batch file's primary job is to gather system information and trigger another scheduled task, which runs a second batch file with the same name ("cc.bat") that in turn launches the UNAPIMON malware. Along the way, a service is used to load a malicious DLL by way of a library that does not exist on the system, a DLL-hijacking tactic described by So.
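The chain above leaves a distinctive trail in process-creation telemetry: VMware Tools spawning schtasks.exe, a task creation that points at a batch file, and that batch file later being launched by the Task Scheduler. The following is an added detection example, not code from the original article or from Trend Micro's research. It runs simple rules over constructed Sysmon-style Event ID 1 records (field names EventID, Image, ParentImage and CommandLine as Sysmon uses them; the paths, task name and command lines are made up for the sample and are not indicators from the report):

```python
import json
import re

# Constructed Sysmon-style process-creation events (JSON lines), one per line.
# These are sample records written for this example, not real telemetry.
SAMPLE_LOG = r"""
{"EventID":1,"ParentImage":"C:\\Windows\\System32\\services.exe","Image":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","CommandLine":"\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\""}
{"EventID":1,"ParentImage":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks.exe /create /tn Updater /tr C:\\Windows\\Temp\\cc.bat /sc once /st 00:00"}
{"EventID":1,"ParentImage":"C:\\Windows\\System32\\svchost.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c C:\\Windows\\Temp\\cc.bat"}
{"EventID":1,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks.exe /query /tn Backup"}
{"EventID":1,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe"}
"""

BATCH_FILE = re.compile(r"\.bat\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(event: dict) -> list[str]:
    """Return the names of every rule a single process-creation event matches."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    findings = []
    # Rule 1: the VMware Tools service process should never be creating scheduled tasks.
    if parent == "vmtoolsd.exe" and image == "schtasks.exe":
        findings.append("vmtoolsd.exe spawned schtasks.exe")
    # Rule 2: a task being created whose action is a batch file.
    if image == "schtasks.exe" and "/create" in cmd.lower() and BATCH_FILE.search(cmd):
        findings.append("schtasks.exe creating a task that runs a batch file")
    # Rule 3: scheduled tasks run under the Task Scheduler's svchost.exe; a batch file
    # launched from there is worth a look even on its own.
    if image == "cmd.exe" and parent == "svchost.exe" and BATCH_FILE.search(cmd):
        findings.append("batch file launched by the Task Scheduler")
    return findings


def scan(log_text: str) -> list[tuple[int, list[str]]]:
    """Parse JSON lines and return (line number, findings) for every event that fires a rule."""
    results = []
    for lineno, raw in enumerate(log_text.strip().splitlines(), start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed record: skip rather than abort the whole scan
        if event.get("EventID") != 1:
            continue
        hits = detect(event)
        if hits:
            results.append((lineno, hits))
    return results


if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: " + "; ".join(hits))
```

Rule 1 is the narrowest and most specific to this chain; rules 2 and 3 fire on legitimate administration too, so in practice they are better used to enrich an alert from rule 1 than as alerts on their own.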

UNAPIMON is then injected into critical system processes to evade detection, and the Windows command interpreter is co-opted to accept commands remotely, effectively turning it into a covert backdoor.

Written in C++, UNAPIMON shows the attackers' technical skill and their inventive use of existing libraries to sidestep security tools that monitor API calls, which makes it particularly hard to detect in controlled testing environments.
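API-call monitoring of the kind the article refers to usually relies on inline hooks placed inside the monitored process, which means the process can overwrite them, and a monitor that never re-checks its hooks will silently go blind. The example below is added here and is not the article's or Trend Micro's code; it models a library's code region as a bytearray and shows the defender-side integrity check a monitor should run. The prologue bytes, offsets and 5-byte relative-jump stub are illustrative assumptions standing in for real addresses and a real hooking engine:

```python
import struct

# Illustrative prologue of a monitored function (assumption, not a real dump):
# "mov r10, rcx; mov eax, imm32" as seen at the start of many x64 system-call stubs.
ORIGINAL_PROLOGUE = bytes.fromhex("4c8bd1b818000000")

FUNCTION_OFFSET = 0x100    # assumed offset of the monitored function in the buffer
TRAMPOLINE_OFFSET = 0x400  # assumed offset of the monitor's own handler
JMP_LEN = 5                # E9 rel32: one opcode byte plus a 32-bit displacement


class HookMonitor:
    """A monitor's record of the inline hooks it installed, plus an integrity check."""

    def __init__(self, memory: bytearray):
        self.memory = memory
        self.hooks: dict[int, bytes] = {}     # offset -> bytes we wrote there
        self.saved: dict[int, bytes] = {}     # offset -> bytes we displaced

    def install_hook(self, offset: int, handler_offset: int) -> None:
        """Overwrite the function start with a relative jump to the handler."""
        rel32 = handler_offset - (offset + JMP_LEN)   # displacement is from the next instruction
        stub = b"\xe9" + struct.pack("<i", rel32)
        self.saved[offset] = bytes(self.memory[offset:offset + JMP_LEN])
        self.memory[offset:offset + JMP_LEN] = stub
        self.hooks[offset] = stub

    def verify(self) -> list[int]:
        """Offsets whose hook bytes no longer match what the monitor installed.

        A non-empty result means something in the process rewrote the function
        start; the monitor can no longer trust that calls through it are seen.
        """
        return [
            offset for offset, stub in self.hooks.items()
            if bytes(self.memory[offset:offset + len(stub)]) != stub
        ]


def build_monitored_memory() -> HookMonitor:
    """Constructed scenario: a code buffer with one function, hooked by the monitor."""
    memory = bytearray(0x1000)
    memory[FUNCTION_OFFSET:FUNCTION_OFFSET + len(ORIGINAL_PROLOGUE)] = ORIGINAL_PROLOGUE
    monitor = HookMonitor(memory)
    monitor.install_hook(FUNCTION_OFFSET, TRAMPOLINE_OFFSET)
    return monitor


def restore_prologue(monitor: HookMonitor, offset: int, original: bytes) -> None:
    """Constructed tampering step for the demonstration: put the original bytes back
    over the hook, which is what the integrity check exists to notice."""
    monitor.memory[offset:offset + len(original)] = original


if __name__ == "__main__":
    monitor = build_monitored_memory()
    print("after install:", monitor.verify())           # [] -> hooks intact
    restore_prologue(monitor, FUNCTION_OFFSET, ORIGINAL_PROLOGUE)
    print("after tamper:", [hex(o) for o in monitor.verify()])  # ['0x100'] -> hook removed
```

The check is only as good as its schedule and its vantage point: a monitor that re-verifies from outside the process (or on every event it handles) is harder to blind than one that trusts its hooks after installation, which is the gap a technique like this relies on.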

Trend Micro highlights the evolving nature of Earth Freybug's tactics, emphasizing that even straightforward methods, when expertly applied, can significantly enhance the stealth and efficacy of cyber attacks. This recent campaign underlines the continuous innovation within cybercriminal circles and the importance of vigilance in cybersecurity practices.
