
UNAPIMON (Dropped) – Malware

April 4, 2024
in Malware

UNAPIMON

Type of Malware

Dropped

Country of Origin

Unknown

Date of initial activity

Unknown

Targeted Countries

Unknown

Motivation

UNAPIMON employs defense evasion techniques to prevent child processes from being monitored

Attack vectors

Attacks begin with the delivery of a weaponized, legitimate VMware Tools-related executable that creates scheduled tasks and distributes batch files; those batch files exfiltrate system data and execute further batch files that ultimately load UNAPIMON.

Targeted systems

Windows

Associated Groups

Earth Freybug

Overview

Described as a simple yet effective C++-based malware, UNAPIMON's advanced features are focused on thwarting detection mechanisms. It uses a technique that prevents child processes from being monitored, evading detection in sandbox environments. It achieves this by leveraging Detours, Microsoft's open-source instrumentation library, to unhook critical API functions. One notable aspect of UNAPIMON is that it uses a service called SessionEnv to load a malicious DLL, which lets the malware inject itself into critical system processes for defense evasion. The malware also establishes a backdoor by allowing the Windows command interpreter to execute commands from remote sources, giving attackers remote access to compromised systems.

Techniques Used

UNAPIMON's evasion technique prevents monitoring of child processes, as elaborated below. It is a straightforward DLL written in C++, with no packing or obfuscation apart from a single encrypted string. When loaded, it sets up an event object for synchronization and starts the hooking thread from within DllMain.

The hooking thread locates CreateProcessW in kernel32.dll and installs a hook on it using Microsoft Detours. The hook intercepts every call to CreateProcessW made by the hosting process and redirects it to the hook function. The hook function calls the original CreateProcessW with the CREATE_SUSPENDED creation flag, so the child process is created with its main thread suspended.

UNAPIMON then copies each DLL loaded in the child process to %User Temp%_{5 to 9 random alphabetic characters}.dll and loads the copy locally with LoadLibraryEx and the DONT_RESOLVE_DLL_REFERENCES flag, which avoids loading errors because no dependencies are resolved. It compares the local copy against the DLL mapped in the child process, checking that checksums and export table contents are identical. If a modification (a hook) is found in an exported function, it removes it by copying the original code to the remote address. Once every DLL name has been processed, UNAPIMON unpatches the exported addresses, unloads the local copies, and deletes the temporary files. On unload, it removes its own hook from CreateProcessW, completing its operation.

Tools

UNAPIMON was noted to use the Detours library for critical API function unhooking and bypassing detection.
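The behaviour above leaves a recognisable trace for defenders: right after a process spawns a child, the same process writes several `_<5 to 9 letters>.dll` files into the user's Temp directory and deletes them again once the unhooking is done. The following Python sketch is an added example, not code from this page or from the cited Trend Micro analysis, that correlates those three signals over process telemetry. The event field names, the expansion of `%User Temp%` to `C:\Users\<user>\AppData\Local\Temp`, the detection thresholds, and the sample records are all assumptions; the file-name pattern and the create-then-delete sequence come from the description above.

```python
import re
from collections import defaultdict

# Name pattern of the temporary DLL copies described in the profile:
# %User Temp%_{5 to 9 random alphabetic characters}.dll. The directory is an
# assumption: the profile gives only "%User Temp%", which on current Windows
# builds expands to C:\Users\<user>\AppData\Local\Temp.
TEMP_DLL_COPY = re.compile(
    r"(?i)^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\_[a-z]{5,9}\.dll$"
)


def is_temp_dll_copy(path):
    """True when path looks like one of the short-lived DLL copies."""
    return bool(TEMP_DLL_COPY.match(path))


def detect_unapimon_like(events, min_copies=3, window_s=60):
    """Correlate three behaviours per parent process: it spawns a child, then within
    window_s seconds writes at least min_copies files matching TEMP_DLL_COPY, and
    (optionally) deletes them again. Event dicts use constructed field names:
    ts (epoch seconds), event (ProcessCreate|FileCreate|FileDelete), pid, and either
    parent_pid+image (ProcessCreate) or path (file events). Returns a list of findings."""
    state = defaultdict(lambda: {"children": [], "created": {}, "deleted": set()})
    for e in events:
        if e["event"] == "ProcessCreate":
            state[e["parent_pid"]]["children"].append((e["ts"], e["pid"], e["image"]))
        elif e["event"] == "FileCreate" and is_temp_dll_copy(e["path"]):
            state[e["pid"]]["created"][e["path"].lower()] = e["ts"]
        elif e["event"] == "FileDelete" and is_temp_dll_copy(e["path"]):
            state[e["pid"]]["deleted"].add(e["path"].lower())

    findings = []
    for pid, st in state.items():
        for child_ts, child_pid, image in st["children"]:
            copies = sorted(
                p for p, ts in st["created"].items() if 0 <= ts - child_ts <= window_s
            )
            if len(copies) >= min_copies:
                findings.append({
                    "pid": pid,
                    "child_pid": child_pid,
                    "child_image": image,
                    "temp_copies": copies,
                    # UNAPIMON deletes its local copies once done; a full cleanup
                    # on top of the copy burst raises confidence in the match.
                    "cleaned_up": all(p in st["deleted"] for p in copies),
                })
    return findings


# Constructed sample telemetry (not real logs). pid 3300 behaves like a process
# hosting UNAPIMON; pid 5000 is a benign installer that also drops a DLL in Temp.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"ts": 1000, "event": "ProcessCreate", "pid": 4120, "parent_pid": 3300,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": 1001, "event": "FileCreate", "pid": 3300, "path": TEMP + r"\_qwertyu.dll"},
    {"ts": 1001, "event": "FileCreate", "pid": 3300, "path": TEMP + r"\_asdfghjkl.dll"},
    {"ts": 1002, "event": "FileCreate", "pid": 3300, "path": TEMP + r"\_zxcvb.dll"},
    {"ts": 1005, "event": "FileDelete", "pid": 3300, "path": TEMP + r"\_qwertyu.dll"},
    {"ts": 1005, "event": "FileDelete", "pid": 3300, "path": TEMP + r"\_asdfghjkl.dll"},
    {"ts": 1005, "event": "FileDelete", "pid": 3300, "path": TEMP + r"\_zxcvb.dll"},
    {"ts": 2000, "event": "ProcessCreate", "pid": 6000, "parent_pid": 5000,
     "image": r"C:\Windows\System32\msiexec.exe"},
    {"ts": 2001, "event": "FileCreate", "pid": 5000, "path": TEMP + r"\setup.dll"},
]

if __name__ == "__main__":
    for finding in detect_unapimon_like(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, only pid 3300 is reported: it spawned cmd.exe and then created and deleted three matching DLL copies inside the window, while the installer's single `setup.dll` never matches. The create-then-delete correlation matters because the copies exist for seconds only; a file-creation rule alone would fire on plenty of benign installers, and a scan of the Temp directory after the fact would find nothing.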

Impact

UNAPIMON's behavior reveals its primary objective: to defeat monitoring of critical API functions in any child process it creates. By removing the API hooks that sandboxing systems commonly rely on, UNAPIMON enables malicious child processes to operate undetected. This capability poses a significant risk, as it allows malicious activity to occur on a system without triggering alarms or alerts. An intriguing aspect of UNAPIMON is its simplicity and ingenuity. Its use of an established tool like Microsoft Detours demonstrates how readily available resources can be repurposed for malicious intent when creatively applied. This underscores the adaptability of modern malware authors and their ability to innovate within the confines of existing technologies. In a departure from conventional malware behavior, UNAPIMON's approach to hooking presents a novel challenge for security professionals and highlights the evolving tactics of threat actors in the cybersecurity landscape.

Significant Malware Campaigns

  • Earth Freybug has been observed using a new malware called UNAPIMON to fly under the radar. (April 2024)

References:

  • China-linked Hackers Deploy New ‘UNAPIMON’ Malware for Stealthy Operations
  • Earth Freybug Uses UNAPIMON for Unhooking Critical APIs

Tags: API, C++, Detours library, DLL, Droppers, Earth Freybug, kernel32.dll, Malware, Microsoft open-source tool, UNAPIMON, Windows