Cyberthreat operation Earth Freybug, which is a subset of Chinese state-sponsored threat group APT41, has leveraged the novel UNAPIMON malware with API unhooking to facilitate stealthier intrusions against organizations from different industries around the world, The Hacker News reports.
Attacks commence with the delivery of a weaponized legitimate VMware Tools-related executable that would facilitate scheduled task creation and batch file distribution, which would allow system data exfiltration and batch file execution to enable UNAPIMON, a report from Trend Micro revealed. UNAPIMON was noted to use the Detours library for critical API function unhooking and bypassing detection.
"Earth Freybug has been around for quite some time, and their methods have been seen to evolve through time… This attack also demonstrates that even simple techniques can be used effectively when applied correctly. Implementing these techniques to an existing attack pattern makes the attack more difficult to discover," said Trend Micro.
