Chinese APT group deploys defense-evading tactics with new UNAPIMON backdoor

A prolific Chinese cyberespionage group known in the security industry as APT41 was recently seen deploying a new backdoor program called UNAPIMON that uses a sophisticated technique to prevent its child processes from being monitored by security products.

“Looking at the behavior of UNAPIMON and how it was used in the attack, we can infer that its primary purpose is to unhook critical API functions in any child process,” researchers from security firm Trend Micro said in a report. “For environments that implement API monitoring through hooking such as sandboxing systems, UNAPIMON will prevent child processes from being monitored. Thus, this malware can allow any malicious child process to be executed with its behavior undetected.”

The malware, which is part of a larger attack chain that also involves the use of DLL hijacking and abuse of VMware Tools, was used in a campaign that targeted organizations from multiple countries and different industry sectors.

What is the advanced persistent threat group APT41?

Trend Micro attributes the cyberespionage campaign to a threat actor it tracks as Earth Freybug, which is a subgroup of APT41, a state-sponsored Chinese group that has been engaged in both cyberespionage and cybercrime operations since at least 2012. Five Chinese nationals who are suspected members of APT41 were indicted in the United States in 2019 and 2020 and are currently on the FBI’s most wanted list.

APT41 is an advanced persistent threat (APT) also known under other aliases in the security industry including Axiom, Barium, Wicked Panda, Wicked Spider and Winnti, even though the latter is actually the name of one of its custom backdoor programs that has been used in many attacks over the years. The group is regarded as highly sophisticated and innovative, having been responsible for some of the first software supply chain compromises that resulted in poisoned software updates.

The latest attack chain involving APT41

In the incidents investigated by Trend Micro, researchers observed malicious code injected into the vmtoolsd.exe process — part of the legitimate VMware Tools package — call schtasks.exe (the Windows Task Scheduler Configuration Tool) to create rogue scheduled tasks on remote systems.

VMware Tools is a component installed in VMware-based virtual machines in order to communicate with the host system and enable file and clipboard operations as well as shared folders and drivers. “Although the origin of the malicious code in vmtoolsd.exe in this incident is unknown, there have been documented infections wherein vulnerabilities in legitimate applications were exploited via vulnerable external-facing servers,” the Trend Micro researchers said.

One of the created scheduled tasks executes a batch program called cc.bat that contains a series of commands to gather information about the system including its name, local IP address, running processes, available accounts including administrators, the domain it’s part of and much more. The information is gathered through Windows command-line utilities and the output is saved to a text file.

The program then executes a second scheduled task that launches another batch program, also called cc.bat, that differs from the first one. This second program copies a previously dropped file called hdr.bin to %System%\TSMSISrv.DLL and then restarts the SessionEnv Windows service.

How UNAPIMON is using DLL hijacking

This technique is known as DLL hijacking because the SessionEnv service automatically looks for the library called TSMSISrv.DLL to load it when it starts. The attackers take advantage of this by planting their own malicious DLL file with that name, the advantage being that their malicious code is now loaded into memory by a legitimate process and service, potentially evading some behavioral detections by security products.

The malicious code from TSMSISrv.DLL drops another randomly named DLL file and injects it into a new instance of cmd.exe, the Windows command-line shell. This new cmd.exe process then listens for commands received from a remote machine and executes them, essentially acting as a backdoor.
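The artifacts described in the two preceding sections (the SessionEnv DLL hijack, the cc.bat scheduled tasks and the cmd.exe backdoor spawned from the service host) can be triaged on a single host with a short PowerShell script. This is an added defender-side example, not code from the Trend Micro report or from UNAPIMON; it assumes the hijack path is %SystemRoot%\System32\TSMSISrv.DLL, that the rogue tasks reference a file named cc.bat, and that the backdoor shell is a cmd.exe whose parent is an svchost.exe process.

```powershell
# Added defender-side triage script (assumptions: see lead-in). Not part of the
# original article or the Trend Micro report.
$findings = @()

# 1. DLL hijack: a TSMSISrv.DLL in System32 that is unsigned or not Microsoft-signed.
$dll = Join-Path $env:SystemRoot 'System32\TSMSISrv.DLL'
if (Test-Path $dll) {
    $sig = Get-AuthenticodeSignature -FilePath $dll
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "Suspicious $dll (signature status: $($sig.Status))"
    }
}

# 2. Scheduled tasks whose action runs a batch file named cc.bat.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'cc\.bat') {
            $findings += "Task $($task.TaskPath)$($task.TaskName) runs: $cmd"
        }
    }
}

# 3. Service hosts that currently have TSMSISrv.DLL mapped, and cmd.exe
#    instances whose parent is svchost.exe (the injected backdoor shell).
$procs = Get-CimInstance Win32_Process
$svchostIds = ($procs | Where-Object Name -eq 'svchost.exe').ProcessId
foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    try {
        $mod = $p.Modules | Where-Object { $_.ModuleName -ieq 'TSMSISrv.DLL' }
        if ($mod) { $findings += "svchost PID $($p.Id) loaded $($mod.FileName)" }
    } catch { }   # module enumeration can fail without elevation; skip such processes
}
foreach ($c in $procs | Where-Object { $_.Name -eq 'cmd.exe' -and $svchostIds -contains $_.ParentProcessId }) {
    $findings += "cmd.exe PID $($c.ProcessId) parented by svchost.exe PID $($c.ParentProcessId): $($c.CommandLine)"
}

if ($findings.Count -eq 0) { 'No UNAPIMON-style artifacts found.' } else { $findings }
```

Run it from an elevated PowerShell session so that module lists of service hosts can be read; a hit on any of the three checks warrants pulling the file and task definitions for full analysis.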

However, the DLL file injected into it is the one that stands out because it’s meant to hide the behavior of child processes by using an unusual technique that the Trend Micro researchers describe as application programming interface (API) unhooking.

Essentially, a process will perform various actions on a system by calling functions in the Windows API and some of these API calls are monitored by security products in order to detect potential suspicious behavior from new processes.

“A unique and notable feature of this malware is its simplicity and originality,” the researchers said. “Its use of existing technologies, such as Microsoft Detours, shows that any simple and off-the-shelf library can be used maliciously if used creatively. This also displayed the coding prowess and creativity of the malware writer. In typical scenarios, it is the malware that does the hooking. However, it is the opposite in this case.”

The researchers note that this attack chain is only possible if attackers have access to an account with administrative privileges, which is why they strongly recommend that organizations limit the number of admin accounts, rotate passwords periodically and follow the principle of least privilege.
