EXECUTIVE SUMMARY
The InvisiMole group is a threat actor operating since at least 2013, whose malware was first reported by ESET in 2018 in connection with targeted cyberespionage operations in Ukraine and Russia.
We previously documented its two feature-rich backdoors, RC2CL and RC2FM, that provide extensive espionage capabilities such as recording from the victim’s webcam and microphone, tracking the geolocation of the victims, and collecting recently accessed documents.
However, little was known about the rest of the group’s tactics, techniques and procedures (TTPs).
In late 2019, the InvisiMole group resurfaced with an updated toolset, targeting a few high-profile organizations in the military sector and diplomatic missions, both in Eastern Europe.
ESET researchers conducted an investigation of these attacks in cooperation with the affected organizations and were able to uncover the extensive, sophisticated toolset used for delivery, lateral movement and execution of InvisiMole’s backdoors—the missing pieces of the puzzle in our previous research. The investigation also uncovered previously unknown cooperation between the InvisiMole group and Gamaredon, a highly active threat group also operating since at least 2013, and mainly targeting Ukrainian institutions.
Analyzing InvisiMole’s updated toolset, we discovered that:
- The changes in the InvisiMole malware (compared to versions analyzed in 2018) aim to prevent revealing and reconstructing the operation
- The updated InvisiMole toolset relies heavily on so-called “living off the land” techniques, abusing legitimate applications to perform malicious operations while flying under the radar
- InvisiMole utilizes a variety of vulnerable executables and exploits them for covert code execution and long-term persistence
- Apart from exploiting vulnerable executables it introduces to victims’ machines, InvisiMole also uses EternalBlue and BlueKeep exploits for lateral movement in its victims’ networks
- InvisiMole employs long execution chains, crafted by combining legitimate tools and encrypted shellcode stored in the registry
- The components are encrypted per-victim using a Windows feature named Data Protection API, which ensures that the payload can only be decrypted and executed on the affected computer, thus protecting it from analysis by security researchers
- The updated InvisiMole toolset features a new component that uses DNS tunneling for stealthier C&C communication
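To make the per-victim encryption point above concrete for responders, here is an added illustration (not code from the ESET paper or from InvisiMole) of how the Windows Data Protection API binds a blob to the machine it was created on, and how a triage script can recognise DPAPI-protected binary values when reviewing registry keys collected from an affected host. The payload, the demo registry key name and the helper function names are constructed for this example; the 20-byte header it matches on is the DPAPI blob version field followed by the well-known DPAPI provider GUID. It assumes Windows PowerShell 5.1 on the host being examined.

```powershell
# Added illustration, not the ESET paper's code: DPAPI machine binding and blob triage.
Add-Type -AssemblyName System.Security

# 1. Protect a constructed sample with LocalMachine scope. The resulting blob can only be
#    unprotected by code running on this same machine, because the DPAPI master key that
#    wraps it never leaves the host's DPAPI store. Any user on this host can unprotect it.
$payload = [Text.Encoding]::UTF8.GetBytes('constructed sample payload, not real shellcode')
$blob = [Security.Cryptography.ProtectedData]::Protect(
    $payload, $null, [Security.Cryptography.DataProtectionScope]::LocalMachine)

# 2. Every DPAPI blob starts with a 4-byte version (1) and the fixed DPAPI provider GUID
#    df9d8cd0-1501-11d1-8c7a-00c04fc297eb in little-endian mixed byte order.
$dpapiSignature = [byte[]](0x01,0x00,0x00,0x00,
                           0xD0,0x8C,0x9D,0xDF,0x01,0x15,0xD1,0x11,
                           0x8C,0x7A,0x00,0xC0,0x4F,0xC2,0x97,0xEB)

function Test-DpapiBlob {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt $dpapiSignature.Length) { return $false }
    for ($i = 0; $i -lt $dpapiSignature.Length; $i++) {
        if ($Bytes[$i] -ne $dpapiSignature[$i]) { return $false }
    }
    return $true
}

# 3. Triage helper: walk a registry subtree and report REG_BINARY values that carry the
#    DPAPI header, so they can be decrypted on the live host before it is rebuilt.
function Find-DpapiBlobsInRegistry {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValueKind($name) -eq 'Binary') {
                $bytes = [byte[]]$key.GetValue($name)
                if (Test-DpapiBlob $bytes) {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Length = $bytes.Length }
                }
            }
        }
    }
}

# 4. Demonstration on a constructed key (removed at the end). The Unprotect call succeeds
#    here; the same blob copied to another machine makes Unprotect throw a
#    CryptographicException, which is why such payloads must be recovered on the affected host.
$demoKey = 'HKCU:\Software\DpapiTriageDemo'   # constructed demo location
New-Item -Path $demoKey -Force | Out-Null
Set-ItemProperty -Path $demoKey -Name 'sample' -Value $blob -Type Binary

Find-DpapiBlobsInRegistry -Path 'HKCU:\Software' | Where-Object { $_.Key -like '*DpapiTriageDemo*' }

$recovered = [Security.Cryptography.ProtectedData]::Unprotect(
    $blob, $null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
[Text.Encoding]::UTF8.GetString($recovered)

Remove-Item -Path $demoKey -Recurse
```

The practical consequence for incident response is that a disk image alone is not enough: a DPAPI-protected payload found in a registry hive has to be unprotected on the original machine, or with that machine's DPAPI master keys, before it can be analysed, so blobs flagged by the triage helper should be decrypted during live collection rather than after the host is wiped.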
In this white paper, we will provide an in-depth technical analysis of the newest InvisiMole toolset, offering a unique look into the TTPs of the elusive InvisiMole group.