Keypoints
- Attackers executed remote scheduled tasks (schtasks.exe) to run reconnaissance and deploy backdoors via batch files (cc.bat).
- The threat used DLL side-loading by copying a malicious DLL to %System%\TSMSISrv.DLL and restarting the SessionEnv service so that the service loads the planted DLL.
- UNAPIMON is a C++ DLL that hooks CreateProcessW (using Microsoft Detours), creating child processes suspended with CREATE_SUSPENDED to modify them before resuming.
- UNAPIMON copies target DLLs to a temp local copy, loads them with LoadLibraryEx(DONT_RESOLVE_DLL_REFERENCES), and compares headers/exports to find patched exports.
- For each patched export, the malware restores the original bytes (copies 8 bytes from the benign local copy into the child process) to “unpatch” hooked API functions.
- By unhooking APIs in child processes, UNAPIMON defeats monitoring/sandboxing that relies on API hooks, allowing malicious child processes to run undetected.
- Defensive recommendations include limiting admin privileges, frequent password rotation, and enforcing least privilege to reduce the impact of such techniques.
MITRE Techniques
- [T1053.005] Scheduled Task/Job – Used to execute remote batch files and launch payloads: (‘creates a remote scheduled task using schtasks.exe’).
- [T1543.003] Create or Modify System Process: Windows Service – Service restart used to force a service to load a malicious DLL: (‘copies a previously dropped %Windows%\Installer\hdr.bin to %System%\TSMSISrv.DLL … then restarts the service. This will make the service load and execute the file %System%\TSMSISrv.DLL.’).
- [T1574.001] DLL Search Order Hijacking – Side-loading technique in which a service looks up a library that does not normally exist on disk, so an attacker-controlled DLL placed at that path is loaded into the privileged service process: (‘second cc.bat first copies a previously dropped %Windows%\Installer\hdr.bin to %System%\TSMSISrv.DLL’).
- [T1055] Process Injection – Code was injected into vmtoolsd.exe (legitimate process) to start schtasks.exe and perform malicious actions: (‘a code of unknown origin was injected in vmtoolsd.exe that started schtasks.exe’).
- [T1059.001] Command and Scripting Interpreter: PowerShell – Reconnaissance and information-gathering commands were run via PowerShell and the command shell: (‘powershell.exe -command “Get-NetAdapter |select InterfaceGuid”’ and many cmd.exe commands listed).
- [T1218] Signed Binary Proxy Execution / Living-off-the-Land Binaries – Use of legitimate Windows utilities (vmtoolsd.exe, schtasks.exe, cmd.exe) to execute and disguise malicious actions: (‘vmtoolsd.exe … creates a remote scheduled task using schtasks.exe’ and subsequent use of cmd.exe to execute commands).
- [T1562.001] Impair Defenses: Disable or Modify Tools – UNAPIMON actively removes hooks from API exports in child processes to defeat API-based monitoring/sandboxing: (‘it copies 8 bytes from the loaded local copy (the original) to the remote address, which has been previously modified. This effectively removes any code patches applied to an exported address.’).
Indicators of Compromise
- [File hash] Malware sample SHA256 – 62ad0407a9cce34afb428dee972292d2aa23c78cbc1a44627cb2e8b945195bc2 (Trojan.Win64.UNAPIMON.ZTLB).
- [File names] Side-loading and payload names seen in the attack – %System%\TSMSISrv.DLL, %Windows%\_{5-9 random letters}.dll, %Windows%\Installer\hdr.bin (used for DLL side-loading and dropped payloads).
- [Processes/Services] Legitimate binaries abused – vmtoolsd.exe (injected), schtasks.exe (remote task creation), cmd.exe (backdoor command execution); SessionEnv service (used to trigger DLL load).
- [Scripts/Batch files] Deployed scripts – %System%\cc.bat and %Windows%\Installer\cc.bat used for reconnaissance and backdoor deployment.
UNAPIMON is a straightforward, unpacked C++ DLL that installs a Microsoft Detours hook on CreateProcessW to intercept process creation. The hook calls the real CreateProcessW but with CREATE_SUSPENDED, enumerates a hardcoded list of DLLs loaded in the child process, copies each target DLL to a randomly named temp DLL, and loads the local copy with LoadLibraryEx(DONT_RESOLVE_DLL_REFERENCES) to obtain an unmodified reference image. It compares headers and export table entries to detect modified (hooked) exports by checking memory protections and opcode differences (e.g., 0xE8/0xE9 or mismatched first bytes).
After identifying modified export addresses, UNAPIMON writes the original first eight bytes from the benign local copy into the child process's memory at each patched export address, restoring the original API entry points (unpatching). Once all targeted exports are restored, it unloads and deletes the temporary local DLL copy and resumes the suspended main thread, so the child process runs without the API hooks that monitoring tools rely on.
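The defender-side counterpart to the unpatching described above is a hook-integrity check: a monitor that relies on inline hooks re-reads the first bytes of each hooked export and classifies them against the stub it installed and against the pristine bytes from the clean image, the same two references the malware compares. The following is an added example, not code from the Trend Micro report or from any monitoring product; the process-memory model, the export addresses, the trampoline address and the prologue byte patterns are constructed for the example.

```python
"""Hook-integrity check for an API monitor (added example; constructed data)."""
import struct
from dataclasses import dataclass

STUB_LEN = 8  # the page notes that UNAPIMON restores 8 bytes at each patched export


@dataclass
class HookedExport:
    module: str
    name: str
    address: int      # virtual address of the export inside the monitored process
    original: bytes   # first 8 bytes from the clean on-disk image
    installed: bytes  # first 8 bytes after the monitor placed its own hook


def decode_rel32_branch(addr: int, code: bytes):
    """Return ('call'|'jmp', target) if code starts with E8/E9 rel32, else None.

    The target is the address of the next instruction plus the signed 32-bit
    displacement, which is how a five-byte inline hook reaches its handler."""
    if len(code) < 5 or code[0] not in (0xE8, 0xE9):
        return None
    disp = struct.unpack_from("<i", code, 1)[0]
    kind = "call" if code[0] == 0xE8 else "jmp"
    return kind, (addr + 5 + disp) & 0xFFFFFFFFFFFFFFFF


def make_jmp_stub(addr: int, target: int, original: bytes) -> bytes:
    """Build an E9 rel32 jmp to `target`, keeping the original tail bytes."""
    disp = target - (addr + 5)
    return bytes([0xE9]) + struct.pack("<i", disp) + original[5:STUB_LEN]


def classify(hook: HookedExport, live: bytes) -> str:
    """Classify the live prologue of one hooked export."""
    live = live[:STUB_LEN]
    if live == hook.installed:
        return "intact"
    if live == hook.original:
        return "unhooked"  # restored to the clean image, the UNAPIMON-style unpatch
    branch = decode_rel32_branch(hook.address, live)
    if branch:
        return f"rehooked:{branch[0]}->{branch[1]:#x}"  # a foreign hook replaced ours
    return "corrupted"


def verify_hooks(hooks, read_memory) -> dict:
    """read_memory(address, size) -> bytes; returns {module!export: status}."""
    return {f"{h.module}!{h.name}": classify(h, read_memory(h.address, STUB_LEN))
            for h in hooks}


# --- constructed scenario (addresses and prologue bytes are made up) ----------
MONITOR_TRAMPOLINE = 0x7FF812340000  # where the monitor's handler is assumed to live
ORIG_CPW = bytes.fromhex("4c8bdc49895b1849")
ORIG_NTWVM = bytes.fromhex("4c8bd1b83a000000")
ORIG_WPM = bytes.fromhex("48895c2408574883")
HOOKS = [
    HookedExport("kernel32.dll", "CreateProcessW", 0x7FF800001000, ORIG_CPW,
                 make_jmp_stub(0x7FF800001000, MONITOR_TRAMPOLINE, ORIG_CPW)),
    HookedExport("ntdll.dll", "NtWriteVirtualMemory", 0x7FF800002000, ORIG_NTWVM,
                 make_jmp_stub(0x7FF800002000, MONITOR_TRAMPOLINE, ORIG_NTWVM)),
    HookedExport("kernel32.dll", "WriteProcessMemory", 0x7FF800003000, ORIG_WPM,
                 make_jmp_stub(0x7FF800003000, MONITOR_TRAMPOLINE, ORIG_WPM)),
]


def build_sample_memory():
    """Simulated child-process memory: one hook intact, one restored to the clean
    bytes (what UNAPIMON does), one overwritten by a foreign E8 call stub."""
    mem = {
        HOOKS[0].address: HOOKS[0].installed,
        HOOKS[1].address: HOOKS[1].original,
        HOOKS[2].address: bytes([0xE8]) + struct.pack("<i", 0x1000) + b"\x90\x90\x90",
    }
    return lambda addr, size: mem[addr][:size]


if __name__ == "__main__":
    for export, status in verify_hooks(HOOKS, build_sample_memory()).items():
        print(f"{export:40} {status}")
```

The check distinguishes "unhooked" (bytes equal the clean image, which is the signature of this malware's unpatching) from "rehooked" (another E8/E9 stub now points elsewhere) and from arbitrary corruption, so an alert can say which of the three happened. In a real monitor `read_memory` would wrap a process-memory read on the suspended child before it is resumed.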
The attack chain used scheduled tasks to run reconnaissance (numerous net, wmic, ipconfig, and powershell commands), then leveraged a service-based DLL side-loading method to launch a backdoor (cmd.exe injecting/using the dropped %Windows%\_{…}.dll). The combination of DLL hijacking, CreateProcessW hooking/unhooking, and use of legitimate binaries enables the threat actor to evade API-based monitoring and sandboxing systems. Read more: https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html
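The attack chain above maps onto a few host-telemetry rules that can be correlated: remote schtasks.exe creation, a file written to the SessionEnv side-load path, a stop/start of SessionEnv, and reconnaissance commands run from the resulting shell. The following is an added example, not code from the Trend Micro report; it runs those rules over constructed, Sysmon-style event records (the field names, hostnames, paths and sample values are assumptions made for this example) and then checks whether the full side-loading chain is present.

```python
"""Detection rules for the schtasks -> TSMSISrv.DLL -> SessionEnv chain (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # MITRE technique id, as listed on the page
    event_id: int
    detail: str


# Constructed sample telemetry (not real logs); hostnames and paths are made up.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "vmtoolsd.exe"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "cmdline": r'schtasks.exe /create /s SRV-EXAMPLE /tn upd /tr "cmd /c C:\Windows\System32\cc.bat" /sc once /st 23:00'},
    {"id": 3, "type": "file", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Windows\System32\TSMSISrv.DLL"},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "net stop SessionEnv"},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "net start SessionEnv"},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'powershell.exe -command "Get-NetAdapter |select InterfaceGuid"'},
    {"id": 7, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "schtasks.exe /query"},  # benign control
]

# Command fragments from the page's reconnaissance list (net, wmic, ipconfig, PowerShell).
RECON_PATTERNS = [r"\bGet-NetAdapter\b", r"\bipconfig\b", r"\bwmic\b",
                  r"\bnet\s+(user|group|view|localgroup)\b"]
SIDELOAD_DLL = "tsmsisrv.dll"      # the DLL name the SessionEnv service loads
SIDELOAD_SERVICE = "sessionenv"    # restarting it forces the load


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events) -> list:
    """Apply per-event rules; each hit names the MITRE technique it maps to."""
    findings = []
    for ev in events:
        image, parent = basename(ev.get("image", "")), basename(ev.get("parent", ""))
        cmd = ev.get("cmdline", "")
        if ev["type"] == "process":
            # Remote task creation: schtasks /create carrying an /s <host> argument.
            if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) \
                    and re.search(r"(^|\s)/s\s+\S+", cmd, re.I):
                findings.append(Finding("remote_schtasks_create", "T1053.005", ev["id"],
                                        f"parent={parent}"))
            # Stop/start of SessionEnv via net.exe or sc.exe.
            if image in ("net.exe", "sc.exe") and \
                    re.search(rf"\b(stop|start)\s+{SIDELOAD_SERVICE}\b", cmd, re.I):
                findings.append(Finding("sessionenv_restart", "T1543.003", ev["id"], cmd))
            # Reconnaissance commands launched from a shell.
            if image in ("powershell.exe", "cmd.exe", "net.exe", "wmic.exe", "ipconfig.exe") \
                    and any(re.search(p, cmd, re.I) for p in RECON_PATTERNS):
                findings.append(Finding("recon_command", "T1059.001", ev["id"], cmd))
        elif ev["type"] == "file":
            target = ev.get("target", "")
            # A write to the side-load path is abnormal: the DLL does not normally exist there.
            if basename(target) == SIDELOAD_DLL and "\\system32\\" in target.lower():
                findings.append(Finding("sideload_dll_dropped", "T1574.001", ev["id"], target))
    return findings


def chain_detected(findings) -> bool:
    """True when all three stages of the service-based side-load are present."""
    rules = {f.rule for f in findings}
    return {"remote_schtasks_create", "sideload_dll_dropped", "sessionenv_restart"} <= rules


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.technique}] event {f.event_id}: {f.rule} ({f.detail})")
    print("full chain:", chain_detected(hits))
```

The individual rules are noisy on their own (administrators do restart services and create remote tasks), which is why `chain_detected` only fires when the remote task, the dropped TSMSISrv.DLL and the SessionEnv restart all appear together; the benign `schtasks /query` event is left alone.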