Earth Freybug, a China-linked actor, has been observed using malware to get around safeguards that monitor Windows application programming interfaces (APIs) for signs of malicious activity. UNAPIMON, the malware identified by Trend Micro, removes the hooks that security products place on Windows APIs to inspect API calls.

The malware attempts to “unhook critical API functions in any child process,” Trend Micro said.

It unhooks APIs in the processes the malware spawns, so that sandboxes, anti-virus, and other detection mechanisms that rely on those hooks no longer see what the child processes do. Malicious code can then run undetected, because the child processes are effectively unmonitored.
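As an added example (not code from the article or from Trend Micro), the following Python models the integrity check a monitoring agent could run to notice that its hooks have vanished from a child process; the function names, prologue bytes, syscall number and process ids are all constructed.

```python
"""Hook-integrity audit: detect user-mode API hooks that were removed.
Added example, not code from the article or Trend Micro. It models the check a
monitoring agent can run per instrumented process: compare the leading bytes of
each hooked function with what the agent wrote at hook time and with the pristine
bytes saved beforehand. Names, syscall numbers and memory below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HookRecord:
    function: str    # hooked export, e.g. "ntdll!NtCreateFile"
    original: bytes  # pristine prologue saved before the hook was written
    hooked: bytes    # prologue as written by the agent (same length)


def classify(record: HookRecord, current: bytes) -> str:
    """'intact' if the hook is still in place, 'unhooked' if the original
    prologue is back, otherwise 'tampered' (unexpected bytes at the entry)."""
    head = current[: len(record.hooked)]
    if head == record.hooked:
        return "intact"
    if head == record.original:
        return "unhooked"
    return "tampered"


def audit(pid: int, hooks: list, memory: dict) -> list:
    """One finding per hook that is no longer intact in process `pid`."""
    findings = []
    for h in hooks:
        state = classify(h, memory.get(h.function, b""))
        if state != "intact":
            findings.append({"pid": pid, "function": h.function, "state": state})
    return findings


# Constructed baseline: a typical x64 Nt* stub (mov r10, rcx; mov eax, <ssn>)
# and the agent's 8-byte patch (E9 rel32 near jump plus NOP padding).
ORIGINAL = b"\x4c\x8b\xd1\xb8\x55\x00\x00\x00"
HOOKED = b"\xe9\x11\x22\x33\x44\x90\x90\x90"
HOOKS = [HookRecord("ntdll!NtCreateFile", ORIGINAL, HOOKED)]


def demo() -> list:
    # Parent still carries the hook; the child it spawned has the pristine
    # prologue back, which is the unhooking the article describes.
    parent_mem = {"ntdll!NtCreateFile": HOOKED + b"\x0f\x05\xc3"}
    child_mem = {"ntdll!NtCreateFile": ORIGINAL + b"\x0f\x05\xc3"}
    return audit(1000, HOOKS, parent_mem) + audit(1001, HOOKS, child_mem)
```

A real agent would read the prologue bytes from the target process memory instead of the constructed dictionaries; the classification and reporting logic stay the same.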

The group is believed to be a subset of APT41 (Chinese-speaking), associated with Wicked Panda, Barium, and Suckfly. The threat actor has been seen using LOLBins to leverage WMI and PowerShell. Active since 2012, the group is assessed to be primarily financially motivated. APT41 tends to target industries in the US and Asia, stealing trade secrets and intellectual property in large volumes.

By Ghost40