A threat activity cluster tracked as Earth Freybug has been observed using a new malware called UNAPIMON to fly under the radar.
“Earth Freybug is a cyberthreat group that has been active since at least 2012 that focuses on espionage and financially motivated activities,” Trend Micro security researcher Christopher So said in a report published today.
“It has been observed to target organizations from various sectors across different countries.”
The cybersecurity firm has described Earth Freybug as a subset within APT41, a China-linked cyber espionage group that’s also tracked as Axiom, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti.
The adversarial collective is known to rely on a combination of living-off-the-land binaries (LOLBins) and custom malware to realize its goals. Also adopted are techniques like dynamic-link library (DLL) hijacking and application programming interface (API) unhooking.
Trend Micro said the activity shares tactical overlaps with a cluster previously disclosed by cybersecurity company Cybereason under the name Operation CuckooBees, which refers to an intellectual property theft campaign targeting technology and manufacturing companies located in East Asia, Western Europe, and North America.
The starting point of the attack chain is the use of a legitimate executable associated with VMware Tools (“vmtoolsd.exe”) to create a scheduled task using “schtasks.exe” and deploy a file named “cc.bat” in the remote machine.
It’s currently not known how the malicious code came to be injected in vmtoolsd.exe, although it’s suspected that it may have involved the exploitation of external-facing servers.
The batch script is designed to amass system information and launch a second scheduled task on the infected host, which, in turn, executes another batch file with the same name (“cc.bat”) to ultimately run the UNAPIMON malware.
“The second cc.bat is notable for leveraging a service that loads a non-existent library to side-load a malicious DLL,” So explained. “In this case, the service is SessionEnv.”
This paves the way for the execution of TSMSISrv.DLL that’s responsible for dropping another DLL file (i.e., UNAPIMON) and injecting that same DLL into cmd.exe. Simultaneously, the DLL file is also injected into SessionEnv for defense evasion.
On top of that, the Windows command interpreter is designed to execute commands coming from another machine, essentially turning it into a backdoor.
A simple C++-based malware, UNAPIMON is equipped to prevent child processes from being monitored by leveraging an open-source Microsoft library called Detours to unhook critical API functions, thereby evading detection in sandbox environments that implement API monitoring through hooking.
The cybersecurity company characterized the malware as original, calling out the author’s “coding prowess and creativity” as well as their use of an off-the-shelf library to carry out malicious actions.
“Earth Freybug has been around for quite some time, and their methods have been seen to evolve through time,” Trend Micro said.
“This attack also demonstrates that even simple techniques can be used effectively when applied correctly. Implementing these techniques to an existing attack pattern makes the attack more difficult to discover.”