2 April 2024

Chinese cyberespionage cluster Earth Freybug adds new Unapimon malware to its arsenal


A threat activity cluster known as Earth Freybug has been observed employing a new malware variant named Unapimon, designed to prevent child processes from being monitored.

Earth Freybug, a threat group with a history dating back to at least 2012, specializes in espionage and financially motivated activities, targeting organizations worldwide across various sectors. Cybersecurity firm Trend Micro believes Earth Freybug to be a subset within the well-known China-linked cyber espionage group APT41.

Earth Freybug has been using a combination of sophisticated tools and techniques, including living-off-the-land binaries (LOLBins) and custom malware. The threat actor is known for employing tactics such as DLL hijacking and API unhooking to achieve its objectives.

The latest tactic observed by Trend Micro involves the use of legitimate executables associated with VMware Tools to initiate the attack chain. The attackers leverage “vmtoolsd.exe” to create scheduled tasks and deploy malicious files on remote machines. The deployed files, named “cc.bat,” are designed to gather system information and execute further malicious activities, ultimately leading to the deployment of the Unapimon malware.

The origins of the malicious code injected into vmtoolsd.exe remain unclear, although it is suspected to involve the exploitation of external-facing servers.
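The chain described above (vmtoolsd.exe creating a scheduled task and a batch file named cc.bat being run) is something a defender can look for in process-creation telemetry. The following is an added example, not code from Trend Micro or from the report; the key="value" log format, field names, paths and timestamps are constructed for the example and do not follow any real product's schema.

```python
"""Detection sketch for the Earth Freybug chain: vmtoolsd.exe spawning
scheduled-task creation, and any execution of a batch file named cc.bat.
Added example; the log format and sample events are constructed."""
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not a real Sysmon/EDR schema).
SAMPLE_LOG = r'''
ts=2024-04-02T10:00:01 pid=4100 ppid=812 image="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" cmdline="vmtoolsd.exe"
ts=2024-04-02T10:00:05 pid=4212 ppid=4100 image="C:\Windows\System32\schtasks.exe" cmdline="schtasks /create /tn Update /tr C:\Windows\Temp\cc.bat /sc once /st 10:05"
ts=2024-04-02T10:05:00 pid=4300 ppid=1020 image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c C:\Windows\Temp\cc.bat"
ts=2024-04-02T10:07:00 pid=4400 ppid=4100 image="C:\Windows\System32\VMwareToolboxCmd.exe" cmdline="VMwareToolboxCmd.exe stat sessionid"
ts=2024-04-02T10:08:00 pid=4500 ppid=600 image="C:\Windows\System32\svchost.exe" cmdline="svchost.exe -k netsvcs"
'''

# key=value or key="quoted value" pairs
LINE_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class ProcEvent:
    ts: str
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_line(line):
    """Turn one constructed log line into a ProcEvent."""
    fields = {}
    for m in LINE_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return ProcEvent(fields["ts"], int(fields["pid"]), int(fields["ppid"]),
                     fields["image"], fields["cmdline"])


def parse_log(text):
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Children that a VMware Tools service has no business spawning
SUSPICIOUS_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def detect(events):
    """Return (pid, rule_name) findings for the two behaviours from the report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        child = basename(e.image)
        # Rule 1: vmtoolsd.exe directly spawning a shell or scheduled-task creation
        if parent is not None and basename(parent.image) == "vmtoolsd.exe" and child in SUSPICIOUS_CHILDREN:
            findings.append((e.pid, "vmtoolsd_spawned_" + child))
        # Rule 2: any command line referencing a file named cc.bat (name taken from the report)
        if re.search(r"\bcc\.bat\b", e.cmdline, re.IGNORECASE):
            findings.append((e.pid, "cc_bat_execution"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(parse_log(SAMPLE_LOG)):
        print(pid, rule)
```

Rule 1 only checks the direct parent; a scheduled task fires later under the Task Scheduler service, so the cc.bat execution itself is caught by rule 2 rather than by ancestry. The file name is a weak indicator on its own and is worth pairing with the parent-child rule rather than used alone.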

Described as a simple yet effective C++-based malware, Unapimon comes with advanced features focused on thwarting detection mechanisms. It utilizes a technique to prevent child processes from being monitored, thus evading detection in sandbox environments. The malware achieves this by leveraging the Detours library, a Microsoft open-source tool, to unhook critical API functions.

One notable aspect of Unapimon is its utilization of a service called SessionEnv to load a malicious DLL, enabling the malware to inject itself into critical system processes for defense evasion. Additionally, the malware establishes a backdoor by allowing the Windows command interpreter to execute commands from remote sources, granting attackers remote access to compromised systems.

“Looking at the behavior of Unapimon and how it was used in the attack, we can infer that its primary purpose is to unhook critical API functions in any child process. For environments that implement API monitoring through hooking such as sandboxing systems, UNAPIMON will prevent child processes from being monitored. Thus, this malware can allow any malicious child process to be executed with its behavior undetected,” the researchers said.
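The monitoring technique Unapimon defeats, and the check a monitoring component can run against itself, can be shown in a small model. An inline hook replaces the first bytes of a monitored function with a relative jump into the monitor's module; restoring the original bytes (which is what an unhooker does) leaves a stub that no longer jumps anywhere. The following is an added example, not code from Trend Micro, Microsoft Detours or Unapimon: it decodes the jump target from a function's first bytes and reports whether each monitored function is still hooked by the monitor, has been restored to its clean stub, or jumps somewhere else. The function names are real ntdll export names, but the addresses, address ranges and prologue bytes (including the system-call numbers) are constructed placeholders; a real monitor would read the bytes from the child process's memory.

```python
"""Hook-integrity check: does each monitored function still jump into the
monitor's module? Added example with constructed addresses and bytes."""
import struct

# Reference first bytes of the clean 64-bit stubs (mov r10, rcx ; mov eax, N).
# The system-call numbers here are placeholders, not real values.
ORIGINAL_PROLOGUES = {
    "NtCreateFile":         bytes.fromhex("4c8bd1b855000000"),
    "NtWriteVirtualMemory": bytes.fromhex("4c8bd1b83a000000"),
    "NtCreateThreadEx":     bytes.fromhex("4c8bd1b8c1000000"),
}


def encode_rel_jmp(src, dst):
    """E9 rel32: displacement measured from the end of the 5-byte instruction.
    Used here only to build the constructed sample snapshot."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


def decode_rel_jmp(addr, code):
    """Return the jump target if `code` at `addr` starts with E9 rel32, else None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    return addr + 5 + struct.unpack("<i", code[1:5])[0]


def classify(name, addr, observed, monitor_range):
    """State of one monitored function, given its observed first bytes."""
    lo, hi = monitor_range
    original = ORIGINAL_PROLOGUES[name]
    if observed[:len(original)] == original:
        return "unhooked"              # clean stub restored: the monitor is blind here
    target = decode_rel_jmp(addr, observed)
    if target is None:
        return "unknown_modification"  # neither clean nor a recognisable hook
    if lo <= target < hi:
        return "hooked_by_monitor"     # jump lands inside the monitor's module
    return "redirected_elsewhere"      # a jump, but not to the monitor


def check_hooks(snapshot, monitor_range):
    """snapshot: iterable of (name, address, first_bytes) read from the target."""
    return {name: classify(name, addr, observed, monitor_range)
            for name, addr, observed in snapshot}


# Constructed layout: the monitor's module lives in MONITOR_RANGE and the
# functions sit within rel32 reach of it.
MONITOR_RANGE = (0x7FFA10000000, 0x7FFA10100000)
SAMPLE_SNAPSHOT = [
    # still hooked: jumps to a handler inside the monitor, padded with NOPs
    ("NtCreateFile", 0x7FFA12340000,
     encode_rel_jmp(0x7FFA12340000, 0x7FFA10001000) + b"\x90\x90\x90"),
    # unhooked: original bytes written back over the monitor's jump
    ("NtWriteVirtualMemory", 0x7FFA12341000, ORIGINAL_PROLOGUES["NtWriteVirtualMemory"]),
    # hooked, but not by the monitor
    ("NtCreateThreadEx", 0x7FFA12342000,
     encode_rel_jmp(0x7FFA12342000, 0x7FFA20000000) + b"\x90\x90\x90"),
]


def unhooked_functions(snapshot=SAMPLE_SNAPSHOT, monitor_range=MONITOR_RANGE):
    """Names whose monitoring can no longer be trusted, sorted."""
    return sorted(n for n, s in check_hooks(snapshot, monitor_range).items()
                  if s != "hooked_by_monitor")


if __name__ == "__main__":
    for name, state in check_hooks(SAMPLE_SNAPSHOT, MONITOR_RANGE).items():
        print(f"{name:22s} {state}")
```

The "unhooked" result is the state Unapimon aims for in a child process: the sandbox's jump is gone, so calls into that function proceed without being observed. A monitor that periodically re-reads these bytes in its children, or that also instruments at a layer the process cannot rewrite (kernel callbacks, ETW), is not blinded by this kind of in-process restoration.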

In March, Trend Micro detailed another China-linked cyberespionage campaign dubbed ‘Earth Krahang’ that has been targeting government entities across Southeast Asia, Europe, America, and Africa.
