The Chinese-linked threat actor Earth Freybug, a known subset of the APT41 group whose members are wanted by the FBI, has deployed a new backdoor named UNAPIMON.
The malware combines several techniques to evade security software and conceal its activity on a compromised host.
How the Attack Works
- VMware Tools abuse: the attackers use the legitimate VMware Tools process (vmtoolsd.exe) on an already compromised virtual machine to run commands and create scheduled tasks. This is living-off-the-land abuse of trusted software, not exploitation of a vulnerability in VMware Tools, and it gives them a foothold that blends in with normal VM management activity.
- DLL hijacking: the attackers plant a malicious DLL (TSMSISrv.DLL in System32) where the legitimate Windows service SessionEnv expects a system DLL, so the service loads the backdoor as if it were a required component. Because the service runs as SYSTEM, the malicious code inherits the privileges of a trusted system process.
- API unhooking: security products monitor a process by "hooking" user-mode Windows API functions, typically in ntdll.dll and other system DLLs, so that calls are routed through the product's own code and suspicious behaviour can be inspected before the call proceeds. UNAPIMON defeats this by loading a clean copy of each DLL from disk, comparing the entry bytes of each exported function against the copy mapped in memory, and writing the original bytes back wherever they differ. It also hooks CreateProcessW itself so that every child process it spawns is injected with a copy of the DLL and unhooked the same way, which leaves the security software unable to see what those processes do.
Source: Trend Micro Report