In a recent campaign, the elusive InvisiMole group has been targeting a small number of high-profile organizations in the military sector and diplomatic missions in Eastern Europe, ESET reports.
First reported on in 2018 but active since at least 2013, InvisiMole appears to be tightly connected to the Russia-linked threat group Gamaredon, which is also believed to have started activity in 2013. Despite the groups’ close connection, ESET believes they are separate entities.
An analysis of recent attacks, which started in late 2019 and appear to be ongoing, revealed that InvisiMole’s tools are dropped only on environments that have been previously compromised by Gamaredon.
In fact, a .NET downloader associated with Gamaredon is used for InvisiMole deployment, but only on a small number of targets, likely those that have been deemed of interest.
“Our research suggests that targets considered particularly significant by the attackers are upgraded from relatively simple Gamaredon malware to the advanced InvisiMole malware. This allows the InvisiMole group to devise creative ways of operating under the radar,” comments Zuzana Hromcová, the ESET researcher who analyzed InvisiMole.
During attacks, the threat actor has been actively updating its toolset, redesigning and recompiling existing components and adding new tools. ESET discovered multiple versions of one of the employed backdoors, including some freshly compiled just prior to deployment.
Once it has established a foothold in a compromised environment, InvisiMole uses several techniques for lateral movement, including the BlueKeep (CVE-2019-0708) and EternalBlue (CVE-2017-0144) vulnerabilities, and trojanized documents and software installers (which replace the original versions within the compromised organization).
The first component deployed on newly compromised machines is a TCP downloader, designed to fetch the next stage. In some cases, the attackers used a DNS downloader that was designed for persistent, covert access to the machine, and which uses DNS tunneling for command and control (C&C) communication.
In the new attacks, in addition to the TCP and DNS downloaders, InvisiMole has adopted the use of long execution chains for the deployment of final payloads, namely updated variants of the RC2CM and RC2CL backdoors.
The observed long execution chains include: covert execution in the context of the Control Panel, exploitation of a Total Video Player vulnerability, exploitation of a local privilege escalation vulnerability in the speedfan.sys driver, and exploitation of a vulnerability in the Windows wdigest.dll library.
According to ESET, one of the tactics that makes InvisiMole stand out in the crowd, in addition to per-victim encryption, is the exclusive use of legitimate tools during the early stages of infection, with the malicious payloads reserved for later stages.
The threat actor abuses the Windows DPAPI feature (designed for the local storage of credentials such as Wi-Fi passwords or passwords saved in web browsers) to keep its payloads protected from security researchers: data protected with DPAPI can only be decrypted on the victim machine or under the victim user account, so a payload copied off the host for analysis remains opaque.
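The following is an added example and not code from ESET's report. It assumes Windows PowerShell 5.1 on a Windows host and shows the property the article relies on: a DPAPI blob unprotects only in the user or machine context that protected it, so an analyst has to recover it on the victim host. It also includes a header check (the DPAPI version DWORD and provider GUID) for recognising such blobs during triage; the sample payload is constructed.

```powershell
# Added example (not from ESET): why DPAPI-protected payloads resist offline analysis,
# and how an analyst can recognise and recover such a blob on the victim host.
Add-Type -AssemblyName System.Security

# Every DPAPI blob starts with a version DWORD (1) followed by the DPAPI provider GUID.
$DpapiProviderGuid = [guid]'df9d8cd0-1501-11d1-8c7a-00c04fc297eb'

function Test-DpapiBlob {
    # Quick triage check: does an opaque file carry the DPAPI blob header?
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 20) { return $false }
    $version = [BitConverter]::ToInt32($Bytes, 0)
    $guid    = [guid]::new([byte[]]$Bytes[4..19])
    return ($version -eq 1 -and $guid -eq $DpapiProviderGuid)
}

function Unprotect-DpapiBlob {
    # Must run on the protecting machine (LocalMachine scope) or as the protecting
    # user (CurrentUser scope); anywhere else CryptUnprotectData fails.
    param([byte[]]$Blob, [string]$Scope = 'CurrentUser', [byte[]]$Entropy = $null)
    try {
        return [System.Security.Cryptography.ProtectedData]::Unprotect(
            $Blob, $Entropy, [System.Security.Cryptography.DataProtectionScope]$Scope)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Raised when the blob was protected by another user/machine or with other entropy
        Write-Warning "DPAPI unprotect failed: $($_.Exception.Message)"
        return $null
    }
}

# Constructed sample standing in for a protected stage; on a real case the bytes
# come from the file the malware dropped on the victim host.
$plain = [System.Text.Encoding]::UTF8.GetBytes('constructed sample payload')
$blob  = [System.Security.Cryptography.ProtectedData]::Protect(
    $plain, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)

"Looks like a DPAPI blob: $(Test-DpapiBlob -Bytes $blob)"
$recovered = Unprotect-DpapiBlob -Blob $blob -Scope LocalMachine
if ($recovered) {
    "Recovered on-host: $([System.Text.Encoding]::UTF8.GetString($recovered))"
}
```

Copying `$blob` to another machine and calling `Unprotect-DpapiBlob` there produces the warning path instead of the plaintext, which is exactly the obstacle the per-victim protection creates for researchers.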
“After discovering new activity in late 2019, we gained the opportunity to take a proper look under the hood of InvisiMole’s operations and piece together the hidden parts of the story. Analyzing the group’s updated toolset, we observed continuous development and substantial improvements, with special focus on staying under the radar,” ESET says.