Cybersecurity researchers at Trend Micro have discovered a brand new piece of malware that uses an unusual method to hide from antivirus programs.
The malware is called UNAPIMON and is apparently used by Winnti, an established Chinese state-sponsored threat actor that has been behind some of the most devastating attacks on governments, hardware and software vendors, think tanks, and more.
According to Trend Micro, many malware families use a technique known as API hooking to intercept calls, steal sensitive data, and alter how software behaves. Security tools use the same technique in reverse: they hook APIs in order to monitor what malware does.
Simplicity and originality
“Things are different with UNAPIMON. It uses Microsoft Detours to hook the CreateProcessW API function, allowing it to unhook critical API functions in child processes. As a result, it successfully evades antivirus detection.
A unique and striking feature of this malware is its simplicity and originality,” Trend Micro said in its report. “The use of existing technologies, such as Microsoft Detours, shows that any simple and off-the-shelf library can be used maliciously when used creatively. This also showed the malware writer’s coding skills and creativity.”
“In typical scenarios, it’s the malware that does the hooking. However, in this case it’s the opposite.”
Using Microsoft Detours has a further benefit here, the researchers explained: because Detours is a legitimate Microsoft library for instrumenting and intercepting Win32 functions rather than custom hooking code, its use also helps the malware slip past behavioral detection.
In its own report, BleepingComputer described the Winnti hackers as “known for their novel methods of evading detection when carrying out attacks.”
In 2020, the group was caught abusing Windows print processors to hide malware and persist on a target network. Two years later, it split a Cobalt Strike beacon into more than a hundred pieces, reassembling it only when it was needed.