This new malware employs clever tactics to avoid detection by antivirus software.

Cybersecurity researchers from Trend Micro recently uncovered a sophisticated piece of malware known as UNAPIMON that uses a unique method to avoid detection by antivirus programs.

The malware has been linked to Winnti, an established Chinese state-sponsored threat actor responsible for significant attacks against governments, hardware and software vendors, and think tanks.

Whereas most malware uses API hooking to intercept calls and manipulate software, UNAPIMON uses Microsoft Detours to hook the CreateProcessW API function in a way that lets it evade detection by antivirus software. This unconventional approach showcases the malware's simplicity and originality, highlighting the ingenuity of its creators.

Typically it is the malware that installs hooks, but here the malware's role is reversed: it leverages Microsoft Detours to remove them. The use of this legitimate Microsoft tool further enhances its ability to bypass behavioral detection mechanisms.

Notably, the Winnti hackers have a reputation for employing innovative techniques to avoid detection during their attacks. In the past, they have utilized methods such as abusing Windows print processors to conceal malware and fragmenting a Cobalt Strike beacon into numerous pieces to evade detection until needed.

These tactics emphasize the group’s advanced capabilities and their commitment to staying undetected while carrying out malicious activities.

Evading Detection with Microsoft Detours

According to Trend Micro, the use of Microsoft Detours by UNAPIMON enables it to unhook critical API functions within child processes, allowing it to avoid detection by antivirus programs. This novel approach demonstrates the malware’s ability to leverage existing technologies in creative and malicious ways.

By employing Microsoft Detours, the malware not only evades traditional antivirus detection methods but also showcases the expertise and innovation of its developers. The unique use of this off-the-shelf library underscores the sophisticated nature of the UNAPIMON malware.
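One defensive check that follows directly from this behaviour, written here as an added example (it is neither Trend Micro's code nor the malware's): compare each export's in-memory prologue with the clean on-disk image, decode any Detours-style `jmp rel32`, and flag both functions whose expected security-agent hook has been removed (the unhooking UNAPIMON performs in child processes) and functions carrying a jump into an untrusted address range (a foreign hook such as the one on CreateProcessW). All addresses, byte patterns and the agent hook list are constructed for the sample.

```python
import struct

MASK = 0xFFFFFFFFFFFFFFFF

def decode_jmp(code, addr, read_ptr=None):
    """Return the destination of an x64 jmp at the start of `code`, else None.
    E9 rel32 is the inline jump Detours writes; FF 25 disp32 is a RIP-relative
    indirect jump whose 8-byte pointer `read_ptr(address)` supplies."""
    if len(code) >= 5 and code[0] == 0xE9:
        return (addr + 5 + struct.unpack_from("<i", code, 1)[0]) & MASK
    if len(code) >= 6 and code[:2] == b"\xff\x25" and read_ptr is not None:
        return read_ptr((addr + 6 + struct.unpack_from("<i", code, 2)[0]) & MASK)
    return None

def classify(name, addr, mem, disk, agent_hooks, trusted):
    """Verdict for one export. `agent_hooks` names the functions the security
    agent itself hooks; `trusted` is the (lo, hi) range of its hook module."""
    if mem == disk:                       # prologue identical to the clean image
        return "unhooked" if name in agent_hooks else "clean"
    target = decode_jmp(mem, addr)
    if target is None:
        return "patched"                  # modified, but not a recognisable jmp
    lo, hi = trusted
    return "hooked-trusted" if lo <= target < hi else "hooked-foreign"

def scan(exports, agent_hooks, trusted):
    return {n: classify(n, a, m, d, agent_hooks, trusted) for n, (a, m, d) in exports.items()}

# Constructed sample: (address, in-memory bytes, on-disk bytes) per export.
# Addresses and byte patterns are illustrative, not taken from a real system.
def _detoured(src, dst, disk):
    """Simulate a Detours-style inline hook: first 5 bytes become jmp rel32."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5)) + disk[5:]

AGENT_RANGE = (0x7FF840000000, 0x7FF840100000)               # hypothetical agent DLL
AGENT_HOOKS = {"ntdll!NtCreateThreadEx", "ntdll!NtWriteVirtualMemory"}
_STUB = bytes.fromhex("4c8bd1b8c1000000f604250803fe7f01")      # syscall-stub shape
_PRO  = bytes.fromhex("48895c240848896c241048897424185741")     # ordinary prologue shape

def run_sample():
    exports = {
        "ntdll!NtCreateThreadEx":     (0x7FF800010000, _detoured(0x7FF800010000, 0x7FF840001000, _STUB), _STUB),
        "ntdll!NtWriteVirtualMemory": (0x7FF800010100, _STUB, _STUB),   # agent hook removed
        "kernel32!CreateProcessW":    (0x7FF810002000, _detoured(0x7FF810002000, 0x7FF812340000, _PRO), _PRO),
        "kernel32!ReadFile":          (0x7FF810003000, _PRO, _PRO),
    }
    return scan(exports, AGENT_HOOKS, AGENT_RANGE)

if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name:30} {verdict}")
```

On a live system the same logic would be fed by reading each export's bytes from the target process and from a freshly mapped copy of the DLL on disk; the "unhooked" verdict on a function the agent expects to hook is the signal this malware family produces.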

Winnti Hackers: Masters of Evasion

The Winnti hackers have a history of utilizing unconventional methods to evade detection during their cyber-attacks. Their adeptness at hiding malware within legitimate processes and fragmenting malicious tools demonstrates their sophistication and skill in the realm of cybersecurity evasion.

By continually evolving their tactics and leveraging advanced techniques like API hooking with Microsoft Detours, the Winnti group remains a formidable threat in the cybersecurity landscape, posing significant challenges to security researchers and organizations worldwide.

