In-depth insights into the operations and methods of the elusive InvisiMole group have been revealed by ESET following an investigation into a new campaign by the espionage group. In this campaign, the group targeted a number of high-profile military and diplomatic bodies in Eastern Europe from late 2019 until at least June 2020.
ESET investigators found that InvisiMole collaborated with another cyber-threat actor, Gamaredon, to help it make attacks. Gamaredon would infiltrate the network of interest, potentially gaining administrative privileges, before InvisiMole moved in to launch malware.
ESET researcher Zuzana Hromcová explained: “Our research suggests that targets considered particularly significant by the attackers are upgraded from relatively simple Gamaredon malware to the advanced InvisiMole malware. This allows the InvisiMole group to devise creative ways of operating under the radar.”
The team also discovered four different execution chains InvisiMole uses, created by combining malicious shellcode with legitimate tools and vulnerable executables. The group’s malware is able to remain hidden by protecting components with per-victim encryption, meaning the payload can only be decrypted and executed on the affected computer. InvisiMole was also observed to have a new component that uses DNS tunneling for stealthier C&C communication.
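The DNS-tunnelling C&C channel mentioned above is the kind of behaviour a defender can look for in resolver logs, because tunnelled traffic tends to produce many unique, long, high-entropy subdomains under one parent domain, often with record types such as TXT that carry more data than an A record. The following is an added example of that generic detection heuristic, written for this article; it is not code from ESET or from the InvisiMole analysis and does not model that specific component. The log format (timestamp, client, query type, query name), the domain `tunnel-placeholder.test` and every hexadecimal label are constructed sample data, and the "registered domain equals the last two labels" shortcut stands in for a proper public-suffix lookup.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (timestamp client qtype qname). This is
# illustrative data written for the example, not traffic from any real campaign.
SAMPLE_LOG = """\
2020-06-01T10:00:01Z 10.0.0.5 A www.example.com
2020-06-01T10:00:02Z 10.0.0.5 A mail.example.com
2020-06-01T10:00:03Z 10.0.0.5 AAAA cdn.example.org
2020-06-01T10:00:04Z 10.0.0.7 TXT 7a3f9c1e4b8d2a6f0e5c.91d4b7a2c8e3f6015a7d.tunnel-placeholder.test
2020-06-01T10:00:05Z 10.0.0.7 TXT 5e2c8a1f7d3b9e6c0a4f.2b7e9d1c5a8f3e6b0d4c.tunnel-placeholder.test
2020-06-01T10:00:06Z 10.0.0.7 TXT c4a9e2f7b1d8c3e6a0f5.8d1e5b2c9f4a7e3d6b0c.tunnel-placeholder.test
2020-06-01T10:00:07Z 10.0.0.7 TXT 3b8e1d6c2f9a4e7b0d5c.a7f2c9e4b1d8f3a6c0e5.tunnel-placeholder.test
2020-06-01T10:00:08Z 10.0.0.7 TXT 9f4c7a2e8b1d5f3c6a0e.e1b6d9c2a5f8e3b7d0c4.tunnel-placeholder.test
2020-06-01T10:00:09Z 10.0.0.7 TXT 6d1a8e3c5f2b9d4a7c0e.f3c8a1e6b9d2f5a4c7e0.tunnel-placeholder.test
2020-06-01T10:00:10Z 10.0.0.5 A www.example.com
"""

# Record types that can carry a sizeable payload in the answer; queries for
# these are weighted as a tunnelling indicator.
DATA_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s):
    """Bits of entropy per character; encoded payload scores high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (registered_domain, subdomain_part).

    Assumption made for this example: the registered domain is the last two
    labels. Production code would consult the public suffix list instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_line(line):
    """Parse one constructed log line into a dict, or None for blank/malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname}


def analyse(log_text, min_queries=5, entropy_threshold=3.0, long_label=16):
    """Aggregate per registered domain and score tunnelling indicators (0-4)."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "entropy": 0.0,
                                 "long_labels": 0, "data_qtypes": 0, "clients": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        domain, sub = split_name(rec["qname"])
        s = stats[domain]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["entropy"] += shannon_entropy(sub)
        s["clients"].add(rec["client"])
        if any(len(label) >= long_label for label in sub.split(".") if label):
            s["long_labels"] += 1
        if rec["qtype"] in DATA_QTYPES:
            s["data_qtypes"] += 1

    results = {}
    for domain, s in stats.items():
        q = s["queries"]
        if q < min_queries:  # too little traffic to judge; avoids single-query false positives
            continue
        mean_entropy = s["entropy"] / q
        unique_ratio = len(s["subdomains"]) / q
        score = 0
        score += mean_entropy >= entropy_threshold      # encoded-looking labels
        score += unique_ratio >= 0.8                    # almost every query is a new name
        score += s["long_labels"] / q >= 0.5            # labels padded with data
        score += s["data_qtypes"] / q >= 0.5            # record types that carry payload
        results[domain] = {"queries": q, "mean_entropy": round(mean_entropy, 2),
                           "unique_ratio": round(unique_ratio, 2),
                           "clients": sorted(s["clients"]), "score": int(score)}
    return results


def suspicious_domains(log_text, min_score=3):
    """Domains whose indicator score meets the threshold, sorted for stable output."""
    return sorted(d for d, r in analyse(log_text).items() if r["score"] >= min_score)


if __name__ == "__main__":
    for domain, r in analyse(SAMPLE_LOG).items():
        print(domain, r)
    print("flagged:", suspicious_domains(SAMPLE_LOG))
```

The thresholds are deliberately conservative and tuned for the constructed sample; on real resolver logs, legitimate CDNs and anti-spam services also generate many unique subdomains, so the per-domain score is best used to surface candidates for an analyst rather than to block traffic automatically.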
“We were able to document the extensive toolset used for delivery, lateral movement and execution of InvisiMole’s backdoors,” noted Anton Cherepanov, the ESET malware researcher who led the investigation.
InvisiMole is understood to have been active since at least 2013, and has been connected to cyber-espionage campaigns in Ukraine and Russia, including spying on victims using two feature-rich backdoors. The new analysis highlights how the group has significantly improved its abilities to conduct cyber-espionage.
Hromcová added: “With this new knowledge, we’ll be able to track the group’s malicious activities even more closely.”