Earth Freybug Threat Actor Deploys New Unapimon Malware

The malware leverages DLL hijacking and API unhooking to target multiple industries globally.

Context

On April 2, 2024, Trend Micro researchers reported new technical details of a “Unapimon” malware campaign attributed to Earth Freybug, which leverages “dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored.”

According to Trend Micro, “UNAPIMON itself is straightforward: It is a DLL malware written in C++ and is neither packed nor obfuscated; it is not encrypted save for a single string.”

Community Impact Assessment

Trend Micro assesses that Earth Freybug is a subset of the threat group known as APT41, a prominent Chinese cyber espionage group. APT41 is known to target healthcare, telecom, technology, and video game organizations in multiple countries. However, Trend Micro did not identify specific industry targets of this campaign.

Based on the potential connection to APT41 and the sophistication and adaptability of Earth Freybug tactics, techniques, and procedures (TTPs), the RH-ISAC intelligence team assesses with moderate confidence that Earth Freybug presents a medium-level threat to Core Member organizations. All members are advised to maintain situational awareness around the group and to review the mitigations, indicators of compromise (IOCs), and TTPs included here.

Mitigation Recommendations

Trend Micro provided the following security recommendations:

  • Frequent password rotation.
  • Limiting access to admin accounts to actual admins.
  • Implementing robust activity logging.
  • Restricting admin privileges.
  • Following the principle of least privilege.
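As an added illustration (not from the Trend Micro report or this post) of what the "robust activity logging" recommendation buys a defender against the DLL hijacking described above: a small Python check over constructed Sysmon Event ID 7 (Image Loaded) records that flags the DLL side-loading shape. The record format, the trusted-directory list and the DLL names are assumptions made for the example.

```python
# Added example, not from the Trend Micro report or the RH-ISAC post.
# Flags the DLL side-loading pattern in image-load telemetry: a DLL that borrows
# a well-known system DLL name but is loaded unsigned from outside the Windows
# system directories, typically from the loader's own directory.

# Directories from which the well-known DLL names below are expected to load (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Names commonly borrowed by side-loaded DLLs (illustrative list, not exhaustive).
COMMON_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll", "cryptbase.dll"}


def parse_event(line):
    """Parse a constructed 'key=value|key=value' Sysmon-style record into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def is_suspicious(ev):
    """Return True when the record matches the side-loading shape described in the post."""
    image = ev["ImageLoaded"].lower()
    loader = ev["Image"].lower()
    name = image.rsplit("\\", 1)[-1]
    in_trusted = image.startswith(TRUSTED_DIRS)
    signed = ev.get("Signed", "false").lower() == "true"
    same_dir = image.rsplit("\\", 1)[0] == loader.rsplit("\\", 1)[0]
    # System-named DLL, not from a system directory, unsigned, sitting beside its loader.
    return name in COMMON_SYSTEM_DLLS and not in_trusted and not signed and same_dir


def find_sideloads(lines):
    """Return (loader, dll) pairs for every record that looks like a side-load."""
    return [(ev["Image"], ev["ImageLoaded"]) for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample telemetry: one benign system load, one side-load, one vendor DLL.
SAMPLE_EVENTS = [
    r"EventID=7|Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    r"EventID=7|Image=C:\ProgramData\Vendor\updater.exe|ImageLoaded=C:\ProgramData\Vendor\version.dll|Signed=false",
    r"EventID=7|Image=C:\ProgramData\Vendor\updater.exe|ImageLoaded=C:\ProgramData\Vendor\vendorlib.dll|Signed=false",
]

if __name__ == "__main__":
    for loader, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"possible DLL side-load: {loader} loaded {dll}")
```

Only the second record is reported; the first is a signed system load and the third does not borrow a system DLL name.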

IOCs

Trend Micro provided the following IOCs:

  • Hash: 62ad0407a9cce34afb428dee972292d2aa23c78cbc1a44627cb2e8b945195bc2
  • Detection name: Trojan[.]Win64[.]UNAPIMON[.]ZTLB

TTPs

Trend Micro noted that the TTPs in the current campaign matched those used in the Operation CuckooBees campaign, which is widely attributed to Winnti (an alias for APT41). They are listed below by tactic:

Reconnaissance

  • Gather Victim Identity Information: Credentials
  • Gather Victim Network Information

Initial Access

  • Exploit Public-Facing Application
  • Supply Chain Compromise

Execution

  • Scheduled Task/Job
  • Inter-process communication
  • Exploitation for Client Execution
  • Command and Scripting Interpreter: Windows Command Shell
  • Command and Scripting Interpreter: Visual Basic
  • Native API

Persistence

  • Server Software Component: Web Shell
  • Scheduled Task/Job: Scheduled Task
  • Valid Accounts: Domain Accounts
  • Valid Accounts: Local Accounts

Privilege Escalation

  • Create or Modify System Process: Windows Service
  • Hijack Execution Flow: DLL Side-Loading
  • Process Injection: Dynamic-link Library Injection
  • Scheduled Task/Job: Scheduled Task
  • Valid Accounts: Domain Accounts
  • Valid Accounts: Local Accounts

Defense Evasion

  • Hijack Execution Flow: DLL Side-Loading
  • Rootkit
  • Masquerading: Match Legitimate Name or Location
  • Process Injection: Dynamic-link Library Injection
  • Reflective Code Loading
  • Signed Binary Proxy Execution: Rundll32
  • Valid Accounts: Domain Accounts
  • Valid Accounts: Local Accounts

Credential Access

  • OS Credential Dumping

Discovery

  • System Network Configuration Discovery
  • Remote System Discovery
  • Password Policy Discovery
  • Permission Groups Discovery
  • Network Share Discovery
  • System Service Discovery
  • System Time Discovery
  • System Network Connections Discovery
  • Account Discovery
  • System Owner/User Discovery
  • System Information Discovery
  • Process Discovery

Lateral Movement

  • Exploitation of Remote Services
  • Remote Services: Remote Desktop Protocol

Collection

  • Archive Collected Data: Archive via Utility
  • Automated Collection

Exfiltration

  • Automated Exfiltration

Command and Control

  • Application Layer Protocol: Web Protocols
  • Proxy
