VMware Instruments is a element put in in VMware-based digital machines in an effort to talk with the host system and allow file and clipboard operations in addition to shared folders and drivers. “Though the origin of the malicious code in vmtoolsd.exe on this incident is unknown, there have been documented infections whereby vulnerabilities in respectable purposes have been exploited through susceptible external-facing servers,” the Development Micro researchers stated.
One of many created scheduled duties executes a batch program known as cc.bat that incorporates a sequence of instructions to collect details about the system together with its identify, native IP deal with, operating processes, out there accounts together with directors, the area it’s a part of and rather more. The data is gathered via Home windows command-line utilities and the output is saved to a textual content file.
This system then executes a second scheduled duties that launches one other file batch program known as cc.bat that’s completely different from the primary one. This second program copies a beforehand dropped file known as hdr.bin to %SystempercentTSMSISrv.DLL after which restarts the SessionEnv Home windows service.
How UNAPIMON is utilizing DLL hijacking
This system is called DLL hijacking as a result of the SessionEnv service robotically seems to be for the library known as TSMSISrv.DLL to load it when it begins. The attackers benefit from this by planting their very own malicious DLL file with that identify, the benefit being that their malicious code is now loaded into reminiscence by a respectable course of and repair, probably evading some behavioral detections by security merchandise.
The malicious code from TSMSISrv.DLL drops one other randomly named DLL file and injects it into a brand new occasion of cmd.exe, the Home windows command-line shell. This new cmd.exe course of then listens for instructions acquired from a distant machine and executes them, primarily appearing as a backdoor.
Nevertheless, the DLL file injected into it’s the one which stands out as a result of it’s meant to cover the habits of kid processes through the use of an uncommon approach that the Development Micro researchers describe as software programming interface (API) unhooking.
