VMware Tools is a component installed in VMware-based virtual machines in order to communicate with the host system and enable file and clipboard operations as well as shared folders and drivers. “Although the origin of the malicious code in vmtoolsd.exe in this incident is unknown, there have been documented infections wherein vulnerabilities in legitimate applications were exploited via vulnerable external-facing servers,” the Trend Micro researchers said.
One of the created scheduled tasks executes a batch program called cc.bat that contains a series of commands to gather information about the system including its name, local IP address, running processes, available accounts including administrators, the domain it’s part of and much more. The information is gathered through Windows command-line utilities and the output is saved to a text file.
The program then executes a second scheduled task that launches another batch file, also called cc.bat, which differs from the first one. This second program copies a previously dropped file called hdr.bin to %System%\TSMSISrv.DLL and then restarts the SessionEnv Windows service.
How UNAPIMON is using DLL hijacking
This technique is known as DLL hijacking: when it starts, the SessionEnv service automatically looks for a library named TSMSISrv.DLL and loads it. The attackers take advantage of this by planting their own malicious DLL with that name, so their code is loaded into memory by a legitimate process and service, potentially evading some behavioral detections by security products.
The malicious code from TSMSISrv.DLL drops another randomly named DLL file and injects it into a new instance of cmd.exe, the Windows command-line shell. This new cmd.exe process then listens for commands received from a remote machine and executes them, essentially acting as a backdoor.
However, the DLL file injected into it is the one that stands out because it’s meant to hide the behavior of child processes by using an unusual technique that the Trend Micro researchers describe as application programming interface (API) unhooking.
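The staging chain described above (a scheduled task running cc.bat, a non-Microsoft TSMSISrv.DLL loaded by the SessionEnv service host, and a cmd.exe spawned from that host to receive injected code) lends itself to a few endpoint-telemetry rules. The following is an added example, not code from the article or from Trend Micro; it assumes Sysmon-style field names (EventID 7 image loads, EventID 1 process creations) and runs over constructed records rather than real logs.

```python
import ntpath


def _base(path):
    # Lower-cased file name of a Windows path ('' if the field is missing)
    return ntpath.basename(path or "").lower()


def check_event(ev):
    """Return the list of alert strings raised by one event record."""
    alerts = []
    if ev.get("EventID") == 7:  # image load
        if _base(ev.get("ImageLoaded")) == "tsmsisrv.dll":
            trusted = (ev.get("Signed", "").lower() == "true"
                       and ev.get("SignatureStatus") == "Valid"
                       and "microsoft" in ev.get("Signature", "").lower())
            if not trusted:  # the planted hdr.bin copy will not carry a Microsoft signature
                alerts.append("non-Microsoft TSMSISrv.DLL loaded by " + _base(ev.get("Image")))
    elif ev.get("EventID") == 1:  # process create
        cmdline = ev.get("CommandLine", "").lower()
        if "cc.bat" in cmdline:
            alerts.append("cc.bat executed: " + ev.get("CommandLine", ""))
        # Assumption: a cmd.exe started only to host injected code is given no
        # script or /c argument; a Task Scheduler launch of a .bat would carry one.
        if (_base(ev.get("Image")) == "cmd.exe"
                and _base(ev.get("ParentImage")) == "svchost.exe"
                and not any(t in cmdline for t in ("/c", "/k", ".bat", ".cmd"))):
            alerts.append("argument-less cmd.exe spawned by a service host")
    return alerts


def scan(events):
    """Run every record through check_event; return (index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]


# Constructed sample telemetry, not captured from a real incident.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\TSMSISrv.DLL",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'cmd.exe /c "C:\ProgramData\cc.bat"'},
]
```

The service-host rule needs tuning on a real fleet, since the Task Scheduler service also runs under svchost.exe and legitimately spawns cmd.exe for batch tasks; the signature check is the higher-confidence signal.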