The InvisiMole threat group has resurfaced in a new campaign, revealing a new toolset and a strategic collaboration with the high-profile Gamaredon advanced persistent threat (APT) group.
InvisiMole was first uncovered by ESET in 2018, with cyberespionage activity dating back to 2013 in operations in Ukraine and Russia. More recently, from late 2019 until at least this month, researchers have spotted the group attacking a few high-profile organizations in the military sector and diplomatic missions, both in Eastern Europe. These attacks were “highly targeted,” affecting only a few dozen computers.
This more recent campaign allowed researchers to find the “missing pieces of the puzzle” on the group’s latest tactics, techniques and procedures (TTPs), observing the group’s updated, sophisticated toolset being used for the delivery, lateral movement and execution of InvisiMole’s backdoors.
“After discovering new activity in late 2019, we gained the opportunity to take a proper look under the hood of InvisiMole’s operations and piece together the hidden parts of the story,” said researchers with ESET in a Thursday analysis, shared at ESET Virtual World 2020. “Analyzing the group’s updated toolset, we observed continuous development and substantial improvements, with special focus on staying under the radar.”
Updated Toolset
Back when InvisiMole was first uncovered in 2018, researchers documented two backdoors used by the threat group, RC2CL and RC2FM. These two backdoors feature various espionage functionalities, including recording the victim on their webcam and microphone, tracking the geolocation of the victim and collecting recently accessed documents.
The InvisiMole malware has since been updated with changes aimed at adding stealth to its operations. The updated toolset relies heavily on “living off the land” techniques across its four execution chains, abusing legitimate applications to perform malicious operations while flying under the radar. For instance, InvisiMole’s components are encrypted with a legitimate Windows feature, the Data Protection API (DPAPI), which encrypts data using keys derived from the current user’s credentials or from machine-specific secrets, so a DPAPI blob copied to another system cannot be decrypted there. This tactic “ensures that the payload can only be decrypted and executed on the affected computer, thus protecting it from analysis by security researchers,” said researchers.
The updated InvisiMole toolset also features a new component that uses DNS tunneling for stealthier command-and-control (C2) communication. DNS tunneling encodes data from other programs or protocols inside DNS queries and responses: the client splits its data into encoded subdomain labels of a domain the attacker controls, so every query is relayed by ordinary recursive resolvers to the attacker’s authoritative name server, which reassembles the data and can carry commands back in its responses. Because DNS is rarely blocked at the network edge, the traffic blends in with legitimate name resolution.
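To make the mechanism and its detectable footprint concrete, the following added example (written for this page; it is not ESET’s analysis code nor InvisiMole’s tooling) shows both sides of a minimal DNS exfiltration channel and a detector that runs over resolver logs. The zone name c2-example.test, the log line format, the chunk size and the scoring thresholds are all assumptions; the sample log lines are constructed.

```python
"""DNS-tunnel encoding/decoding plus a query-log detector.
Added example, not code from the original page or from the threat actor.
Assumptions: attacker zone c2-example.test, log format 'ts client qname qtype',
thresholds chosen for illustration."""
import base64
import math
from collections import defaultdict

MAX_LABEL = 63   # RFC 1035: a single DNS label may not exceed 63 octets
CHUNK = 20       # 20 raw bytes -> 32 base32 characters, safely under MAX_LABEL


def encode_exfil(data: bytes, zone: str) -> list[str]:
    """Client side: split data into base32 labels under the attacker zone.
    A leading sequence-number label lets the server reorder queries."""
    names = []
    for seq, i in enumerate(range(0, len(data), CHUNK)):
        label = base64.b32encode(data[i:i + CHUNK]).decode().rstrip("=").lower()
        names.append(f"{seq}.{label}.{zone}")
    return names


def decode_exfil(qnames: list[str], zone: str) -> bytes:
    """Server side: reassemble the payload from queries seen by the
    authoritative name server for `zone`; arrival order is not trusted."""
    chunks = {}
    for q in qnames:
        q = q.rstrip(".")
        if not q.endswith("." + zone):
            continue
        seq, label, _ = q.split(".", 2)
        pad = "=" * (-len(label) % 8)          # restore stripped base32 padding
        chunks[int(seq)] = base64.b32decode(label.upper() + pad)
    return b"".join(chunks[k] for k in sorted(chunks))


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def split_name(qname: str):
    """Registered domain = last two labels (assumption: no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def find_tunnel_domains(log_lines, min_queries=4, min_label=20, min_entropy=3.0):
    """Defender side: flag zones whose subdomains look like encoded data,
    i.e. many distinct, long, high-entropy labels under one domain."""
    stats = defaultdict(lambda: {"subs": set(), "longest": [], "entropy": []})
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue                            # malformed line, skip
        domain, subs = split_name(parts[2])
        if not subs:
            continue                            # bare domain, nothing to score
        s = stats[domain]
        s["subs"].add(".".join(subs))
        s["longest"].append(max(len(l) for l in subs))
        s["entropy"].append(shannon_entropy("".join(subs)))
    flagged = {}
    for domain, s in stats.items():
        n = len(s["subs"])
        if n < min_queries:
            continue
        mean_len = sum(s["longest"]) / len(s["longest"])
        mean_ent = sum(s["entropy"]) / len(s["entropy"])
        if mean_len >= min_label and mean_ent >= min_entropy:
            flagged[domain] = {"queries": n, "mean_label_len": round(mean_len, 1),
                               "mean_entropy": round(mean_ent, 2)}
    return flagged


ZONE = "c2-example.test"   # hypothetical attacker-controlled zone
PAYLOAD = b"host=WS-042;user=jsmith;os=Windows 10 1809;domain=CORP;av=none;ip=10.1.2.3;uptime=86400"
TUNNEL_QUERIES = encode_exfil(PAYLOAD, ZONE)

# Constructed resolver log: benign lookups plus the tunnel queries above.
SAMPLE_LOG = [
    "2020-06-18T09:00:01 10.1.2.3 www.example.com A",
    "2020-06-18T09:00:02 10.1.2.3 mail.example.com A",
    "2020-06-18T09:00:03 10.1.2.3 cdn.jsdelivr.net A",
    "2020-06-18T09:00:04 10.1.2.3 r3---sn-4g5edne7.googlevideo.com A",
    "2020-06-18T09:00:05 10.1.2.3 login.microsoftonline.com A",
] + [f"2020-06-18T09:01:{i:02d} 10.1.2.3 {q} TXT" for i, q in enumerate(TUNNEL_QUERIES)]

if __name__ == "__main__":
    for domain, info in find_tunnel_domains(SAMPLE_LOG).items():
        print(domain, info)
```

The detector deliberately keys on what a tunnel cannot hide: it must emit many distinct names under one zone, and the labels must carry enough bits to be worth sending. In production the heuristics would be joined with per-client query rates and a public-suffix list, since CDNs and some telemetry domains legitimately produce long hashed labels.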
Researchers also discovered that InvisiMole uses the EternalBlue exploit (CVE-2017-0144, an SMBv1 flaw from the leaked NSA toolset) and the BlueKeep exploit (CVE-2019-0708, a pre-authentication flaw in Windows Remote Desktop Services) for lateral movement in its victims’ networks.
“In this recent campaign, the backdoor [uses] added functionality to scan the compromised network for hosts that support the vulnerable SMBv1.0 protocol,” said researchers. “InvisiMole uses this capability to spread in the network via the EternalBlue exploit.”
Gamaredon Link
During their investigation, researchers found attempts to deploy the InvisiMole malware using server infrastructure that is known to be used by Gamaredon. The Gamaredon APT, which has been active since at least 2013, is responsible for a number of high-profile attacks, including recent attacks on Ukrainian national security targets.
More recently, in 2020, the threat group gave its post-compromise toolset a facelift with the addition of a new Visual Basic for Applications (VBA) macro, targeting Microsoft Outlook users. Despite this recent innovation, the tools utilized by Gamaredon have historically been very simple and designed to gather sensitive data from compromised systems.
In its partnership with InvisiMole, researchers believe that Gamaredon plays a role in initially infiltrating networks of interest (typically via spear-phishing attacks) using these simple tools, and possibly gaining administrative privileges. Then, InvisiMole, whose more advanced tooling requires elevated rights, steps in.
“This discovery also reveals a previously unreported cooperation between the Gamaredon and InvisiMole groups,” said researchers. “However, it should be noted these two groups use different TTPs and have a varying level of sophistication—the Gamaredon group seems to make no effort in trying to stay under the radar, in contrast with the stealthiness of InvisiMole demonstrated in the recent campaign.”