Earth Freybug (APT41) – Threat Actor

Earth Freybug
Other Names	Unknown
Location	China
Date of initial activity	2012
Suspected attribution	China
Associated Groups	APT41
Motivation	Cyber Espionage and financial gain
Associated tools	Earth Freybug actors use a diverse range of tools and techniques, including LOLBins and custom malware.
Active	Yes

Overview

Earth Freybug is a cyberthreat group that has been active since at least 2012 that focuses on espionage and financially motivated activities. It has been observed to target organizations from various sectors across different countries. Earth Freybug actors use a diverse range of tools and techniques, including LOLBins and custom malware. Cybersecurity firm Trend Micro believes Earth Freybug to be a subset within the well-known China-linked cyber espionage group APT41.

Common targets

It has been observed to target organizations from various sectors across different countries.

Attack Vectors

The latest tactic observed by Trend Micro involves the use of legitimate executables associated with VMware Tools to initiate the attack chain.

How they operate

Earth Freybug has been around for quite some time, and their methods have been seen to evolve through time. Earth Freybug has been using a combination of sophisticated tools and techniques, including living-off-the-land binaries (LOLBins) and custom malware. The threat actor is known for employing tactics such as DLL hijacking and API unhooking to achieve its objectives. Trend Micro has identified a new tactic where attackers exploit legitimate executables linked with VMware Tools to launch their attacks. They use “vmtoolsd.exe” to set up scheduled tasks and distribute malicious files, such as “cc.bat,” across remote machines. These files collect system data and trigger further malicious actions, culminating in the deployment of Unapimon malware. The source of the injected code into vmtoolsd.exe remains unclear but is suspected to involve the exploitation of outward-facing servers. Unapimon, a straightforward yet powerful C++-based malware, boasts sophisticated features aimed at circumventing detection methods. It employs a method to evade sandbox detection by preventing the monitoring of child processes, achieved through the Detours library. A key feature of Unapimon is its use of SessionEnv to load a malicious DLL, allowing the malware to infiltrate vital system processes undetected. Moreover, the malware establishes a backdoor by enabling the Windows command interpreter to execute commands remotely, providing attackers with remote access to compromised systems.