Earth Freybug Uses UNAPIMON for Unhooking Critical APIs
First cc.bat for reconnaissance
Once the scheduled task is triggered, a previously deployed batch file, %System%\cc.bat, is executed on the remote machine. Based on our telemetry, this batch file launches a series of commands to gather system information. Among the commands executed are:
- powershell.exe -command "Get-NetAdapter |select InterfaceGuid"
- arp -a
- ipconfig /all
- fsutil fsinfo drives
- query user
- net localgroup administrators
- systeminfo
- whoami
- netstat -anb -p tcp
- net start
- tasklist /v
- net session
- net share
- net accounts
- net use
- net user
- net view
- net view /domain
- net time \\127.0.0.1
- net localgroup administrators /domain
- wmic nic get "guid"
The output of these commands is collected in a text file, %System%\res.txt.
Once this is done, another scheduled task is set up to execute %Windows%\Installer\cc.bat on the target machine, which launches a backdoor.
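The discovery commands above are individually unremarkable; what stands out is a single parent process running most of them within seconds. The following detection logic is an added example and not code from the Trend Micro article: it groups process-creation events by parent, matches each child's command line against the commands listed above, and reports any parent that runs at least MinDistinct different ones inside a sliding time window. The events at the bottom are constructed for the demonstration; the field names (UtcTime, ParentProcessId, ProcessId, CommandLine) are an assumption chosen to match Sysmon event ID 1.

```powershell
# Added example, not from the article. Signatures are derived from the command list
# reported above; keys are labels, values are case-insensitive regexes that tolerate
# a full (possibly quoted) path before the executable name.
$ReconSignatures = [ordered]@{
    'Get-NetAdapter'  = 'Get-NetAdapter'
    'arp -a'          = '^\S*arp(?:\.exe)?"?\s+-a\b'
    'ipconfig /all'   = '^\S*ipconfig(?:\.exe)?"?\s+/all\b'
    'fsutil drives'   = '^\S*fsutil(?:\.exe)?"?\s+fsinfo\s+drives\b'
    'query user'      = '^\S*query(?:\.exe)?"?\s+user\b'
    'net localgroup'  = '^\S*net1?(?:\.exe)?"?\s+localgroup\s+administrators\b'
    'systeminfo'      = '^\S*systeminfo(?:\.exe)?\b'
    'whoami'          = '^\S*whoami(?:\.exe)?\b'
    'netstat -anb'    = '^\S*netstat(?:\.exe)?"?\s+-anb\b'
    'net start'       = '^\S*net1?(?:\.exe)?"?\s+start\b'
    'tasklist /v'     = '^\S*tasklist(?:\.exe)?"?\s+/v\b'
    'net session'     = '^\S*net1?(?:\.exe)?"?\s+session\b'
    'net share'       = '^\S*net1?(?:\.exe)?"?\s+share\b'
    'net accounts'    = '^\S*net1?(?:\.exe)?"?\s+accounts\b'
    'net use'         = '^\S*net1?(?:\.exe)?"?\s+use\b'
    'net user'        = '^\S*net1?(?:\.exe)?"?\s+user\b'
    'net view'        = '^\S*net1?(?:\.exe)?"?\s+view\b'
    'net time'        = '^\S*net1?(?:\.exe)?"?\s+time\b'
    'wmic nic guid'   = '^\S*wmic(?:\.exe)?"?\s+nic\s+get\b'
}

function Find-ReconBurst {
    param(
        [object[]]$Events,        # objects with UtcTime, ParentProcessId, ProcessId, CommandLine
        [int]$MinDistinct = 8,    # distinct discovery commands needed to alert
        [int]$WindowSeconds = 120
    )
    foreach ($group in ($Events | Group-Object ParentProcessId)) {
        # Tag each child process with the first signature its command line matches.
        $hits = @(foreach ($e in ($group.Group | Sort-Object UtcTime)) {
            foreach ($name in $ReconSignatures.Keys) {
                if ($e.CommandLine -match $ReconSignatures[$name]) {
                    [PSCustomObject]@{ Time = $e.UtcTime; Name = $name; Cmd = $e.CommandLine }
                    break
                }
            }
        })
        # Slide a window over the matched children; one alert per parent is enough.
        for ($i = 0; $i -lt $hits.Count; $i++) {
            $start = $hits[$i].Time
            $end   = $start.AddSeconds($WindowSeconds)
            $inWindow = @($hits | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            $distinct = @($inWindow.Name | Select-Object -Unique)
            if ($distinct.Count -ge $MinDistinct) {
                [PSCustomObject]@{
                    ParentProcessId = $group.Name
                    FirstSeen       = $start
                    DistinctCmds    = $distinct.Count
                    Commands        = $distinct -join ', '
                }
                break
            }
        }
    }
}

# Constructed sample data: a cmd.exe (PID 4120) started by the task scheduler runs
# the batch file, one command per second; PID 900 is an admin shell doing two
# unrelated lookups minutes apart and must not alert.
$t0 = [datetime]'2024-03-01 10:00:00'
$i  = 0
$sample = @(foreach ($cmd in 'powershell.exe -command "Get-NetAdapter |select InterfaceGuid"',
                              'arp -a', 'ipconfig /all', 'fsutil fsinfo drives', 'query user',
                              'net localgroup administrators', 'systeminfo', 'whoami',
                              'netstat -anb -p tcp', 'net start', 'tasklist /v', 'net user',
                              'net view /domain', 'net time \\127.0.0.1', 'wmic nic get "guid"') {
    $i++
    [PSCustomObject]@{ UtcTime = $t0.AddSeconds($i); ParentProcessId = 4120; ProcessId = 5000 + $i; CommandLine = $cmd }
})
$sample += [PSCustomObject]@{ UtcTime = $t0.AddMinutes(5); ParentProcessId = 900; ProcessId = 6001; CommandLine = 'ipconfig /all' }
$sample += [PSCustomObject]@{ UtcTime = $t0.AddMinutes(9); ParentProcessId = 900; ProcessId = 6002; CommandLine = 'whoami' }

Find-ReconBurst -Events $sample | Format-List   # reports parent 4120 only
```

On real data, the three fields map directly onto the EventData of Sysmon event ID 1 retrieved with Get-WinEvent. The MinDistinct and WindowSeconds thresholds are the tuning knobs: the batch file runs roughly twenty commands back to back, so eight distinct ones inside two minutes keeps the rule well clear of an administrator typing a couple of lookups by hand.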
Second cc.bat hijacking for DLL side-loading
The second cc.bat is notable for abusing a service that attempts to load a library that does not exist on a clean system, which lets the attacker plant a malicious DLL under that name and have the service side-load it. In this case, the service is SessionEnv. A detailed technical description of how this technique works can be found here. This second cc.bat first copies the previously dropped %Windows%\Installer\hdr.bin to %System%\TSMSISrv.DLL. It then stops the SessionEnv service, waits a few seconds, and restarts it; on restart, the service loads and executes %System%\TSMSISrv.DLL.
Two actions of interest performed by TSMSISrv.DLL are dropping and loading a file named %Windows%\_{5 to 9 random alphabetic characters}.dll and starting a cmd.exe process into which that same dropped DLL is injected. Based on telemetry data, this cmd.exe instance executes commands received from another machine, which turns it into a backdoor. We dubbed the dropped DLL, which is loaded in both the service and cmd.exe, UNAPIMON.
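Because SessionEnv looks for a DLL that is absent on a clean system, the mere presence of TSMSISrv.DLL in System32 is an indicator, and the staging files and scheduled tasks described above are the rest of the chain. The host check below is an added example, not code from the article or from the threat actor's tooling; it assumes the default %SystemRoot% layout, the file names reported above (cc.bat, res.txt, hdr.bin, TSMSISrv.DLL), and an elevated shell for the task and service inspection.

```powershell
# Added example, not from the article: hunt for the side-loading artifacts on a host.
$sys32     = Join-Path $env:SystemRoot 'System32'
$installer = Join-Path $env:SystemRoot 'Installer'
$findings  = [System.Collections.Generic.List[object]]::new()

# 1. The phantom DLL SessionEnv tries to load. It does not ship with Windows, so any
#    copy is suspect; an unsigned or untrusted-signed copy more so.
$sideload = Join-Path $sys32 'TSMSISrv.DLL'
if (Test-Path $sideload) {
    $sig = Get-AuthenticodeSignature -FilePath $sideload
    $findings.Add([PSCustomObject]@{
        Indicator = 'Phantom DLL present for SessionEnv'
        Path      = $sideload
        Detail    = "Authenticode: $($sig.Status); signer: $($sig.SignerCertificate.Subject)"
    })
}

# 2. Staging and output files named in the report (first cc.bat, its res.txt output,
#    the second cc.bat and the hdr.bin it copies into place).
foreach ($p in (Join-Path $sys32 'cc.bat'), (Join-Path $sys32 'res.txt'),
               (Join-Path $installer 'cc.bat'), (Join-Path $installer 'hdr.bin')) {
    if (Test-Path $p) {
        $fi = Get-Item $p
        $findings.Add([PSCustomObject]@{
            Indicator = 'Staged file'
            Path      = $p
            Detail    = "size $($fi.Length) bytes, last written $($fi.LastWriteTime)"
        })
    }
}

# 3. Scheduled tasks whose action executes a cc.bat, wherever it lives.
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'cc\.bat') {
            $findings.Add([PSCustomObject]@{
                Indicator = 'Scheduled task runs cc.bat'
                Path      = "$($task.TaskPath)$($task.TaskName)"
                Detail    = $cmd.Trim()
            })
        }
    }
}

# 4. If SessionEnv is running, check whether its host process has TSMSISrv.DLL mapped.
$svc = Get-CimInstance Win32_Service -Filter "Name='SessionEnv'"
if ($svc -and $svc.ProcessId) {
    try {
        $mod = (Get-Process -Id $svc.ProcessId -ErrorAction Stop).Modules |
               Where-Object { $_.ModuleName -ieq 'TSMSISrv.DLL' }
        if ($mod) {
            $findings.Add([PSCustomObject]@{
                Indicator = 'TSMSISrv.DLL loaded in SessionEnv host process'
                Path      = $mod.FileName
                Detail    = "PID $($svc.ProcessId), state $($svc.State)"
            })
        }
    } catch { Write-Warning "Could not enumerate modules of PID $($svc.ProcessId): $_" }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No SessionEnv side-loading artifacts found.' }
```

If the actor has already cleaned up the files, the stop/start of SessionEnv still leaves service control events (event ID 7036 in the System log) a few seconds apart, and the scheduled task history records the cc.bat executions; those are the places to look next.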
Introducing UNAPIMON for defense evasion
An interesting thing we observed in this attack is the use of a peculiar piece of malware that we named UNAPIMON. In essence, UNAPIMON employs defense evasion techniques to prevent child processes from being monitored, which we detail in the following sections.
Malware analysis
UNAPIMON itself is straightforward: it is a DLL written in C++ that is neither packed nor obfuscated, and nothing in it is encrypted except for a single string.
In its DllMain function, it first checks whether it is being loaded or unloaded. When the DLL is being loaded, it creates an event object for synchronization and starts the hooking thread.
As shown in Figure 3, the hooking thread first obtains the address of CreateProcessW from kernel32.dll and saves it for later use. CreateProcessW is one of the Windows API functions that can be used to create a process. It then installs a hook on it using Microsoft Detours, an open-source package developed by Microsoft for monitoring and instrumenting API calls on Windows. Detours works by overwriting the first instructions of the target function with a jump to the detour function and preserving the displaced instructions in a trampoline, so every call to CreateProcessW made in that process passes through UNAPIMON's code first.
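An inline hook of this kind changes the function's first bytes in memory but not on disk, which gives a defender a simple check. The script below is an added example, not code from the article or from UNAPIMON: it resolves an export of kernel32.dll in the current PowerShell process, reads its first bytes from memory, maps the same address back to the file on disk through the PE section table, and reports any difference. The HookCheck namespace and the function names are this example's own.

```powershell
# Added example, not from the article or from UNAPIMON. Compares the in-memory
# prologue of an exported function with the bytes of the same function on disk.
Add-Type -Namespace HookCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@

# Translate an RVA into a file offset by walking the section table of the on-disk PE.
function ConvertTo-FileOffset {
    param([byte[]]$Image, [long]$Rva)
    $nt      = [BitConverter]::ToInt32($Image, 0x3C)            # IMAGE_DOS_HEADER.e_lfanew
    $fileHdr = $nt + 4                                           # skip the "PE\0\0" signature
    $nSec    = [BitConverter]::ToUInt16($Image, $fileHdr + 2)    # NumberOfSections
    $optSize = [BitConverter]::ToUInt16($Image, $fileHdr + 16)   # SizeOfOptionalHeader
    $secTbl  = $fileHdr + 20 + $optSize
    for ($i = 0; $i -lt $nSec; $i++) {
        $s       = $secTbl + 40 * $i                             # IMAGE_SECTION_HEADER is 40 bytes
        $vsize   = [BitConverter]::ToUInt32($Image, $s + 8)
        $va      = [BitConverter]::ToUInt32($Image, $s + 12)
        $rawSize = [BitConverter]::ToUInt32($Image, $s + 16)
        $raw     = [BitConverter]::ToUInt32($Image, $s + 20)
        if ($Rva -ge $va -and $Rva -lt ($va + [Math]::Max($vsize, $rawSize))) {
            return [int]($raw + ($Rva - $va))
        }
    }
    throw ("RVA 0x{0:X} is not inside any section" -f $Rva)
}

function Compare-ExportPrologue {
    param([string]$Module, [string]$Function, [int]$Length = 16)
    $hMod = [HookCheck.Native]::GetModuleHandle($Module)
    $addr = [HookCheck.Native]::GetProcAddress($hMod, $Function)
    if ($addr -eq [IntPtr]::Zero) { throw "$Module!$Function could not be resolved" }

    # kernel32 forwards many exports to KernelBase, so find the loaded module that
    # actually contains the address and compare against that module's file.
    $a = $addr.ToInt64()
    $owner = [System.Diagnostics.Process]::GetCurrentProcess().Modules |
        Where-Object { $a -ge $_.BaseAddress.ToInt64() -and
                       $a -lt ($_.BaseAddress.ToInt64() + $_.ModuleMemorySize) } |
        Select-Object -First 1
    if (-not $owner) {
        return [PSCustomObject]@{ Function = "$Module!$Function"; Owner = '(none)'
                                  Verdict  = 'resolves outside every loaded module' }
    }

    $inMem = New-Object byte[] $Length
    [System.Runtime.InteropServices.Marshal]::Copy($addr, $inMem, 0, $Length)
    $image  = [System.IO.File]::ReadAllBytes($owner.FileName)
    $off    = ConvertTo-FileOffset -Image $image -Rva ($a - $owner.BaseAddress.ToInt64())
    $onDisk = $image[$off..($off + $Length - 1)]

    # Offsets that differ. A Detours jmp rel32 patch shows up as offsets 0 to 4.
    $diff = @(for ($i = 0; $i -lt $Length; $i++) { if ($inMem[$i] -ne $onDisk[$i]) { $i } })
    $verdict = if ($diff.Count) { "modified at offset(s) $($diff -join ',')" } else { 'matches disk' }
    [PSCustomObject]@{
        Function = "$Module!$Function"
        Owner    = $owner.ModuleName
        InMemory = ($inMem  | ForEach-Object { $_.ToString('X2') }) -join ' '
        OnDisk   = ($onDisk | ForEach-Object { $_.ToString('X2') }) -join ' '
        Verdict  = $verdict
    }
}

'CreateProcessW', 'CreateProcessA' | ForEach-Object {
    Compare-ExportPrologue -Module 'kernel32.dll' -Function $_
} | Format-List
```

Two caveats when reading the result. First, this inspects the PowerShell process itself; UNAPIMON's hook lives in the SessionEnv host process and in the injected cmd.exe, so to examine a suspect process the in-memory bytes have to be read with ReadProcessMemory and compared against the same on-disk mapping. Second, a mismatch means something detoured the function, not necessarily malware: EDR agents hook the same process-creation APIs, so the verdict has to be read together with which module the jump target lands in. On 32-bit images, absolute addresses past the first few bytes may also be relocated, which is why the decisive offsets are 0 to 4.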