In a recent campaign, the elusive InvisiMole group has been targeting a small number of high-profile organizations in the military sector and diplomatic missions in Eastern Europe, ESET reports.
First reported on in 2018 but active since at least 2013, InvisiMole appears to be tightly connected to the Russia-linked threat group Gamaredon, which is also believed to have started activity in 2013. Despite the groups’ close connection, ESET believes they are separate entities.
An analysis of recent attacks, which started in late 2019 and appear to be ongoing, revealed that InvisiMole’s tools are dropped only on environments that have been previously compromised by Gamaredon.
In fact, a .NET downloader associated with Gamaredon is used for InvisiMole deployment, but only on a small number of targets, likely those that have been deemed of interest.
“Our research suggests that targets considered particularly significant by the attackers are upgraded from relatively simple Gamaredon malware to the advanced InvisiMole malware. This allows the InvisiMole group to devise creative ways of operating under the radar,” comments Zuzana Hromcová, the ESET researcher who analyzed InvisiMole.
During the attacks, the threat actor has been actively updating its toolset, redesigning and recompiling existing components and adding new tools. ESET found multiple versions of one of the backdoors in use, some of them compiled only shortly before deployment.
Once it has established a foothold in a compromised environment, InvisiMole uses several techniques for lateral movement, including exploitation of the BlueKeep (CVE-2019-0708) and EternalBlue (CVE-2017-0144) vulnerabilities, and trojanized documents and software installers that replace the legitimate originals within the compromised organization. Both vulnerabilities have had vendor patches for some time (MS17-010 in March 2017 for EternalBlue, the May 2019 update for BlueKeep), so successful use of them indicates unpatched hosts reachable over SMB or RDP inside the network.
The first component deployed on newly compromised machines is a TCP downloader, designed to fetch the next stage. In some cases, the attackers used a DNS downloader that was designed for persistent, covert access to the machine, and which uses DNS tunneling for command and control (C&C) communication.
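A defender reading about the DNS downloader will want a way to spot DNS tunneling in their own resolver logs. The script below is an added example written for this page, not ESET's code and not an InvisiMole artifact; it scores each registered domain on the number, uniqueness, length and Shannon entropy of the subdomain labels it receives, which is how tunneled data tends to look. The log format (timestamp, client, name, record type), the sample lines, the domain names and the thresholds are all constructed assumptions for the demonstration, and the registered-domain split deliberately takes the last two labels rather than consulting the Public Suffix List.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the ESET report). Assumed format:
# "<timestamp> <client-ip> <queried-name> <record-type>", one query per line.
# cdn-update.example plays the tunneling domain; static-site.example shows a
# benign domain with many distinct but short, low-entropy labels.
SAMPLE_LOG = """\
2019-11-04T09:12:01Z 10.0.4.21 www.microsoft.com A
2019-11-04T09:12:03Z 10.0.4.21 k7f2m9qz3xw8rb4tn6vy5hj0pcl1esdg.a8sd3kx1.cdn-update.example TXT
2019-11-04T09:12:03Z 10.0.4.21 outlook.office365.com A
2019-11-04T09:12:04Z 10.0.4.21 z4pq1c8mtb7kn2vx0wfy9hd3rg6lsje5.b9tx2ml4.cdn-update.example TXT
2019-11-04T09:12:05Z 10.0.4.21 img1.static-site.example A
2019-11-04T09:12:05Z 10.0.4.21 qn3v8k1xdp6g4wcs2tb0rj9zfh5my7el.c1fd8qa0.cdn-update.example TXT
2019-11-04T09:12:06Z 10.0.4.21 img2.static-site.example A
2019-11-04T09:12:07Z 10.0.4.21 hw6d2xy9rq4zmk0cp3bs8vt1fg7nle5j.d7hc4ne2.cdn-update.example TXT
2019-11-04T09:12:08Z 10.0.4.21 img3.static-site.example A
2019-11-04T09:12:09Z 10.0.4.21 t1fx5kqv8hw2djn3bm7cz9pr6gsly0e4.e3kb5wz8.cdn-update.example TXT
2019-11-04T09:12:10Z 10.0.4.21 img4.static-site.example A
2019-11-04T09:12:11Z 10.0.4.21 www.microsoft.com A
2019-11-04T09:12:12Z 10.0.4.21 bp9zk2wc5mt4rx7fq1sv3hd8jl6ne0gy.f5mw1rc9.cdn-update.example TXT
2019-11-04T09:12:13Z 10.0.4.21 img5.static-site.example A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; 0.0 for empty or single-symbol strings."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered_domain, subdomain_labels).

    Assumption: the registered domain is the last two labels. A production
    detector should use the Public Suffix List so names like host.example.co.uk
    are grouped under example.co.uk rather than co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return qname.lower(), []
    return ".".join(labels[-2:]), labels[:-2]


def parse_log(text: str):
    """Yield (registered_domain, joined_subdomain, record_type); skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, _client, qname, qtype = m.groups()
        domain, labels = split_name(qname)
        yield domain, "".join(labels), qtype.upper()


def score_domains(text: str) -> dict:
    """Per registered domain: query count, unique-subdomain ratio, mean subdomain
    length, mean subdomain entropy, and the share of TXT/NULL queries (record
    types tunneling tools favour because they carry arbitrary payload bytes)."""
    per_domain = defaultdict(list)
    for domain, sub, qtype in parse_log(text):
        per_domain[domain].append((sub, qtype))
    scores = {}
    for domain, rows in per_domain.items():
        subs = [s for s, _ in rows]
        n = len(rows)
        scores[domain] = {
            "queries": n,
            "unique_ratio": len(set(subs)) / n,
            "mean_len": sum(len(s) for s in subs) / n,
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / n,
            "txt_ratio": sum(1 for _, t in rows if t in ("TXT", "NULL")) / n,
        }
    return scores


def find_tunneling_candidates(text: str, min_queries: int = 5, min_unique_ratio: float = 0.8,
                              min_mean_len: float = 20.0, min_entropy: float = 3.5) -> list:
    """Flag domains whose subdomains are numerous, rarely repeated, long and
    high-entropy. Thresholds are illustrative assumptions; tune them against
    a baseline of your own resolver traffic (CDNs and anti-spam lookups will
    need allow-listing)."""
    flagged = []
    for domain, s in score_domains(text).items():
        if (s["queries"] >= min_queries and s["unique_ratio"] >= min_unique_ratio
                and s["mean_len"] >= min_mean_len and s["mean_entropy"] >= min_entropy):
            flagged.append((domain, s))
    return sorted(flagged, key=lambda item: item[1]["queries"], reverse=True)


if __name__ == "__main__":
    for domain, s in find_tunneling_candidates(SAMPLE_LOG):
        print(f"{domain}: {s['queries']} queries, unique={s['unique_ratio']:.2f}, "
              f"mean_len={s['mean_len']:.1f}, entropy={s['mean_entropy']:.2f}, txt={s['txt_ratio']:.2f}")
```

Run against the sample, only cdn-update.example is reported; static-site.example has just as many distinct labels but fails the length and entropy checks, which is why the heuristic combines all four signals rather than relying on uniqueness alone. Low-and-slow implants will stay under the query-count threshold in any single window, so in practice the scores should be accumulated per domain over hours or days, not per file.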
In the new attacks, in addition to the TCP and DNS downloaders, InvisiMole has adopted the use of long execution chains for the deployment of final payloads, namely updated variants of the RC2CM and RC2CL backdoors.
The observed long execution chains include: covert execution in the context of the Control Panel, exploitation of a Total Video Player vulnerability, exploitation of a local privilege escalation vulnerability in the speedfan.sys driver, and exploitation of a vulnerability in the Windows wdigest.dll library.
According to ESET, two things set InvisiMole apart: per-victim encryption of its components, and the exclusive use of legitimate tools during the early stages of infection, with the malicious payloads reserved for later stages.
The per-victim encryption abuses the Windows Data Protection API (DPAPI), which the operating system uses to protect locally stored secrets such as Wi-Fi passwords and credentials saved in web browsers. Because DPAPI keys are tied to the machine (or user) that created the blob, the group's payloads can only be decrypted on the compromised host; a copy pulled off the disk by a security researcher is unreadable without that machine's DPAPI master key.
“After discovering new activity in late 2019, we gained the opportunity to take a proper look under the hood of InvisiMole’s operations and piece together the hidden parts of the story. Analyzing the group’s updated toolset, we observed continuous development and substantial improvements, with special focus on staying under the radar,” ESET says.
Related: Aerospace, Military Hit in Ongoing Espionage Campaign Linked to North Korea
Related: Russian ‘Gamaredon’ Hackers Back at Targeting Ukraine Officials

More from Ionut Arghire