Winnti's new UNAPIMON tool hides malware from security software

The Chinese 'Winnti' hacking group was found using a previously undocumented malware called UNAPIMON to let malicous processes run without being detected.

Winnti, also known as APT41, is one of the oldest (active since 2012) and most sophisticated and prolific cyberespionage threat groups, believed to be a Chinese state-sponsored actor.

Previously, they have targeted a broad spectrum of organizations, including governments, hardware vendors, software developers, think tanks, telecommunication service providers, and educational institutes.

A new report by Trend Micro delves into a previously unseen custom malware used in an operation they have been monitoring closely, attributing the cyberespionage attack to a cluster they named 'Earth Freybug.'

UNAPIMON attacks

The attack begins with a malicious process injected into the legitimate VMware Tools vmtoolsd.exe process, which executes a remote scheduled task to run a batch file that collects system information, including network configurations and user details.

Next, a second batch file (cc.bat) leverages DLL side-loading (TSMSISrv.dll) involving the SessionEnv service to load UNAPIMON in memory, injecting it into a cmd.exe process.

UNAPIMON is a C++ malware delivered in DLL form (_{random}.dll), which uses Microsoft Detours for hooking the CreateProcessW API function, allowing it to unhook critical API functions in child processes.

Because many security tools employ API hooking to track malicious activity, UNAPIMON's mechanism allows it to unhook those APIs from a malicious child process to evade detection.

According to Trend Micro's analysis, the evasion mechanism works in distinct steps, as listed below:

Hooks into the 'CreateProcessW' API function using Microsoft Detours to intercept process creation calls. Modifies the process creation call to start the new process in a suspended state, allowing for manipulation before the process runs. Searches for specific DLLs in the suspended process, creates local copies in the %User Temp% directory, and loads these copies without resolving references to prevent errors. Compares the copied DLLs against the originals in the process, looking for modifications in exported addresses that indicate security software hooks. Copies original code over modified sections in the DLLs loaded in the process's memory, effectively removing hooks inserted by security tools. Unloads the temporary DLL copies and resumes the main thread of the child process, allowing undetectable execution.

Trend Micro explains that most malware employs hooking to intercept calls, capture sensitive data, and alter software behavior. Hence, UNAPIMON's approach to unhooking for evasion is an unusual technique.

"A unique and notable feature of this malware is its simplicity and originality," concluded Trend Micro.

"Its use of existing technologies, such as Microsoft Detours, shows that any simple and off-the-shelf library can be used maliciously if used creatively. This also displayed the coding prowess and creativity of the malware writer."

"In typical scenarios, it is the malware that does the hooking. However, it is the opposite in this case."

Furthermore, using the legitimate Microsoft Detours debugging tool to perform the unhooking could allow it to evade behavioral detections compared to using an unknown custom routine.

The Winnti hackers are known for their novel methods of evading detection when conducting attacks.

In 2020, the hackers were observed abusing Windows print processors to hide a backdoor and remain persistent. In 2022, the hackers split Cobalt Strike beacons into 154 small pieces to evade detection, only reconstructing them into an executable when they were ready to be launched.