Investigating a new campaign by the InvisiMole group, a threat actor first reported by ESET in 2018, ESET researchers uncovered the group’s updated toolset as well as previously unknown details about its mode of operation. The findings arise from a collaborative investigation with the affected organizations. In its new campaign, the InvisiMole group resurfaced with an updated toolset, targeting a few high-profile organizations in the military sector and diplomatic missions, both in Eastern Europe. According to ESET telemetry, the attack attempts were ongoing from late 2019 to at least June 2020, when ESET researchers published their findings.
InvisiMole, active since at least 2013, was first documented by ESET in connection with targeted cyberespionage operations in Ukraine and Russia, using two feature-rich backdoors to spy on victims. “Back then, we found these surprisingly well-equipped backdoors, but a large part of the picture was missing – we didn’t know how they were delivered, spread and installed on the system,” explains Zuzana Hromcová, ESET researcher who analyzed InvisiMole.
Thanks to investigating the attacks in cooperation with the affected organizations, ESET researchers gained an opportunity to take a proper look under the hood of InvisiMole’s operations. “We were able to document the extensive toolset used for delivery, lateral movement and execution of InvisiMole’s backdoors,” says Anton Cherepanov, the ESET malware researcher who led the investigation.
One of the main findings of the investigation concerns InvisiMole group’s cooperation with another threat group, Gamaredon. The researchers discovered that InvisiMole’s arsenal is only unleashed after Gamaredon has already infiltrated the network of interest, and possibly gained administrative privileges. “Our research suggests that targets considered particularly significant by the attackers are upgraded from relatively simple Gamaredon malware to the advanced InvisiMole malware. This allows the InvisiMole group to devise creative ways of operating under the radar,” comments Hromcová.
As for staying under the radar, the researchers found that InvisiMole uses four different execution chains, crafted by combining malicious shellcode with legitimate tools and vulnerable executables. To hide the malware from security researchers, InvisiMole components are protected with per-victim encryption, ensuring that the payload can only be decrypted and executed on the affected computer. The updated InvisiMole toolset also features a new component that uses DNS tunneling for stealthier C&C communication.
Analyzing the group’s updated toolset, the researchers observed substantial improvements compared to the previously analyzed versions. “With this new knowledge, we’ll be able to track the group’s malicious activities even more closely,” concludes Hromcová.