Winnti’s new UNAPIMON tool hides malware from security software

Winnti's new UNAPIMON tool hides malware from security software

April 2, 2024 at 06:01PM

The Chinese ‘Winnti’ hacking group used a new malware, UNAPIMON, to run malicious processes undetected. This group, active since 2012, targets various organizations and was linked to a cyberespionage attack named ‘Earth Freybug.’ UNAPIMON uses DLL side-loading and unhooking API functions to evade detection, showcasing innovative and sophisticated tactics by the group.

Key takeaways from the meeting notes:

1. The Chinese hacking group “Winnti” has been using a previously undocumented malware called UNAPIMON to facilitate undetected malicious processes.
2. Winnti, also known as APT41, is an experienced and prolific cyberespionage threat group believed to be a Chinese state-sponsored actor. They have targeted a wide range of organizations, including governments, hardware vendors, software developers, think tanks, telecommunication service providers, and educational institutes.
3. A new report by Trend Micro provides insights into the UNAPIMON malware and attributes a cyberespionage attack to a cluster they named ‘Earth Freybug.’
4. The UNAPIMON attack involves injecting a malicious process into the legitimate VMware Tools process and using DLL side-loading to inject UNAPIMON into a cmd.exe process.
5. UNAPIMON uses Microsoft Detours for hooking the CreateProcessW API function, allowing it to evade detection by unhooking critical API functions in child processes.
6. The malware’s evasion mechanism involves manipulating process creation calls, creating and loading local copies of specific DLLs, comparing copied DLLs against originals to identify security software hooks, and unloading temporary DLL copies to allow undetectable execution.
7. UNAPIMON’s simplicity, originality, and use of existing technologies such as Microsoft Detours demonstrate the coding prowess and creativity of the malware writer. The use of Microsoft Detours for unhooking could help evade behavioral detections.
8. The Winnti hackers are known for their innovative evasion techniques, including abusing Windows print processors and splitting Cobalt Strike beacons into small pieces to evade detection.

These takeaways provide a clear understanding of the UNAPIMON malware, its features, and the advanced evasion techniques employed by the Winnti hacking group.

Full Article