Security researchers at ESET recently uncovered a campaign carried out by the InvisiMole group that has been targeting a small number of high-profile organizations in the military sector and diplomatic missions in Eastern Europe.
The group was first spotted by ESET in 2018, when the experts detected a sophisticated piece of spyware, tracked as InvisiMole, used in targeted attacks in Russia and Ukraine in the previous five years.
The group has been active since at least 2013. ESET experts linked it to the Russia-linked Gamaredon APT group, although they consider the two crews independent.
Experts noticed that in the recent campaign, threat actors dropped InvisiMole’s tools only on systems that have been previously compromised by Gamaredon.
“We discovered InvisiMole’s arsenal is only unleashed after another threat group, Gamaredon, has already infiltrated the network of interest, and possibly gained administrative privileges. This allows the InvisiMole group to devise creative ways to operate under the radar.” reads the analysis published by ESET.
“For example, the attackers use long execution chains, crafted by combining malicious shellcode with legitimate tools and vulnerable executables. They use DNS tunneling for stealthier C&C communications, and place execution guardrails on the malicious components to hide the malware from security researchers.”
Threat actors drop InvisiMole’s tools and malicious code on a small number of targets, likely those deemed of interest, using a .NET downloader associated with Gamaredon.
The group resurfaced with an updated toolset. Experts also observed the InvisiMole implant being spread within compromised networks in the following ways:
The attack chain begins with the deployment of a TCP downloader that fetches the next stage payload. Experts also observed attackers using a DNS downloader that was designed for long-term, covert access to the target machine. The downloader communicates with C2 servers using DNS tunneling.
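A defender's-side illustration of the DNS tunneling point above, added here and not part of the ESET report or this article: a small Python triage script that scores DNS query logs for the traits a tunneling downloader tends to leave behind (many unique, long, high-entropy leftmost labels under one zone, often as TXT queries). The log lines, client addresses and domains are constructed for the example and are not real indicators.

```python
import math
from collections import defaultdict

# Constructed sample log (timestamp client qname qtype); not real indicators.
SAMPLE_DNS_LOG = """\
2020-06-18T10:00:01 10.0.0.5 www.example.com A
2020-06-18T10:00:02 10.0.0.5 mail.example.com A
2020-06-18T10:00:03 10.0.0.7 a9f3k2q8z1b7c4d6e0f5g2h8j3k9.updates.example.net TXT
2020-06-18T10:00:04 10.0.0.7 x7m2p4r9s1t6v3w8y0z5q1n4b7c2.updates.example.net TXT
2020-06-18T10:00:05 10.0.0.7 k3l8n1p5q9r2s6t0v4w7y1z3a8b2.updates.example.net TXT
2020-06-18T10:00:06 10.0.0.7 d4f7h2j9k1l6m3n8p0q5r2s7t4v1.updates.example.net TXT
2020-06-18T10:00:07 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(s):
    """Bits per character; encoded payload labels score well above real hostnames."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def parse_log(text):
    """Yield (client, leftmost_label, zone, qtype); zone is a naive last-two-label cut."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, qname, qtype = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # bare zone: no leftmost label to carry data in
        yield client, labels[0], ".".join(labels[-2:]), qtype.upper()

def score_zones(records, min_labels=3, entropy_floor=3.5, length_floor=20):
    """Flag zones whose leftmost labels look like encoded data rather than hostnames."""
    per_zone = defaultdict(list)
    for client, label, zone, qtype in records:
        per_zone[zone].append((client, label, qtype))
    findings = {}
    for zone, entries in per_zone.items():
        labels = {lbl for _, lbl, _ in entries}
        if len(labels) < min_labels:
            continue  # too few distinct labels to judge
        mean_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        mean_len = sum(len(l) for l in labels) / len(labels)
        if mean_ent >= entropy_floor and mean_len >= length_floor:
            findings[zone] = {"unique_labels": len(labels), "mean_entropy": round(mean_ent, 2),
                              "txt_share": round(sum(q == "TXT" for _, _, q in entries) / len(entries), 2),
                              "clients": sorted({c for c, _, _ in entries})}
    return findings
```

Thresholds are starting points to tune against a baseline of the environment's own DNS traffic; CDNs and anti-spam lookups also produce long random-looking labels, so the zone-level aggregation and client list are there to support triage, not to block on their own.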
In the recent campaign, the group used long execution chains to deploy final payloads that are updated variants of the RC2CM and RC2CL backdoors.
Experts observed the following execution chains used by the attackers:
The activity of the group is characterized by the heavy use of legitimate tools and per-victim encryption in the early stages of the attack chains.
“After discovering new activity in late 2019, we gained the opportunity to take a proper look under the hood of InvisiMole’s operations and piece together the hidden parts of the story. Analyzing the group’s updated toolset, we observed continuous development and substantial improvements, with special focus on staying under the radar,” ESET concludes.
(SecurityAffairs – hacking, InvisiMole)