Pierluigi Paganini June 18, 2020

Researchers uncovered a recent campaign carried out by the InvisiMole group that has been targeting a small number of high-profile organizations.

Security researchers at ESET recently uncovered a campaign carried out by the InvisiMole group that has been targeting a small number of high-profile organizations in the military sector and diplomatic missions in Eastern Europe.

The group was first spotted by ESET in 2018, when the experts detected a sophisticated piece of spyware, tracked as InvisiMole, used in targeted attacks in Russia and Ukraine in the previous five years.

The group has been active since at least 2013, ESET experts linked the group to the Gamaredon Russian APT group Gamaredon despite considers the two crews independent.

Experts noticed that in the recent campaign, threat actors dropped InvisiMole’s tools only on systems that have been previously compromised by Gamaredon.

“We discovered InvisiMole’s arsenal is only unleashed after another threat group, Gamaredon, has already infiltrated the network of interest, and possibly gained administrative privileges. This allows the InvisiMole group to devise creative ways to operate under the radar.” reads the analysis published by ESET.

“For example, the attackers use long execution chains, crafted by combining malicious shellcode with legitimate tools and vulnerable executables. They use DNS tunneling for stealthier C&C communications, and place execution guardrails on the malicious components to hide the malware from security researchers.”

Threat actors drop InvisiMole tools and malicious code on a small number of targets using a .NET downloader associated with Gamaredon likely those that have been deemed of interest.

The group resurfaced with an updated toolset, experts also observed the InvisiMole implant being spread within compromised networks in the following ways:

• Using the BlueKeep vulnerability in the RDP protocol (CVE-2019-0708)
• Using the EternalBlue vulnerability in the SMB protocol (CVE-2017-0144)
• Using trojanized documents and software installers, crafted using benign files stolen from the compromised organization

The attack chain begins with the deployment of a TCP downloader that fetches the next stage payload. Experts also observed attackers using a DNS downloader that was designed for long-term, covert access to the target machine. The downloader communicates with C2 servers using DNS tunneling.

In the recent campaign, the group used long execution chains to deploy final payloads that are updated variants of the RC2CM and RC2CL backdoors.

Experts observed the following execution chains used by the attackers:

• The Control Panel misuse chain uses a rare technique known from Vault 7 leaks, used to achieve covert execution in the context of the Control Panel.
• The SMInit exploit chain exploits a vulnerability in the legitimate Total Video Player software. It is used in cases where the attackers haven’t managed to obtain administrative privileges on the system.
• The Speedfan exploit chain exploits a local privilege escalation vulnerability in the speedfan.sys driver to inject its code to a trusted process from kernel mode.
• The Wdigest exploit chain is InvisiMole’s flagship chain, the most elaborate, used on the newest versions of Windows, where the attackers have administrative privileges. It exploits a vulnerability in the Windows wdigest.dll library and then uses an improved ListPlanting technique to inject its code into a trusted process.

The activity of the group is characterized by the heavy use of legitimate tools and per-victim encryption in the early stages of the attack chains.

“After discovering new activity in late 2019, we gained the opportunity to take a proper look under the hood of InvisiMole’s operations and piece together the hidden parts of the story. Analyzing the group’s updated toolset, we observed continuous development and substantial improvements, with special focus on staying under the radar,” ESET concludes.

Pierluigi Paganini

(SecurityAffairs – hacking, InvisiMole)

[adrotate banner=”5″]

[adrotate banner=”13″]