Cybersecurity researchers today exposed the activities of an elusive threat group that has been hacking into high-profile military and diplomatic organizations in Eastern Europe for espionage.
The findings come from a collaborative analysis by the cybersecurity company ESET and the affected organizations, which provides a comprehensive look at InvisiMole's operations and the group's tactics, techniques and procedures (TTPs).
"ESET researchers have investigated these attacks in collaboration with the affected organizations and have been able to uncover the extensive, sophisticated tool sets used for the delivery, lateral movement and execution of InvisiMole's backdoors," said a report shared with The Hacker News.
Collaboration with the Gamaredon Group
InvisiMole was first documented in 2018 and has been active in Ukraine and Russia in targeted cyber espionage operations since at least 2013. After dropping off the radar, the threat actor returned at the end of last year with an updated toolset and previously unreported tactics for disguising its malware.
"InvisiMole has a modular architecture that begins its journey with a wrapper DLL and carries out its activities with two other modules that are embedded in its resources," ESET researchers said in a June 2018 report. "Both modules are feature-rich backdoors that allow them to gather as much information as possible about the target."
The two backdoors, known as RC2FM and RC2CL, were found to be capable of making system changes, scanning nearby wireless networks to track the victim's geolocation, collecting user information, and exfiltrating sensitive files stored on the compromised computer. Until now, however, the exact delivery mechanism of the malware had been unclear.
ESET not only found evidence of "living off the land" techniques, which abuse legitimate applications to carry out malicious operations covertly, but also discovered links to a second threat actor, Gamaredon, which has long conducted cyberattacks against Ukrainian institutions.
"Gamaredon is used to pave the way for a much stealthier payload. According to our telemetry, a small number of Gamaredon targets are 'upgraded' to the advanced InvisiMole malware, probably the ones that the attackers consider particularly significant," the researchers added. The malware is deployed only after the attackers have obtained administrative privileges, since many of InvisiMole's execution methods require elevated rights.
Once initial access has been obtained, InvisiMole exploits the BlueKeep (CVE-2019-0708) and EternalBlue (CVE-2017-0144) vulnerabilities in the RDP and SMB protocols, both of which had vendor patches available, or uses trojanized documents and software installers, to move laterally across the network.
In addition to updated versions of the RC2CL and RC2FM backdoors, the malware uses a new TCP downloader to fetch additional modules and a DNS downloader, which relies on DNS tunneling to mask its communication with an attacker-controlled server.
"With DNS tunneling, the vulnerable client does not contact the C&C server directly. It only communicates with the benign DNS servers with which the victim's computer would normally communicate, sending requests to resolve a domain to its IP address," the researchers said. "The DNS server then contacts the name server responsible for the domain in the request, which is an attacker-controlled name server, and returns its response to the client."
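The resolver-mediated path described above is easiest to understand from both ends at once: what the tunnelling client has to put into a query name so that the data reaches the attacker's authoritative server, and what that traffic looks like in the victim organization's own resolver logs. The block below is an added example written for this page; it is not code from ESET or from InvisiMole, and it does not reproduce the DNS downloader's actual encoding. It encodes a constructed payload into base32 subdomain labels under a hypothetical attacker zone (attacker-ns.test), reassembles it the way the authoritative server would, and then runs a simple per-domain detector over constructed resolver log lines. The log line format, the zone name, the query layout and the detection thresholds are all assumptions.

```python
"""Toy DNS-tunnel encoder/decoder plus a per-domain detector for resolver logs.

Added example for illustration only; not InvisiMole's real protocol.
"""
import base64
import math
from collections import defaultdict

# Constructed sample data, not a real exfiltrated document.
SAMPLE_PAYLOAD = (
    b"Constructed sample document, not real data: "
    b"quarterly logistics summary, annex 3, pages 1-12, "
    b"distribution restricted to the planning cell only.\n"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def encode_exfil_queries(data: bytes, zone: str, chunk: int = 30) -> list:
    """Split data into chunks and wrap each one in a query name under zone.

    Hypothetical layout: <seq>.<base32 chunk>.<zone>. Base32 is used because
    DNS names are case-insensitive, and 30 bytes -> 48 chars keeps each
    label under the 63-byte limit. Padding is stripped to shorten the name.
    """
    names = []
    for seq, i in enumerate(range(0, len(data), chunk)):
        label = base64.b32encode(data[i:i + chunk]).decode().rstrip("=").lower()
        names.append(f"{seq}.{label}.{zone}")
    return names


def decode_exfil_queries(names: list, zone: str) -> bytes:
    """Reassemble the payload from query names, as the attacker's name server would."""
    pieces = {}
    suffix = "." + zone
    for name in names:
        if not name.endswith(suffix):
            continue
        seq, label = name[:-len(suffix)].split(".", 1)
        padded = label.upper() + "=" * (-len(label) % 8)  # restore base32 padding
        pieces[int(seq)] = base64.b32decode(padded)
    return b"".join(pieces[k] for k in sorted(pieces))


def registered_domain(qname: str) -> str:
    """Crude approximation: last two labels. Real deployments should use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_tunnel_domains(log_lines, min_queries=4, min_avg_len=20, min_entropy=3.2):
    """Flag domains whose subdomains look like encoded data rather than host names.

    Expects constructed lines of the form '<timestamp> <client_ip> <qname> <qtype>'.
    A domain is flagged when it receives several queries whose subdomain parts are
    long, high-entropy and almost never repeated. Thresholds are illustrative.
    """
    per_domain = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        qname = parts[2].lower().rstrip(".")
        dom = registered_domain(qname)
        sub = qname[:-len(dom) - 1] if qname.endswith("." + dom) else ""
        per_domain[dom].append(sub)

    suspicious = {}
    for dom, subs in per_domain.items():
        if len(subs) < min_queries:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        uniq_ratio = len(set(subs)) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_avg_len and avg_ent >= min_entropy and uniq_ratio > 0.9:
            suspicious[dom] = {
                "queries": len(subs),
                "avg_sub_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "unique_ratio": round(uniq_ratio, 2),
            }
    return suspicious


def build_sample_log() -> list:
    """Constructed resolver log: benign lookups with one tunnel session in the middle."""
    benign = [
        "www.example.com", "mail.example.com", "www.example.com", "api.example.com",
        "www.example.com", "fileserver.corp-intranet.test", "printsrv.corp-intranet.test",
        "www.example.com", "dc01.corp-intranet.test", "fileserver.corp-intranet.test",
    ]
    tunnel = encode_exfil_queries(SAMPLE_PAYLOAD, "attacker-ns.test")
    # The query type does not matter to this detector; A records are used throughout.
    return [f"2020-06-18T10:{i:02d}:00 10.0.0.7 {q} A"
            for i, q in enumerate(benign[:5] + tunnel + benign[5:])]


if __name__ == "__main__":
    names = encode_exfil_queries(SAMPLE_PAYLOAD, "attacker-ns.test")
    assert decode_exfil_queries(names, "attacker-ns.test") == SAMPLE_PAYLOAD
    for dom, stats in find_tunnel_domains(build_sample_log()).items():
        print(dom, stats)
```

The detector keys on the registered domain rather than on the full query name, which is the point of the ESET description: the victim's resolver only ever sees lookups that look structurally normal, so the signal is statistical (long, unique, high-entropy subdomains concentrated under one zone) rather than a bad IP or a known C&C hostname. In production, the two-label heuristic in `registered_domain` should be replaced with a public-suffix-list lookup, and volume per client and per time window should be added to the score.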
RC2CL and RC2FM: Fully functional spyware
The final RC2CL and RC2FM payloads were delivered through no fewer than four different execution chains, assembled by combining malicious shellcode with legitimate tools and vulnerable executables.
The enhanced RC2CL backdoor supports up to 87 commands and can turn on the webcam and microphone to take photos and record video and audio, take screenshots, collect network information, list installed software and monitor the victim's recently accessed documents. Although RC2FM is used less often, it has its own set of document exfiltration commands, as well as new functions for logging keystrokes and bypassing User Account Control (UAC).
The new versions of RC2CL and RC2FM also have their own means of evading antivirus detection, including injection into other benign processes and the disabling of specific features, such as keylogging, where they are not needed.
"The targets that the attackers consider particularly important are upgraded from the relatively simple Gamaredon malware to the advanced InvisiMole malware," said ESET researcher Zuzana Hromcová. This previously unknown collaboration between the two groups "enables the InvisiMole group to devise creative ways of operating under the radar," she added.