Russia-linked InvisiMole APT targets state organizations of Ukraine

Ukraine CERT (CERT-UA) warns of spear-phishing ​​attacks conducted by UAC-0035 group (aka InvisiMole) on state organizations of Ukraine.

The Government Team for Response to Computer Emergencies of Ukraine (CERT-UA) warns of spear-phishing messages conducted by UAC-0035 group (aka InvisiMole) against Ukrainian state bodies. The messages use an archive named “501_25_103.zip”, which contains a shortcut file. Upon opening the LNK file, an HTA file will be downloaded and executed on the victim’s computer. 

The HTA file contains a VBScript code that fetches and decodes the bait file and the malicious program LoadEdge backdoor.

Then the backdoor contacts the command-and-control (C2) server to downloads and executes other malicious payloads, including the TunnelMole, malware that abuses the DNS protocol to establish a tunnel for malicious purposes, and RC2FM and RC2CL. The LoadEdge backdoor maintains persistence through the Windows registry. 

“The Government Team for Response to Computer Emergencies of Ukraine CERT-UA received a notification from the subject of coordination on the distribution of e-mails among state bodies of Ukraine.” reads the advisory published by CERT-UA. “The activity is associated with the activities of the UAC-0035 group (InvisiMole). Note that the date of compilation of the malicious program LoadEdge – 24.02.2022.”

Ukraine’s CERT also shared Indicators of compromise (IoCs) for the recent attacks.

The InvisiMole group is a Russia-linked threat actor that has been active since at least 2013- ESET experts linked the group to the Gamaredon Russian APT group, despite it is considering the two crews independent.

The group was first spotted by ESET in 2018, when the experts detected a sophisticated piece of spyware, tracked as InvisiMole, used in targeted attacks in Russia and Ukraine in the previous five years.

In past campaigns, the group targeted a small number of high-profile organizations in the military sector and diplomatic missions in Eastern Europe.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, InvisiMole)

[adrotate banner=”5″]

[adrotate banner=”13″]