Security News, April 2024: Winnti's new UNAPIMON tool hides malware from security software
The Chinese 'Winnti' hacking group was found using a previously undocumented malware called UNAPIMON to let malicious processes run without being detected.
UNAPIMON is a C++ malware delivered in DLL form. It uses Microsoft Detours to hook the CreateProcessW API function, which allows it to unhook critical API functions in child processes.
Because many security tools employ API hooking to track malicious activity, UNAPIMON's mechanism allows it to unhook those APIs from a malicious child process to evade detection.
The CreateProcessW hook modifies the process creation call so that the new process starts in a suspended state, allowing it to be manipulated before the process runs.
It then compares the copied DLLs against the originals loaded in the process, looking for modifications to exported function addresses that indicate security software hooks.
Trend Micro explains that most malware employs hooking to intercept calls, capture sensitive data, and alter software behavior.