InvisiMole Group Hits Military, Diplomats in Highly Targeted Campaign

In a recent campaign, the elusive InvisiMole group has been targeting a small number of high-profile organizations in the military sector and diplomatic missions in Eastern Europe, ESET reports.

First publicly reported in 2018 but active since at least 2013, InvisiMole appears to be closely connected to the Russia-linked threat group Gamaredon, which is also believed to have been active since 2013. Despite the close connection, ESET assesses the two to be separate groups.

An analysis of the recent attacks, which started in late 2019 and appear to be ongoing, revealed that InvisiMole’s tools are deployed only in environments that Gamaredon has already compromised.

In fact, a .NET downloader associated with Gamaredon is used to deploy InvisiMole, but only on a small number of targets, likely those the attackers have judged to be of particular interest.

“Our research suggests that targets considered particularly significant by the attackers are upgraded from relatively simple Gamaredon malware to the advanced InvisiMole malware. This allows the InvisiMole group to devise creative ways of operating under the radar,” comments Zuzana Hromcová, the ESET researcher who analyzed InvisiMole.

During these attacks, the threat actor actively updated its toolset, redesigning and recompiling existing components and adding new tools. ESET found multiple versions of one of the backdoors, some of them compiled shortly before deployment.

Once it has established a foothold in a compromised environment, InvisiMole uses several techniques for lateral movement, including exploitation of the BlueKeep (CVE-2019-0708) RDP and EternalBlue (CVE-2017-0144) SMB vulnerabilities, both of which have had patches available since their disclosure, and trojanized documents and software installers that replace the original versions within the compromised organization.

The first component deployed on a newly compromised machine is a TCP downloader that fetches the next stage. In some cases the attackers instead used a DNS downloader, designed for persistent, covert access to the machine, which tunnels its command and control (C&C) traffic over DNS.
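As an added illustration of the detection side of that DNS downloader (this is example code written for this page, not ESET's tooling or any InvisiMole component): a small heuristic that scores resolver query logs per client and zone, and reports a zone that receives many distinct, long, high-entropy subdomain labels from a single host, which is the pattern a DNS tunnel produces whether the data rides in the query name or in TXT answers. The log format, the zone `cdn-sync.example`, the client addresses and the thresholds are all constructed for the example.

```python
"""Heuristic detector for DNS-tunnelling style C&C traffic.

Added example (not from ESET's report or the InvisiMole toolset). It scores
resolver query logs per (client, zone): a zone receiving many distinct, long,
high-entropy subdomain labels from one host is reported. The log format and
every sample line below are constructed for the example.
"""
import math
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2020-06-18T08:01:12Z 10.0.0.12 www.microsoft.com A
2020-06-18T08:01:13Z 10.0.0.12 login.microsoftonline.com A
2020-06-18T08:01:14Z 10.0.0.12 outlook.office365.com A
2020-06-18T08:01:15Z 10.0.0.12 a1b2c3d4e5f60718293a4b5c.cdn-sync.example TXT
2020-06-18T08:01:16Z 10.0.0.12 7f3e9d1c5b0a2468ace13579.cdn-sync.example TXT
2020-06-18T08:01:17Z 10.0.0.12 5c2a8f1e7d3b9046ab1c3d5e.cdn-sync.example TXT
2020-06-18T08:01:18Z 10.0.0.12 91e4d7a2c6f0b3581ac9e2d4.cdn-sync.example TXT
2020-06-18T08:01:19Z 10.0.0.12 3b7d0f5a9c1e4682d5f7a9b1.cdn-sync.example TXT
2020-06-18T08:01:20Z 10.0.0.12 e8c4a0b6d2f19375ec5a7b3d.cdn-sync.example TXT
2020-06-18T08:01:21Z 10.0.0.12 safebrowsing.googleapis.com A
2020-06-18T08:01:22Z 10.0.0.31 www.cdn-sync.example A
2020-06-18T08:01:23Z 10.0.0.31 e12345.dscx.akamaiedge.net A
"""


def shannon_entropy(text: str) -> float:
    """Bits per character of `text` (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, zone). The zone is taken as the last two labels;
    this is a simplification (no public-suffix list) that suits the sample."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qname, qtype) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, qtype = parts
        yield client, qname, qtype


def detect_tunnelling(log_text: str, min_unique: int = 5,
                      min_len: int = 16, min_entropy: float = 3.0):
    """Return one alert dict per (client, zone) that looks like a tunnel:
    at least `min_unique` distinct subdomains whose mean length and mean
    entropy both reach the thresholds."""
    stats = defaultdict(lambda: {"subdomains": set(), "types": set(),
                                 "lengths": [], "entropies": []})
    for client, qname, qtype in parse_log(log_text):
        sub, zone = split_name(qname)
        s = stats[(client, zone)]
        s["subdomains"].add(sub)
        s["types"].add(qtype)
        data = sub.replace(".", "")      # the part an encoder would fill
        s["lengths"].append(len(data))
        s["entropies"].append(shannon_entropy(data))

    alerts = []
    for (client, zone), s in sorted(stats.items()):
        n = len(s["subdomains"])
        if n < min_unique:
            continue
        mean_len = sum(s["lengths"]) / len(s["lengths"])
        mean_ent = sum(s["entropies"]) / len(s["entropies"])
        if mean_len >= min_len and mean_ent >= min_entropy:
            alerts.append({"client": client, "zone": zone,
                           "unique_subdomains": n,
                           "mean_length": round(mean_len, 1),
                           "mean_entropy": round(mean_ent, 2),
                           "qtypes": sorted(s["types"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_tunnelling(SAMPLE_LOG):
        print(alert)
```

Run it directly to print the single alert for the constructed log (client 10.0.0.12 against `cdn-sync.example`, six distinct 24-character labels over TXT). Real tunnels vary the encoding (hex, base32, base64url) and the record type, so the length and entropy thresholds need tuning against baseline traffic, and zones that legitimately carry many hash-like labels (CDNs, anti-malware lookups, certificate-transparency style services) should be allowlisted before this runs in production.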


In the new attacks, in addition to the TCP and DNS downloaders, InvisiMole uses long execution chains to deploy its final payloads, updated variants of the RC2CM and RC2CL backdoors.

The observed execution chains include covert execution in the context of the Control Panel, exploitation of a vulnerability in Total Video Player, exploitation of a local privilege escalation flaw in the speedfan.sys driver, and exploitation of a vulnerability in the Windows wdigest.dll library.

According to ESET, one tactic that sets InvisiMole apart, alongside per-victim encryption, is its exclusive use of legitimate tools during the early stages of infection, with the malicious payloads reserved for later stages.

The threat actor abuses the Windows Data Protection API (DPAPI), a feature designed for local storage of secrets such as Wi-Fi passwords and passwords saved in web browsers, to encrypt its payloads with keys that exist only on the victim machine. A sample collected from one host therefore cannot be decrypted elsewhere, which keeps the payload out of reach of security researchers.

“After discovering new activity in late 2019, we gained the opportunity to take a proper look under the hood of InvisiMole’s operations and piece together the hidden parts of the story. Analyzing the group’s updated toolset, we observed continuous development and substantial improvements, with special focus on staying under the radar,” ESET says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.