Antivirus

This previously unknown malware has some crafty tricks for avoiding antivirus

Cybersecurity researchers from Trend Micro have uncovered a brand new piece of malware that uses an unusual method of hiding from antivirus programs. The malware is called UNAPIMON, and is apparently being used by Winnti, an established Chinese state-sponsored threat actor that was behind some of the most devastating attacks against governments, hardware and software

Cybersecurity researchers from Trend Micro have uncovered a brand new piece of malware that uses an unusual method of hiding from antivirus programs.

The malware is called UNAPIMON, and is apparently being used by Winnti, an established Chinese state-sponsored threat actor that was behind some of the most devastating attacks against governments, hardware and software vendors, think tanks, and more.

According to Trend Micro, many malware variants are using a method known as API hooking to eavesdrop on calls, grab sensitive data, and tweak different software. Therefore, many security tools also use API hooking to track the malware.

Simplicity and originality

“With UNAPIMON, things are different. It uses Microsoft Detours for hooking the CreateProcessW API function, which allows it to unhook critical API functions in child processes. As a result, it successfully evades antivirus detection. 

A unique and notable feature of this malware is its simplicity and originality,” Trend Micro said in its report. “Its use of existing technologies, such as Microsoft Detours, shows that any simple and off-the-shelf library can be used maliciously if used creatively. This also displayed the coding prowess and creativity of the malware writer.”

“In typical scenarios, it is the malware that does the hooking. However, it is the opposite in this case.”

Using Microsoft Detours in this regard has other benefits, too, the researchers expla

Read More

Be the first to write a comment.

Leave a Reply

Your email address will not be published. Required fields are marked *

Antivirus

Bitdefender Total Security review: One of the top antivirus options you can buy

Bitdefender bundles antivirus and anti-malware with other digital privacy tools to keep you safer. Here’s how it works…

Bitdefender bundles antivirus and anti-malware with other digital privacy tools to keep you safer. Here’s how it works…
Read More

Continue Reading
Antivirus

Best free antivirus 2024: Keep your PC safe without spending a dime

A lot of time is spent looking at the best paid antivirus suites, but free antivirus solutions are worth discussion, too. After all, free versions are based on their paid counterparts. Good news is, when you see a free alternative to a paid version you like…

A lot of time is spent looking at the best paid antivirus suites, but free antivirus solutions are worth discussion, too. After all, free versions are based on their paid counterparts.

Good news is, when you see a free alternative to a paid version you like…
Read More

Continue Reading
Antivirus

Avast security tools hijacked in order to crack antivirus protection

Researchers spot new campaign that can turn off antivirus protection Malware uses legitimate Avast Anti-Rootkit driver to access kernel level Once antivirus is deactivated, the malware can proceed without detection Hackers are using a legitimate Avast Anti-Rootkit driver to disguise their malware, turn off antivirus protection, and infect systems, experts have warned. The vulnerable driver


  • Researchers spot new campaign that can turn off antivirus protection
  • Malware uses legitimate Avast Anti-Rootkit driver to access kernel level
  • Once antivirus is deactivated, the malware can proceed without detection

Hackers are using a legitimate Avast Anti-Rootkit driver to disguise their malware, turn off antivirus protection, and infect systems, experts have warned.

The vulnerable driver has been exploited in a number of attacks since 2021, with the original vulnerabilities being present since at least 2016, research by Trellix, has claimed, noting the malware can use the vulnerable driver to end the processes of security software at the kernel level.

The malware in question belongs to the AV Killer family, with the attack using a vector known as bring-your-own-vulnerable-driver (BYOVD) to infect the system.

Virus can turn off antivirus

Trellix outlined how the malware uses a file named ‘kill-floor.exe’ to place the vulnerable driver named ‘ntfs.bin’ into the default Windows user folder, before using the Service Control executable (sc.exe) to register the driver using the ‘aswArPot.sys’ service.

Included within the malware is a hardcoded list of 142 processes used by common security products, which is used to check system process snapshots for any matches.

The malware then uses the ‘DeviceIoControl’ API to run the relevant commands to end the process, thereby preventing the antivirus from detecting the malware.

The hardcoded list includes processes belonging to a number of security products from names such as McAfee, Avast, Microsoft Defender, BlackBerry, Sophos, and many more.

As BleepingComputer points out, this isn’t the first time a BYOVD attack has exploited a vulnerable Avast driver, with the 2021 Avoslocker ransomware attacks abusing an Avast Anti-R

Read More

Continue Reading
Antivirus

The best antivirus software for staying protected online

The top antivirus software options to protect your personal and financial data when shopping or browsing online…

The top antivirus software options to protect your personal and financial data when shopping or browsing online…
Read More

Continue Reading